China’s draft Cybersecurity Law, the eagerly awaited companion to China’s recently promulgated National Security Law, was published on 6 July. The draft legislation sets out a framework for China’s cybersecurity regime, responding to the needs set out in the National Security Law to ensure “safe and controllable” systems and data security in critical infrastructure. To appreciate the scope and impact of the draft Cybersecurity Law, we must also look to the context of other key actions and increasing prioritisation of cyberspace regulations, which help to build a picture of the Chinese government’s overall approach to cybersecurity. Considered a matter of national sovereignty (the notion of controlling the internet within China and equating that with cybersecurity), China’s cybersecurity regime in the making is bound to profoundly impact foreign companies doing business in this country. In this client alert, we provide an overview of the recent developments in China’s cybersecurity regime, and a summary of notable provisions in the draft law with our observations and concerns.
Overview: The Developing Cybersecurity Regulatory Regime in China
- In December 2013, China first indicated that it would step up its anti-terrorism and cybersecurity efforts when it hailed a UN Security Council Resolution on Fighting Internet Terrorism. It promptly issued the first review draft of the Anti-terrorism Law for public comment in November 2014, and the review of a second draft was completed in February 2015. A third reading (and promulgation of the law) is expected to take place later in 2015.
Two important provisions in the draft Anti-terrorism Law impose network security obligations on telecommunication providers and internet service providers. Firstly, Article 15 requires such providers to pre-install a “technical interface” in their networks and to file the encryption scheme they use with the authorities before their networks can become operational. Providers who operate in China are further bound by a local storage requirement to keep their equipment and domestic user data within China. Secondly, Article 16 imposes monitoring, compliance and cooperation obligations relating to anti-terrorism.
Though it is generally assumed that the Chinese government already has backdoor access to telecommunication networks in China, the concern here is the application of these provisions to internet service providers, a term which may capture various types of online businesses (B2B, B2C, C2C, etc.). Even though e-commerce providers have their servers hosted by Chinese telecommunications providers (who are themselves covered), Articles 15 and 16 may impose additional registration and reporting requirements directly on the e-commerce providers.
- In February 2014, China formed a Central Leading Group on Cybersecurity and Informatization to establish central authority over Internet governance. The Group is led by President Xi Jinping (head), Premier Li Keqiang (first deputy head) and 10 top figures at ministerial level.
- The new National Security Law was passed on 1 July 2015 with immediate effect. Notably, Article 24 provides that the State shall accelerate the development of strategic high-tech and core technologies in important areas that are “self-owned and controllable”. Article 25 further stipulates that as a general guiding principle, the State shall enhance the ability to protect network and information safety, and ensure key technologies and infrastructure, as well as information systems and data in important areas, are “safe and controllable”, so as to “protect national sovereignty, security and development interests in the cyberspace”.
- The banking sector was among the first to be targeted by the Chinese government’s network security campaign. On 3 September 2014 the China Banking Regulatory Commission (“CBRC”), jointly with a few other ministries, issued the Guiding Opinions on Strengthening the Banking Network Security and Information Technology Construction through the Application of Safe and Controllable Information Technology (“Guiding Opinions”). Following that, CBRC promulgated specific Guidelines on Advancing the Application of Safe and Controllable Information Technology in Banking Industry (from 2014 to 2015) (“Guidelines 317”) on 2 December 2014. Under the Guiding Opinions and Guidelines 317, banking financial institutions are encouraged to use “safe and controllable” information technology, and are required to increase their application of information technology that complies with the “safe and controllable” requirements by no less than 15% each year, with a target of 75% by 2019.
- Facing opposition because of the deep concerns raised by foreign technology firms about the new IT standards for the banking sector, CBRC suspended the implementation of these measures in April 2015 until further notice. Requirements of particular concern included a requirement to voluntarily consent to capacity evaluation and risk evaluation by CBRC, and to submit the source code of software to CBRC in order for such software to be considered “safe and controllable”.
Key Provisions of Draft Cybersecurity Law
| Article | Summary | Comments / Concerns |
| --- | --- | --- |
| Article 17: Hierarchical Protection of Network Security | Network operators are required to implement “certain duties” to protect network security in accordance with the respective security level of their operations, in order to prevent disruption, destruction or unauthorized access to the network as well as the leakage or theft of network data. | No detail as to what these duties are has been included in the Draft. The State Council is authorized to formulate specific regulations at a later date. |
| Article 19: Network Products and Services to Comply with Mandatory Standards | Key network equipment and specialized network security products shall comply with the mandatory requirements of applicable national standards and industry standards, and may only be sold after they are certified by a qualified agency or pass a test as meeting applicable security standards and requirements. The Cyberspace Administration of China (“CAC”) will, in conjunction with other relevant departments under the State Council, publish a catalogue listing key network equipment and specialized network security products, and promote mutual recognition of security certification and security test results to avoid duplication of certification and testing. | Mandatory requirement to comply with applicable national and industry standards. Compared to Article 25 below, which is limited to “Key Information Infrastructure”, this provision has a broad, general scope of application. If implemented, any company that intends to supply CAC-catalogued equipment or products to any Chinese customer would have to comply with the security certification or testing requirements. It could also mean that any entity using catalogued equipment or products in its day-to-day operations will have to purchase equipment and products that have passed the security certification or testing requirements. |
| Article 20: Requirement on Customers’ Real Identity Information | Network operators who provide network access services, domain name registration services, land phone registration, mobile phone network access, or information dissemination services must request the customers’ identity information. Network operators shall not provide such services if the customer refuses to provide the requested identity information. | These provisions reinforce current requirements. |
| Article 25: Security Protection of Key Information Infrastructure | China will implement enhanced protections for “key information infrastructure”, which includes: The measures for security protection of Key Information Infrastructure will be formulated by the State Council. | Does the broad definition of “Key Information Infrastructure” capture companies with online operations? The definition of “Key Information Infrastructure” is fairly comprehensive. The catch-all phrase “networks and systems owned or managed by network service providers with numerous users” may be interpreted to encompass even companies that operate online businesses with a sizable user base. For the sake of clarity and certainty, some terms used in this definition, such as “network service providers”, “numerous” and “users”, need to be further defined. |
| Article 30: Security Reviews | The purchase of network products or services by any operator of Key Information Infrastructure which may impact national security shall be subject to a security review organized by CAC in conjunction with relevant departments under the State Council. Specific measures will be formulated by the State Council. | Will CAC security review require source code disclosure? CBRC’s Guidelines 317 is so far the only live piece of legislation which sets out criteria for the regulator’s assessment of safe and controllable technology. As such, it may shed some light on what may be included in the implementation rules of the State Council or CAC in respect of security review under this Article 30. As noted earlier, Guidelines 317 requires, among other things, the disclosure of the source code of software supplied to Chinese institutions. If the State Council or CAC incorporates similar or comparable assessment criteria for the CAC security review, foreign IT hardware/software vendors may face a difficult choice between meeting such requirements (by disclosing source code, etc.) and losing significant business opportunities in China. Will domestic suppliers be favoured for the sake of security? While the draft law is silent on this, it remains to be seen whether the State Council or CAC will stipulate in the implementing rules any localisation requirements or criteria that are based on security reasons but will effectively favour domestic suppliers. |
| Article 31: Local Storage Requirement | Operators of Key Information Infrastructure shall store citizens’ personal information and other important data collected or generated during operation within the territory of China. Exceptions may be approved following a security assessment in accordance with measures to be formulated by CAC in conjunction with other relevant departments under the State Council. | Will the local storage requirement affect cross-border data transfer between affiliates? Given the broad definition of Key Information Infrastructure, cross-border data transfer between China subsidiaries and overseas parent/affiliate operations (including sharing of data on customers, employees, etc.) may potentially be restricted by the local storage requirement or be subject to security assessment and approval. |
| Articles 35 and 36: Collection and Use of Personal Data | Network operators bear data privacy obligations in relation to the collection, use, storage, handling and confidentiality of personal information. Network operators and suppliers of software applications shall further abide by information dissemination rules, including monitoring the information published by their users or customers, suspending or ceasing to publish any prohibited or illegal information, establishing a platform for receiving and handling complaints, and the obligations of disclosure and taking remedial measures. | These provisions reinforce current requirements. |
| Responsible Agencies | The responsible government agencies in charge of cyberspace governance are CAC, the Ministry of Industry and Information Technology, and the Ministry of Public Security. They are assisted by other relevant government departments under the State Council, which are also responsible for cybersecurity protection, supervision and administration within their respective mandates. | |
The potential data residency and source code disclosure requirements concern many companies operating in China. Of wider concern are the possible restrictions, or even regulatory mandates, on the types of hardware and software a company can deploy in its China operations. We will continue to monitor these developments closely and will provide further updates on the legislative process of the Cybersecurity Law and the promulgation of new regulations under the cybersecurity regime as they become available.