On June 1, 2017, China’s new cybersecurity law will go into effect. The law, which intends to better protect against Internet security threats and risks, will affect companies of all sizes regardless of whether or not they have a physical presence in China. Currently, China, similar to the United States, does not have a single data protection law that spans industries. Rather, it regulates cybersecurity through various industry-specific laws. Likewise, China does not have a single regulating body to enforce the numerous data protection laws.
The new law covers a range of topics. However, not every aspect of the law applies universally. Instead, many key provisions apply to either “network operators” or “critical information infrastructure” (CII) providers. “Network operators” includes network owners, administrators, and service providers, indicating a very broad interpretation. Many companies could qualify as “network operators,” including companies that use networks to conduct business in China.
Among other provisions, “network operators” must:
- Obtain individual informed consent prior to the collection of personal data
- Retain a log of all cybersecurity incidents for no fewer than six months
- Implement safeguarding measures and maintenance of systems
- Create a cybersecurity incident plan
- Back up and encrypt data
CII concerns those that provide services important to Chinese national security or public interest. Specifically, the law defines CII providers as those that provide services that, if lost or destroyed, would harm China’s national security or public interest. In addition to engaging in the same cybersecurity practices as network operators, CII providers face additional requirements, such as conducting reviews of their cybersecurity practices annually.
Additionally, the law requires CII providers to store “personal information” and “important data” within China unless their business necessitates the storage of data overseas and they have passed a security assessment conducted by the National Cyberspace Administration and State Council. It remains unclear what the law intends by “important data,” although many predict that its inclusion next to “personal information” means it refers to non-personal data. Several pre-existing industry-specific regulations already impose a data localization requirement.
Furthermore, on April 11, the Chinese government released the Draft Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data. These measures are the implementation rules for the Cybersecurity Law. If finalized, these measures would further restrict international data transfers. Under these measures, “network operators” who either plan to transfer more than one terabyte of data internationally or have collected data on more than 500,000 individuals would be required to both obtain the consent of the individuals and pass certain security assessments. Relevant enforcement authorities may block the transfer.
The new law provides for both financial and criminal penalties. The law also provides the Chinese government with the authority to issue administrative penalties.
While the June 1, 2017 effective date is approaching quickly, it is anticipated that Chinese authorities will provide practical guidance. However, companies that conduct business in China, with or without a physical presence in the country, should review their cybersecurity policies and data protection measures to ensure compliance with the new law.