On 7 November 2016, the National People’s Congress (“NPC”) Standing Committee enacted the Network Security Law of the People’s Republic of China 2016, which will take effect 1 June 2017.
The law was first circulated in draft form on 6 July 2015. A revised draft was released on 5 July 2016.
The final version of the law includes some changes, but the core principles in the drafts remain:
- Network operators. This is broadly defined as “network owners, managers and network service providers” and could include any person in China from an internet service provider to the owner of a commercial website operated through a domestic network. Network operators are subject to a series of obligations designed to protect networks from disturbance, damage or unauthorised access and prevent network data from being divulged, stolen or tampered with.
- Critical information infrastructure (“CII”). These include public communication and information services, energy, transportation, water conservation, finance, public services, e-government and other important industries and sectors that could threaten national security, people’s livelihood and the public interest in case of damage, loss of functionality or data leakage. CII operators are subject to the obligations imposed on network operators and to a set of additional obligations, including data localisation requirements, national security review for procurement and annual safety and risk assessment and reporting.
- Critical network equipment and dedicated network security products. These must conform to relevant national standards and undergo safety certification or safety testing by qualified institutions before sale or use.
- Personal information. The law imposes obligations in relation to personal information gathered by network operators. This refers to information that by itself or in combination with other information can be used to identify an individual, including name, date of birth, ID card number, biological identification information, address, and telephone number.
Paul McKenzie, Partner, Morrison & Foerster, Beijing and Shanghai
“The Network Security Law has potentially far-reaching consequences for CII operators as well as suppliers of network equipment and technology. But the devil is in the details, and, in relation to a number of the more key provisions of the law, the legislators have pushed key decisions to the State Council rather than making decisions themselves. Leaving the State Council to determine the precise meaning of CII is just one example.”
The meaning and actual impact of many of these broad concepts and terms will be fleshed out in implementing rules to be formulated by the State Council, presumably before the law takes effect next June. In the meantime, General Counsel for companies that own, operate or administer a computer information network or website in China should closely examine the data privacy requirements to begin assessing the potential impact on their business, network infrastructure and policies on data collection and storage. General Counsel for companies that could be regarded as CII operators should also study the additional data localisation and other requirements as part of the impact assessment. Counsel for companies that manufacture and distribute network equipment and network security products should work with government relations colleagues in an effort to have these products included in the pending catalogue of qualified products.