The controversial Cybersecurity Law of China, issued in November 2016 by the National Congress Standing Committee, will become effective on June 1, 2017. This new rule requires the network service providers in China to participate in protection of the national cybersecurity. Such service providers not only include the basic telecom operators, but also the value-added service providers, such as Internet content providers, and hardware and software providers.
The Cybersecurity Law of China sets forth requirements for the service providers which include having users’ true identities, storing data servers locally in China and providing “technical support” (wiretap access) to the Chinese government during investigations involving national security. Failure to do so may trigger not only monetary fines, but also the termination of one’s business license, or even certain criminal penalties. Even though the rule is highly restrictive on many security issues, it is the first time that the Chinese government has provided relatively clear language on privacy protection for personal information gathered in China. We might consider the privacy protection aspect as the silver lining of this new rule.
Faced with the new rule, what must foreign operations in China do? Because the detailed implementation regulations have yet to be issued, it would be extremely difficult to determine exactly what should be done immediately. However, certain major requirements call for close attention when considering how to comply:
1. True Identity
Service providers should require their users to provide their real names and true identities. If this requirement is not met, the involved entity may face a warning from the government and a fine of up to 500,000 yuan. If the warning does not result in compliance, more severe penalties may be involved. This could result in the termination of a business license or a personal fine of up to 100,000 yuan on the involved staff member of the entity, in accordance with Article 24 and Article 61 of the new rule.
2. Data Location
Data collected in China dealing with personal and import information will need to be stored in servers located inside the territory of China. If such data needs to be transferred across borders to another country to conduct business, it must be handled in compliance with the rules established by the relevant governmental agencies, and certain evaluations of the involved data may be triggered, based on Article 37 of the new rule.
3. Technical Assistance
Network operators must provide technical assistance (wiretap access) when National Security and criminal investigations are involved, in accordance with Article 28 of the new rule.
There are more specific requirements, evaluations and approvals imposed on foreign hardware and software providers for infrastructure projects. Therefore, care must be taken to be in compliance on these issues.
5. Data Protection
The rule requires that a data protection system needs to be established to prevent data breach, and the system should include the following elements:
- Establishing internal policies for security management including appointed responsible officials
- Adopting appropriate technical measures for preventing the breach
- Monitoring and recording
- Classifying data and ensuring that sensitive data is encrypted
- Complying with other related rules and requirements
If a breach occurs, an immediate report to the relevant authority is required. (There are more steps for protection required for those service providers involved in infrastructures.) The recordkeeping should be no less than six months.
6. Data Collection and Use
Personal information collection must be conducted in a manner in which users will be informed about the purpose, the method and the scope of the collection, and user agreements should be obtained before the collection, in accordance with Article 41 of the new rule. The minimum necessity of collection and the narrowed permissible purpose of use principles are all to be applied in accordance with the broad language of this new rule.
7. Data Disclosure
The collected data should not be disclosed to a third party unless: (1) personal consent is obtained from the person from whom the data was collected; (2) the data has been de-identified, based on Article 42. If certain information must be disclosed to governmental authorities for national security purposes, such information can only be used for this particular involved case and nothing else, in accordance with Article 30 of the new rule.
Because the purpose of this new rule is to protect cybersecurity in China, the government has adopted special actions to ensure enforcement, and the government will conduct random inspections of companies’ security systems. Certain sectors involved in infrastructure are required to conduct regular maneuvers (tabletop) for handling potential security breaches. The operators must have specific plans for dealing with security breach emergencies.
The most important requirement for a foreign operation in China from the governmental perspective is the obligation to provide technical assistance (wiretap access) or any other related technical access when national security and criminal activities are involved. Actually, this requirement has existed in real practice in China for some time. This Cybersecurity Law of China has codified the practice.
Suggested Promulgation of Personal Information Protection Law
In addition to passing cybersecurity measures, China is considering an independent law protecting personal information, which representatives of the National Peopleʼs Congress (NPC) suggested during the NPC held at Beijing in March 2017. The suggestion was triggered by an unfortunate 2016 instance in which Ms. Xu Yuyu, a student just about to enter college, encountered telecommunication scam. As a result, her 9,900 RMB was taken away. Xu suddenly went into cardiac arrest after reporting the case to the police. Her death triggered a high degree of concern about personal information leakage.
Even though rules relating to personal data protection are found across various laws and regulations in China, there is not a dedicated personal data protection law in China. Several representatives of the NPC pointed out the urgency to launch a systematic personal data protection law to codify the right of personal information, strengthen industry supervision, regulate personal data collection and disclosure, and set out responsibilities and liabilities for data leakage