30 November, 2020
Data has become a strategic asset in China’s digital transformation. In addition to huge opportunities, it also presents businesses with compliance challenges. With the growth of China’s digital economy and emerging technologies, the country’s legal regime for data has also developed at a rapid pace.
This article provides an overview of key regulatory requirements under the Cyber Security Law (abbreviated below as “CSL”) and discusses the law’s key implementing rules. It also looks at how China’s regulatory regime for cyber issues will most likely develop in the future.
The CSL regulates the construction, operation, maintenance and use of networks within the territory of China. Therefore, the CSL applies broadly to companies in all industries, and is not limited in its application to internet or IT companies, as the phrase “network operator” may suggest.
Under the CSL, network operators are required to comply with the Multi-level Protection Scheme (abbreviated below as “MLPS”) and establish internal security management systems in accordance with it. The MLPS is a regulatory classification scheme intended to protect the security of information systems located in China. Under the scheme, information systems are graded on a scale of 1 to 5. Network operators are required to take appropriate cybersecurity measures corresponding to the information system’s grade.
The CSL per se does not provide detailed requirements for the MLPS; therefore, businesses should consult other regulations such as the Administrative Measures for the Graded Protection of Information Security for further guidance. The Ministry of Public Security (abbreviated below as “MPS”) also released a new MLPS directive in 2018 titled Regulations on the Graded Protection of Cyber Security. These regulations are still in draft form and have yet to be finalized, but the national technical standards for the MLPS were upgraded by the MPS effective December 1, 2019. These new MLPS standards (generally referred to as MLPS 2.0) have expanded the applicability of the MLPS to cover cloud operations, big data, mobile applications, IoT and industrial automation.
Under MLPS 2.0, network operators are required to make a filing of their MLPS certification with government authorities if their IT systems are classified at level 2 or above, and they must have their IT system certified by a qualified cybersecurity institution if their IT systems are classified at level 3 or above. In addition, network operators providing cloud services in China are required to exercise a series of extended control measures, such as using China-based data centers, implementing network boundary protection for access control and security audits, and ensuring identity authentication, data recovery and backups.
According to the CSL, critical information infrastructure operators (abbreviated below as “CIIO”) are required to conduct the cybersecurity review prior to procuring network products or services that affect, or may affect, China’s national security. “CIIOs” refers to entities engaged in telecommunications, media, energy, finance, transportation, postal services, water conservancy, emergency management and the health-care business, as well as operators of important information systems in social security, national defense, science, technology and other fields.
The CSL does not provide any additional detailed requirements as to the criteria and procedures used for the abovementioned security review. However, this information gap was bridged when the Measures for Network Security Review came into force on June 1, 2020. Under the measures, any procurement of network products and services relevant to China’s national security is subject to the network security review procedure. Purchases only become effective after completion of the review. According to the measures, “network products and services” includes core network equipment, high-performance computers and servers, mass storage devices, large databases and application software, network security equipment and cloud computing services.
The measures require that detailed reviewing procedures be followed, whereby the process can be initiated either by the relevant CIIO or by the authorities. The review process normally takes 60 to 70 working days; when special reviews are undertaken due to the complexity of the situation, the entire process may take 120 working days, and reviews can be further extended if the circumstances are especially unusual or complicated.
Data localization is likely the most challenging compliance requirement mandated by the CSL for international companies. Under the CSL, any personal information or important data (as defined below) collected by CIIOs in China must be stored within China and not transferred abroad, unless the transfer is necessary for business reasons and a security assessment has been completed by the CIIO or by a third party and the results reported to the appropriate industry regulator. “Important data” is not defined in the CSL but in a draft guidance document titled Guidelines for Data Cross-Border Transfer Security Assessment, in which the term refers to industry data that does not fall into the category of national secrets, but impacts China’s national security, economic development or the public interest.
In practice, several difficulties arise from the data localization requirement. For example, the definition of critical information infrastructure (abbreviated below as “CII”) is not clearly defined under the CSL. Although the CSL contains a list of selected industries which are deemed CII, it is not clear whether all entities active in those industries would be viewed as CIIOs, or only those active in CII industries which also meet certain criteria. What those criteria might be remains unclear. The lack of transparency in the CSL on what constitutes “important data” and the broad and vague definition offered by the draft guidelines create uncertainty and leave room for interpretation by regulators.
Similarly, the draft Regulations on the Protection of Security of Critical Information Infrastructure issued by China Administration of Cyberspace (abbreviated below as “CAC”) in 2017 expand the scope of CII beyond what is found in the CSL, but the Data Security Measures issued in 2019 state that CIIOs will be identified by the relevant industry regulators, which suggests that regulators will play a greater role in determining who the CIIOs are in each sector.
In addition to the general restrictions imposed on CIIOs by the CSL, there are data localization requirements specific to certain industries, such as the financial, credit investigation, population management and genetic processing sectors. Therefore, companies are strongly advised to conduct a thorough risk assessment based on relevant laws and regulations before they transfer data abroad.
Chinese authorities have been active in enforcing the CSL, and numerous investigations have been carried out by CAC, MPS and other central and local authorities to “clean up the internet”. The authorities have focused their efforts on social media operators, e-commerce platforms, health-care institutions, financial service providers and educational institutions, and maximum administrative fines have been imposed. In 2019, thousands of mobile apps were removed from app stores for collecting and using personal data in violation of the CSL, failure to adopt a mechanism to prevent cyberattacks, and failure to include required content in the privacy policy and consent procedure.
The CSL and the relevant implementing regulations impose administrative, civil and criminal liabilities on companies and individuals that fail to comply with the legal requirements. Sanctions can range from investigations or raids by authorities, to the suspension of business operations, shutdown of websites, administrative fines, revocation of business licenses or operating permits, civil litigation and even criminal liability in case of a severe violation. Additionally, managers directly in charge can be held personally liable and subject to administrative fines and even criminal detention.
It is important that companies comply with the legal requirements laid out by the CSL and other relevant regulations. Non-compliance can lead to severe penalties and reputational damage. Compliance, however, is not a straightforward exercise because the CSL contains high-level requirements and some articles lack clarity or guidance for implementation. The CSL’s data localization requirement presents a special challenge for international companies that need to transfer data across borders.
Moreover, China launched a campaign in February 2020 to create new infrastructure as a way of offsetting the economic slowdown caused by COVID-19 and boosting sustainable development of the data economy. Another wave of digitalization is thus imminent, and China will continue to firm up its cybersecurity and privacy regime by passing new laws and formulating new standards.
For all of the above reasons, it is important that international companies keep close watch on regulatory developments and make appropriate adjustments to their business strategy and operations in China on an ongoing basis.