The recent adoption of China’s sweeping new cyber-security law, and a follow-up draft security review framework published last month, serve as a stern warning to foreign companies in the country that it’s time to reassess their data privacy practices and cyber-security controls.
The Standing Committee of the National People’s Congress, China’s top legislature, passed the “Cyber-security Law of the People’s Republic of China” in November. It takes effect June 1, 2017.
China’s cyber-security law primarily applies to the “construction, operation, maintenance, and usage of networks, as well as network security supervision and management within the mainland territory of the People’s Republic of China,” according to an unofficial English translation of the law provided by China Law Translate. The overall intent, the law states, is “to ensure network security, to safeguard cyberspace sovereignty, national security, and the societal public interest.”
One provision that has garnered a significant amount of attention from foreign companies in China is the data localization requirement. That provision requires that personal information and other “important data” gathered and produced by “critical information infrastructure” (CII) operators must be stored on servers physically located within mainland China.
This could pose challenges for multinational companies that need to transfer data across borders in their business operations; foreign companies subject to the law would need to get government permission before transferring data out of the country. “The law is significant, as it is China’s first to enact rules on the collection and use of personal data,” states a report by the Information Technology & Innovation Foundation, a Washington think tank.
According to the law, “personal information” broadly refers to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity, including, but not limited to, natural persons’ full names, birth dates, identification numbers, addresses, telephone numbers, and more.
CII operators found in violation of the data localization provision will be sanctioned with a warning, or worse, the confiscation of unlawful gains, website shutdown, revocation of relevant operations permits, or a fine ranging between RMB 50,000 and 500,000. Individuals who are directly in charge will be fined between RMB 10,000 and 100,000.
Data protection measures. The cyber-security law also imposes numerous data protection measures on network operators, defined as “network owners, managers, and network service providers.”
The data protection measures required by the law are the same measures many companies have already implemented as best practice, including:
Strictly maintaining the confidentiality of user information they collect;
Making data privacy notices publicly available, explicitly stating the purposes, means, and scope for collecting or using information;
Adopting technical measures to ensure the security of personal information and prevent against loss, destruction, or leaks; and
In the event of a data security breach, taking immediate remedial action and promptly notifying users and relevant authorities.
Furthermore, the law states that network operators shall not provide an individual’s personal information to others without the individual’s consent or illegally sell an individual’s personal data; gather personal information unrelated to the services they provide; or disclose, tamper with, or destroy personal information that is gathered.
The various requirements concerning personal information are not that different from other regulatory regimes, such as the European Union’s General Data Protection Regulation (GDPR). “The key difference is the need to obtain consent from the individuals concerned,” says Clarice Yue, a senior managing associate at Bird & Bird in Hong Kong.
“In other words, China requires both notification and consent, and this is not restricted to direct marketing or transfer of sensitive personal information,” Yue says. “A lot of the companies operating in China are already familiar with this dual requirement as they do appear in other key legislation, such as the PRC Protection of Consumer Rights Law.” Various national standards on network security also exist, which will provide useful guidance to companies, she says.
Cyber-security reviews. Another provision raising concerns among foreign tech companies in China stipulates that network security products and services procured by CII operators that may impact national security must pass a cyber-security review.
Examples of key infrastructures cited by the Chinese government are expansive, sweeping in public communication and information services, energy, water resources, financial services, public service, and e-government affairs. In practical terms, any of these sectors could be required to use only computing equipment approved by state authorities to pass a security review.
The scope of those security reviews may be expanded even further, under a draft security review framework issued in February by the Cyberspace Administration of China (CAC), China’s chief internet regulator. The draft measures appear to broaden the scope of cyber-security reviews by loosely stating that “important network products and services” used in information systems in connection with national security and the public interest are subject to its inspection requirements.
The CAC, together with other unidentified authorities, will form a newly established “network security inspection committee,” tasked with administering inspection policies and overseeing network security inspections. According to the draft measure, cyber-security reviews primarily will focus on the “security and controllability” of the following risks:
Operation risks: illegal control, interference, or interruption to the operation of these products and services;
Supply chain risks: risks in research and development, delivery, and technical support activities;
Data-security risks: the risk of providers using products and services to illegally collect, store, and process data; and
User-dependency risk: risks associated with suppliers of network products and services drawing on user dependency to unfairly compete or impair their users’ interests.
The focus on user-dependency risk is particularly concerning for foreign technology companies “whose products and services, even without monopoly behaviors, may dominate the market due to their competitiveness and the lack of alternative products and services,” states a client alert from law firm Davis Wright Tremaine.
Neither the cyber-security law nor the draft measures spell out what information will be required for a cyber-security review. Without detailed guidelines, it is unclear, for hardware products, “what and how detailed technical documents should be provided for review,” and, for software products, “whether source code and decryption algorithm should be disclosed to the government,” the Davis Wright client alert states.
According to the draft measure, a cyber-security review may be initiated at the request of a government agency or trade association, in response to incidents in the market, or if a company voluntarily submits its product or service for review. Once the cyber-security review is initiated, an authorized third party will evaluate the products and services first, followed by an overall assessment conducted by an expert panel.
The cyber-security review committee will then make a decision based on the expert panel’s assessment report. With no appeal mechanism mentioned, it appears the committee’s decision will be the final decision.
The review process itself will consist of four elements: lab testing, an on-site inspection, online monitoring, and review of background information. The draft measure is silent, however, on the overall timeframe of each element of the review or the review as a whole.
Below is an excerpt from the draft measures on the security review of online products and services.
Article 9. The competent government departments of key sectors such as finance, telecommunications and energy shall organize the implementation of the cyber-security review of online products and services in their respective industries or sectors pursuant to the requirements for the national cyber-security review.
Article 10. The Party and government departments as well as key industries shall give priority to online products and services that have passed the review in procurement, and shall not procure any online products or services that fail to pass the review.
Article 11. Where any online products or services that are purchased by critical information infrastructure operators may affect national security, such products or services shall be subject to the cyber-security review. Whether any online products or services purchased by critical information infrastructure operators affect national security shall be determined by the authority that is responsible for protecting critical information infrastructure.
Article 12. Third-party agencies performing the cyber-security review shall adhere to the principles of objectivity, fairness and justness, and carry out evaluation of online products and services and providers focusing on the controllability, transparency and creditability, and be responsible for the review results.
Article 13. Providers of online products and services shall cooperate in the cyber-security review. Third party agencies and related organizations and personnel shall undertake the security and confidentiality obligations for any information learned in the review, and shall not use such information for any purpose other than the cyber-security review.
Article 14. The Cyber-security Review Office will issue the security evaluation reports for providers of online products and services from time to time.
Source: Chinese government (translation provided by Covington & Burling)
Network products and services that fail to pass a cyber-security review will be prohibited from being procured by party and government departments and operators of key industries. Companies seeking to supply network products and services to operators of CII in China—such as energy, finance, and telecommunication—should stay on top of these developments.
“As the draft measures come into force in the coming months, such companies will need to carefully assess the implications of the draft measures, including whether to voluntarily seek security reviews for their products or services,” states a client alert from law firm Covington & Burling.
Data-security obligations. Most of the data protection-related requirements are not new. In fact, many of the cyber-security requirements can be found in sector- or industry-specific regulations.
“It is, however, the first time that we have a piece of overarching legislation codifying all these requirements,” says Michele Chan, a partner at Bird & Bird in Hong Kong. “The ‘new’ compliance requirements—which certainly are not new to telecom companies or financial institutions—relate mostly to cyber-security.”
For example, companies are required to:
Appoint a cyber-security officer;
Implement measures to protect against viruses, cyber-attacks, and invasion;
Record and monitor the relevant network and network incidents (retain network logs for at least six months);
Adopt measures such as data classification, back-up of important data, and encryption; and
Formulate emergency response plans for network security incidents, and periodically organize drills.
“Technical support” to enforcement authorities. Another provision in the law requires network operators to provide “technical support” to authorities for national security and law enforcement purposes. Some in the industry have concerns that this could include forcing companies to build backdoors to their encryption.
“There is no subpoena process in China,” says Dan Whitaker, managing director of China operations at e-discovery and managed review provider Consilio. “Your data is really at the mercy of the Chinese government.”
Whitaker, who serves as vice chair of the technology and innovation committee at the American Chamber of Commerce in Shanghai in a volunteer capacity, says China’s anti-corruption law is currently a “big topic” of concern.
In fact, the American Chamber of Commerce in Shanghai is among more than 40 international business and technology groups representing hundreds of companies that expressed “deep concern” about several sweeping provisions in the law in a letter to the Chinese government.
Specifically, the letter states, “We remain particularly concerned about provisions in the new cyber-security Law and related measures that mandate broad data residency requirements and restrictions of cross-border data flows, trade-inhibiting security reviews and requirements for ICT products and services, and broad requirements for data sharing and technical assistance that may decrease the security of products and harm consumer privacy.”
Given that numerous terms in the law remain vague and unclearly defined, potential CII operators in China should continue to proactively engage in discussions with industry groups and corporate counsel on how to best comply with the law.
“A preliminary self-assessment can be conducted to assess the risks for compliance,” writes Xiaoyan Zhang, counsel at law firm Mayer Brown in Shanghai. “Tools such as data maps can be used to identify the physical locations of data and data flow charts to track the data’s life cycle. Extra caution must be taken to ensure that legal requirements and technology jargon are not lost in translation during internal communications.”
Further guidance, which companies should closely monitor, is expected to be published in the coming months. The law itself only sets out a framework. Forthcoming rules and standards are what will provide more concrete guidance to companies as to how best to comply with the new law.