On November 7, 2016, the Standing Committee of the National People’s Congress (NPC) of the People’s Republic of China (PRC) passed the final Cybersecurity Law (CSL) after three rounds of review by the NPC since June 2015. As China’s first law addressing cybersecurity, the CSL marks China’s increasingly strict administration and supervision of cyber space, and its promulgation is a milestone for China’s cybersecurity legislation. The CSL will come into effect on June 1, 2017. Given the potential impact of the law, we suggest clients review it closely, especially when transmitting affected data out of the PRC.

With the wide use of information technology in both the private and public sectors, the PRC government now considers cybersecurity an important part of national security. With the highest number of internet users in the world and a booming internet economy, the PRC is also facing increasing cybersecurity challenges and risks. Moreover, data privacy has become a prominent issue, especially for PRC individuals. Reflecting the need for increased cybersecurity in China, the CSL incorporates previous practices of the PRC government in regulating cyber space, and also introduces certain new requirements.

Key Points

All business operators in and outside the PRC should pay attention to the following key points concerning the CSL and its implementation by the authorities for national security and public interest reasons:

  • Identify sensitive information that may trigger application of the CSL (e.g., classified secrets in the PRC National Secrets Protection Law and regulations, information in relation to military-related transactions and/or interests of the PRC or State-owned/controlled industries and infrastructure utilities, personal financial and health data, etc.).
  • Pay attention to the sources of the information and use caution in distributing sensitive information, especially when transmitting such information outside of the PRC.
  • The CSL and the enforcement authorities will crack down on online abuses, including “unhealthy” live programs and online disagreements which could cause disorder of markets and harm the public interest and moral values. The CSL also defines network operators as those who own or manage networks, or provide network services. These two definitions are broad and will include a wide range of targets.
  • The CSL will investigate all business operators that own, operate, build and/or maintain network and computer systems. All other business operators that use computer systems and networks for business operations and management should also comply with the requirements under the CSL with regard to data privacy protection in the PRC (e.g., the CSL applies to a wide range of network operators, including network owners and suppliers of network products/services). The CSL also has a “catch all” definition for the term “networks” which is broad enough to target a wide range of businesses.

Application of the Law

The CSL applies to the creation, operation, maintenance and use of networks by network operators within the territory of the PRC. Obligations under the CSL are structured on the basis of its broad definition of “networks” (“systems composed of computers or other terminals together with relevant devices to collect, store, transmit, exchange or process information following predefined rules and procedures”) and “network operators” (who own or manage networks, or provide network services).

Governing Authorities

The CSL mainly designates the Cyber Administration of China (CAC, an authority which is not widely known to the public) together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS) to be responsible for supervising and administering cybersecurity-related work.

Obligations of Business Operators 

Network operators should (i) formulate internal security protocols and working guidelines; (ii) have designated personnel in charge of cybersecurity issues; (iii) adopt technical measures to prevent viruses, cyber-attacks, network intrusion, etc., track security events and keep records for at least six months; (iv) implement data classification, backup of important data, and encryption; (v) prepare cybersecurity accident contingency plans; and (vi) assist governmental authorities in any national security or crime investigations if needed.

In addition to network operators, the CSL also requires that suppliers of network products and services provide non-malicious programs to users, obtain consent from users for gathering and transferring user information, and inform users and take remedial measures in case of security risks. However, the CSL does not provide a clear definition for “network products and services.” According to our communications with the local counterpart of MIIT in Shanghai, the official we consulted explained that the term “network products and services” refers to those products and services related to the maintenance and operation of a network, such as computer consumables, server maintenance services, etc.

When network operators provide services concerning internet access, domain name registration, fixed-line telephone and mobile phone access, they cannot provide those services to users who do not provide their actual identity.
