The PRC Cybersecurity Law will come into force on 1 June 2017, and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.
While Chinese officials maintain that the new law is not closing the door on foreign companies, there has been widespread international unease that competition may be stifled. There is also concern regarding data localisation, perceived increased surveillance, and the handover of proprietary information to Chinese authorities. Other new obligations – including enhanced personal data protections – have been less controversial, but could signal a change to the enforcement environment in China.
Some of the key provisions include:
- A range of new obligations that apply to organisations that are “network operators”. There is speculation that this definition could potentially catch any business that owns and operates IT networks/infrastructure or even just websites in China.
In terms of data protection, the new law formalises as binding legal obligations some safeguards that were previously only perceived as best practice guidance in China. Network operators must comply with comprehensive data protection obligations, including notification/consent, data security and breach notification requirements. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction, and so seemingly offers a broader protection to all personal information.
As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of a classified cybersecurity protection system, which prescribes a wide range of security measures, standards and reporting requirements.
Network operators must also provide technical support and assistance to state security bodies. The form and extent of such co-operation is not currently clear.
- Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (“KIIOs”) during operations in China must be kept within the borders of the PRC, unless a Government-approved security assessment is conducted or other PRC laws permit the overseas transfer. While the new law specifies that certain sectors (such as utilities and finance) will be considered KIIOs, the definition remains vague and also considers the impact of security breaches, and so could capture a broader range of organisations. While “personal information” is defined, the types of information that might constitute “important data” is also currently unclear.
- Additional security safeguards apply to KIIOs, including staff vetting and training obligations, and annual assessments. Strict network-related procurement procedures will apply.
- Providers of “network products and services” must also comply with prescribed security measures, standards and reporting requirements; and notably must provide security maintenance support that cannot be terminated within the agreed customer contract term. This will require technology providers to update their current maintenance offerings and contracts.
- Critical network equipment and specialised cybersecurity products must obtain government certification or meet safety inspection requirements.
Great uncertainties remain as to how the new legislation will be applied and enforced. Organisations are advised to review their data compliance programmes before the new law comes into force and as further guidance becomes available.