
China’s New Cybersecurity Law and Its Impact on Doing Business in China

2017-10-31

China’s new cybersecurity law came into effect on 1 June 2017. The new law promotes two key objectives:

· protect China against cyberattacks, and

· protect the rights and interests of Chinese citizens from cyberattacks and the misuse of personal information.

The new law not only has a comprehensive framework on cybersecurity but also gives privacy protection to Chinese citizens.

A number of legal measures that relate to cybersecurity also came into effect on 1 June 2017. On 11 April 2017, the Cyberspace Administration of China (“CAC”) released a draft (“Draft”) Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (“Local Data”) to solicit public comments. The consultation has ended and it is expected that the finalized measure for security assessment of outbound transmission of Local Data will be issued soon.


Key Provisions of the Cybersecurity Law

The new law operates under a data localization rule that imposes an obligation on operators of “Critical Information Infrastructure” (“CII”) to store personal information and other important data collected and generated during operations within China.

For outbound data transfer of Local Data, the new law requires CII operators to undertake security assessment before transferring such data abroad. The security assessment shall be conducted by the CAC and the State Council (unless permission for the transfer is already provided under another law).

CII is defined broadly as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest.” It includes public communications and information services, energy, transportation, water conservancy, finance, public services and e-government.

CII also covers operators who operate networks used for critical public services and private sector operators who operate networks which, if breached, would cause serious damage to state security, the Chinese economy or to the public at large.

The new law also covers “Network Operators” (“NOs”), a term defined widely to include any business that owns and operates IT networks in China, including a computer network, website, app or other electronic platform on which information collected from third-party users in China is stored, transmitted, exchanged or processed.

Under the new law, NOs need to:

· make public all privacy notices;

· obtain individual consent for collecting and processing personal data; and

· implement technical safeguards against the loss and destruction of personal data, and observe data minimization, confidentiality, and the data subject’s rights to accuracy and to restriction of processing of personal data.

Under the new law, personal information is defined as all kinds of information, recorded electronically or by other means, that is sufficient to identify a person, including but not limited to:

· full names;

· birth dates;

· identification numbers;

· personal biometric information;

· addresses; and

· telephone numbers.

NOs must provide internal security management systems that include:

· appointment of dedicated cybersecurity personnel;

· retention of network logs;

· reporting risks in network services and products to users and the authorities;

· having contingency plans for network security incidents and reporting such incidents to the authorities; and

· providing assistance and cooperation to public security bodies and state security bodies to safeguard national security and investigate crimes.

The third category of operators covered by the new law is IT Product Suppliers, which are required to:

· provide security maintenance for all services and products for the full term of the contract—security maintenance cannot be terminated within the contract term; and

· obtain, before cybersecurity products and services are sold or produced in the PRC market, a government certification and/or meet the prescribed safety inspection requirements and national standards.


Proposed Security Assessment for Cross-Border Transfer of Local Data under the Draft

The Draft seems to extend the applicability of the data localization rule from CII operators to all NOs. The implication is that virtually all entities established in China that access and use the Internet in the course of their business operations might be caught and could be required to keep a copy of the personal data and other important data collected and generated in the course of the NO’s operations in China (Local Data).

If an NO seeks to transfer the Local Data overseas for business needs, it must undergo a security assessment. The Draft provides for two types of security assessments: (i) self-assessment; and (ii) government-administered assessment (“GAA”).

NOs must conduct a security self-assessment before transmitting Local Data overseas (unless a GAA is triggered) and be responsible for the results of the assessment.

A GAA is triggered if the intended outbound cross-border data transmission involves any of the following circumstances:

· the data contains, or cumulatively contains, personal information of more than 500,000 individuals;

· the amount of data exceeds 1,000 GB;

· the data contains, among others, data regarding sectors such as nuclear facilities, chemical biology, national defense and military, and population health, as well as data related to large-scale engineering activities, the marine environment and sensitive geographic information;

· the data contains cybersecurity information such as system vulnerabilities or security protection measures in respect of CII;

· the transmission is a provision of personal data and other important data to overseas recipients by operators of CII; and

· other circumstances that may affect national security or public interests.

NOs must, based on their business development and network operation status, conduct a security assessment of outbound data transmission at least once a year and report the assessment results to the relevant industry regulator.

In addition to the annual security assessment, NOs are required to conduct a new security assessment each time:

· there is a change in the data recipient or a significant change in the purpose, scope, volume or type of the outbound data transmission; or

· there is a major security incident involving the data recipient or the data transmission abroad.

Industry regulators shall be responsible for organizing and administering GAA. If a GAA is triggered but the competent industry regulator cannot be identified, CAC shall take charge of the GAA.

The Draft provides a definition of what is “Important Data.” It refers to data that is closely related to national security, economic development and public interest.

In terms of privacy protection, in general, NOs shall inform data subjects of the purpose, method and scope of collection and use of personal data and obtain data subjects’ consent.

The Draft provides that, in order to transmit personal information out of China, NOs must inform data subjects of the purpose and scope of the outbound data transmission, the content and the recipient(s) (countries or regions) of the information transmitted and need to obtain consent.

Under the Draft, outbound transmission of Local Data is prohibited:

· if the data subject has not consented, or the transmission could infringe the data subject’s interests; and

· if the intended transmission would create a security risk in terms of national politics, the economy, science and technology, national defense, etc., and could affect national security or harm the public interest.


Conclusion

Organizations that conduct business in China should start to review their data privacy and cybersecurity policies to ensure compliance with the incoming law and measures. NOs with a need to transmit personal data collected within China and abroad should review and amend their existing privacy policies or statements in order to ensure compliance.

It is not known whether a transmission of Local Data from mainland China to Hong Kong would be construed as a “cross-border” transfer, and we may need to wait for further measures or a Court explanation before this becomes clear. But given that the new cybersecurity law does not apply to Hong Kong under the “One Country, Two Systems” principle, it would defeat the purpose of the data localization rule and privacy protection if Local Data could be transferred from mainland China to Hong Kong without any security assessment.

(This article, written by our Partner Mr Dominic Wai, is also published in the Fall 2017 issue of Paradigm published by the International Society of Primerus Law Firms.)

For enquiries, please contact our Litigation & Dispute Resolution Department:

E: employment@onc.hk
T: (852) 2810 1212
W: www.onc.hk
F: (852) 2804 6311

19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong

Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.

Published by ONC Lawyers © 2017
