On 5 July 2016, the NPC circulated for public comment the Network Security Law of the People’s Republic of China (Draft) (Draft for Second Review) 2016. The second draft contains significant changes including the following:
- The first draft required network operators to retain network logs and co-operate with government authorities. The second draft further imposes penalties for failing to co-operate with government authorities.
- The first draft defined “critical information infrastructures” by providing a set of examples. The second draft replaces these examples with a broad definition that appears to capture any network or system that, if damaged or breached, could seriously endanger national security or the national or public interest.
- The first draft permitted companies to store data overseas upon completion of a security evaluation. The second draft permits companies to provide information overseas, but requires data to be stored in China.
Paul McKenzie, Managing Partner, Morrison & Foerster, Beijing and Shanghai
“The draft Network Security Law is an important component of a broader programme among various arms of the Chinese government to increase network security, parts of which threaten market access for international IT companies and which potentially present challenges to international companies in banking and other sectors, who may find their domestic IT infrastructure regulated as ‘critical information infrastructure’. We had hoped the second draft would clarify the scope of the term ‘critical information infrastructure’ so companies could have a clearer sense of the scope of the related data localisation requirement. No such luck. In fact, the NPC Standing Committee has kicked the can further down the road by delegating to the State Council not only the job of defining the term but also of stipulating the specific security measures other than the data localisation requirement that will apply to key information infrastructure. So uncertainty remains, both for operators of IT infrastructure and for suppliers of IT products and services.”
General Counsel for companies that may be regarded as operating critical information infrastructures should work with business colleagues to formulate contingency plans in case the companies are required to relocate servers to China. General Counsel for network operators should ensure compliance with the obligations on retaining network logs and co-operating with government authorities. General Counsel for all companies with China operations should take steps to ensure that personal information is kept strictly confidential.