Licensed telcos and internet businesses in China face a new wave of investigations by the Ministry of Industry and Information Technology (“MIIT”) as they announce a new enforcement campaign aimed at ensuring network security compliance.
The campaign will affect telcos, internet businesses, domain name registration service providers and those otherwise licensed or certified by MIIT or other relevant telcos authorities (Network Operating Organisations).
Investigations will focus on reviewing and overseeing the establishment and operation of network infrastructures and systems used by such Network Operating Organisations for the purposes of collecting, storing or otherwise processing user information or network data, including internet data centres, public cloud service platforms, internet content delivery networks, instant communication systems, network transaction systems, email systems, app stores, apps and backend platforms etc.
Network Operating Organisations must:
- conduct a self-evaluation of their networks and systems; and
- file the respective self-evaluation report to the MIIT by 15 July 2019.
Following the filing period, the authorities plan to conduct random checks, on-site interviews and investigations of selected organisations and order non-compliant practices to be rectified. Failure to rectify may result in sanctions being imposed.
Going forward, Network Operating Organisations must report any risks identified to their networks and systems.
The announcement by MIIT is in line with the actions recently taken by other regulators, with multiple regulatory authorities now publishing separate and varying guidelines regarding the protection of networks and information systems and data security in China. As the cyber and data security enforcement landscape continues to develop at a rapid pace, organisations must be mindful that, depending on the nature of their business and location, they may have to answer to more than one regulatory authority and comply with more than one set of rules or guidelines.