CHINA: PRC Cybersecurity Law – take action and monitor developments to avoid losing your China business
The PRC Cybersecurity Law is three weeks old, and non-compliant international businesses are already facing severe consequences. Since 1 June, twenty-two people engaged by a global technology giant have been arrested, and sixty online entertainment news sites have been shut down.
The law continues to evolve. The latest guidance provides practical answers to previous areas of uncertainty. Whilst some questions remain, the key message is: do not ignore the PRC Cybersecurity Law. It is now in force and organisations must comply with it.
Read on if you:
- Transfer personal information and important data out of China
- Are concerned your organisation may be a key information infrastructure operator
- Supply network and cybersecurity products and services to China
- Are unsure if you handle “important data” in or from China
Five key developments that you need to know
1. What is now in force?
- The data protection and data security obligations on network operators and key information infrastructure operators (KIIOs) came into force on 1 June 2017
- The supervisory assessment/certification scheme for suppliers of critical network and specialised cybersecurity products and services also came into force on 1 June 2017
2. Are the new overseas data transfer rules in force?
Not yet. The draft measures proposing conditions/restrictions on overseas transfers of personal data and important data by network operators including KIIOs (Draft Measures) did not come into force on 1 June 2017, surprising commentators. Unofficial sources indicate the lead regulator (CAC) discussed a revised draft of the Draft Measures with key stakeholders and proposed toning down some of the more onerous obligations. For now, we await official announcements from CAC.
If and when the Draft Measures come into force, organisations should follow the newly-published Draft Guidelines for Data Cross-Border Transfer Security Assessment (Draft Guidelines). These set out detailed guidance on the security self-assessments for cross-border transfers. They include practical tips on how and when to conduct a self-assessment, including key factors to consider (legality, legitimacy, control of risks, technical and management skills, the recipient’s capability to protect data, and the recipient countries’ political and legal environment), and a rating system to apply. Practical examples are also given on how to assess the sensitivity and level of influence of personal/important data, and solutions to minimise the risks.
3. Am I a KIIO?
We still don’t have a definitive answer, but previously unofficial guidance has now been formally published. The National Internet Security Check Operational Guideline is primarily a guideline for Government agencies. A key infrastructure protection regulation is being prepared by the Chinese authorities (which may or may not refer to this guideline) and (according to CAC) is expected to be published for public comment soon. It is hoped this regulation will provide greater certainty. For now, who does the guideline indicate will be deemed a KIIO?
- Websites: operators of:
- Party/Government websites
- Key news websites
- Websites with more than one million visits per day
- Websites where a network security incident would have a significant impact (i.e. on work/lives of over one million individuals or 30% of a district; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (relating to resources, mapping); or damage to/endanger government image, social order or national security)
- Platforms: operators of platforms:
- With registered users over ten million, or with over one million active users (with a login frequency of at least once a day)
- With average daily orders or transactions over RMB 10 million
- Where a network security incident would have a significant impact (i.e. direct economic loss of RMB 10 million or above; on work/lives of over ten million individuals; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (see above); or damage to/endanger government image, social order or national security)
- Production Businesses:
- Operators of systems for public/government/cities such as healthcare, security, fire service, emergency management, production scheduling, traffic control
- Operators of data centres with over 1,500 standard servers
- Businesses where a network security incident would have a significant impact (i.e. on work/lives of 30% of a district; affect the utilities or transport of at least 100,000 individuals; death of five or more individuals, or serious injuries to fifty or more individuals; direct economic loss of RMB 50 million or above; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (see above); or damage to/endanger government image, social order or national security)
4. Can I still sell my technology products in China?
Yes, but you now need to consider the supervisory assessment/certification scheme for suppliers of critical network and cybersecurity products and services to KIIOs or to be used for other networks and information systems that relate to national security. We now have an initial catalogue of those caught by the new scheme:
|Critical network equipment||Specialised cybersecurity products|
|Routers||All-In-One data backup|
|Servers (rack-mounted)||Web application firewall|
|Programmable logic controllers||Intrusion detection system|
|Intrusion defence system|
|Security isolation and information exchange products (gatekeeper)|
|Anti-spam mail products|
|Network integrated audit system|
|Network vulnerability scanning product|
|Security data system|
|Website recovery products (hardware)|
The new Trial Measures for Security Review of Network Products and Services (Trial Measures) provide practical guidance on how the scheme will be implemented. Whilst uncertainties remain, the Trial Measures clarify that:
- Reviews will focus on “security and controllability” risks of products and key components, from manufacture through to sale, implementation and maintenance/support. Initially TC260 standards have been released for evaluating security and controllability of central processing units, operating systems and office software
- Competition impact is a lesser concern, but reviews will look at dependence on certain providers
- Reviews will also consider risks of providers accessing data and user information through their products/services
- Reviews may be conducted in a lab, onsite, remotely or through background investigations. While some technical documentation must be provided, it is not yet clear whether source code must be disclosed; and what sort of test environment providers may need to make available to the authorities
5. What is “important data”?
“Important data” is broadly defined to include information that relates to national security, economic development, or social or public interest. Appendix A of the Draft Guidelines sets out an 11-page list of examples in key sectors such as utilities, telecommunications, geographical information, finance and e-commerce. The coverage is very broad, and is a useful reminder to organisations that the PRC Cybersecurity Law does not just affect personal data and has a very wide reach.
What other developments are anticipated?
|General personal data protection||Draft Information Security Techniques – Personal Information Security Specifications, published for public consultation and, according to reports, expected to be implemented soon.
This is in effect an update to the 2013 general data protection guidelines governing personal data, which is the current persuasive best practice, and practical guidance, on how to handle personal data in China
|High: first statement of key data protection principles in China; significant changes to key terms such as “sensitive personal data” and “data controller”; greater clarity on privacy notices and terms to be included; additional security measures; and new DPO requirements|
|Minors’ data||Draft Regulations on the Protection of the Use of Internet by Minors, published for public consultation in January 2017||Medium: additional protections for minors’ online, including safeguards for collection, use and disclosure of minors’ personal data by “network information service providers”|
|Encryption||Draft PRC Encryption Law, published for public consultation in April 2017||High: more standardised approach to encryption and IT security in China (including mandatory national standards); use of encryption would be mandatory for some networks and data; encryption will remain heavily regulated; requirement for suppliers to provide decryption support|
|Consumer data||Draft Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers, published in Summer 2016||High: strengthening of consumer personal data protection, including consent, mandatory data breach notification and record retention requirements|
|E-commerce data||Draft E-commerce Law||High: new data protection obligations including prior notice consent; explicit consent for subsequent changes of scope/purpose; data retention, use and security obligations: immediate data breach notifications: and irretrievable anonymisation of e-commerce data before disclosure|