On 6 July 2015, the Legislative Affairs Commission of the Standing Committee of the National People’s Congress issued a draft of the People’s Republic of China Cyber Security Law (CSL) for public comment. The deadline for submitting comments is 5 August 2015.
Once adopted, this will be the first Chinese law that focuses exclusively on cyber security. The draft signals that the Chinese government is preparing to tighten its grip on domestic networks and data security, which is in line with the National Security Law.
In this article, I will provide some lawyers’ opinions, with which I agree, discussing the impacts the draft may have on both business and social life in China.
1. Overview of Cyber Security in China
Network and information technology have developed rapidly, penetrated deeply into all aspects of China’s economy and society, and greatly changed people’s social activities and lifestyles. While promoting technological innovation, economic development, cultural prosperity and social progress, they have also made cyber security issues increasingly prominent.
Firstly, network intrusions, cyber-attacks and other illegal activities pose serious threats to the security of the information infrastructure in telecommunications, energy, transportation, finance, national defence, administration and other important fields, while cloud computing, big data, the internet of things and other new technologies and applications face an increasingly complex cyber security environment.
Secondly, the illegal acquisition, disclosure or resale of citizens’ personal information, the insulting and slandering of others, intellectual property infringement and other illegal activities frequently occur on the internet and seriously damage the legitimate rights and interests of citizens, legal persons and other organizations.
Thirdly, the promotion of terrorism and extremism, incitement to subvert state power and overthrow the socialist system, and the spread of obscene, pornographic and other illegal information through the network seriously jeopardize national security and the public interest. Cyber security has become a major issue relating to national security and development and to the direct interests of the masses. [1]
2. Legislation Relating to Cyber Security in China
2.1. Criminal Law (Revised in 2011)
Article 285: Whoever, in violation of State regulations, invades the computer information system in the fields of State affairs, national defence construction or sophisticated science and technology shall be sentenced to not more than three years of fixed-term imprisonment or criminal detention.
Whoever, in violation of the State’s provisions, intrudes into a computer information system other than that prescribed in the preceding paragraph or uses other technical means to obtain the data stored, processed or transmitted in the said computer information system or exercise illegal control over the said computer information system and where the circumstances are serious, shall be sentenced to fixed-term imprisonment not more than three years or criminal detention, and/or be fined; or where the circumstances are extremely serious, shall be sentenced to fixed-term imprisonment not less than three years but not more than seven years, and be fined. Whoever provides special programs or tools specially used for intruding into or illegally controlling computer information systems, or whoever knows that any other person is committing the criminal act of intruding into or illegally controlling a computer information system and still provides programs or tools for such a person, and where the circumstances are serious, shall be punished pursuant to the preceding paragraph.
Article 286: Whoever, in violation of State regulations, cancels, alters, increases or jams the functions of the computer information system, thereby making it impossible for the system to operate normally, if the consequences are serious, shall be sentenced to fixed-term imprisonment of not more than five years or criminal detention; if the consequences are especially serious, he shall be sentenced to fixed-term imprisonment of not less than five years.
Whoever, in violation of State regulations, cancels, alters or increases the data stored in or handled or transmitted by the computer information system or its application program, if the consequences are serious, shall be punished in accordance with the provisions of the preceding paragraph.
Whoever intentionally creates or spreads destructive programs such as the computer viruses, thus affecting the normal operation of the computer system, if the consequences are serious, shall be punished in accordance with the provisions of the first paragraph.
Article 287: Whoever uses computers to commit the crimes such as financial fraud, theft, embezzlement, misappropriation of public funds and theft of State secrets shall be convicted and punished in accordance with the relevant provisions of this Law.
2.2. Protection of Consumer Rights and Interests Law (Revised in 2013)
Article 29: When a business operator collects or uses the personal information of a consumer, it shall follow the principles of acting in a legal, justifiable and necessary way, shall expressly indicate the purpose, method and scope of the collection or use of the information, and shall obtain the consent of the consumer.
When a business operator collects or uses the personal information of a consumer, it shall announce its rules for the collection and use of the information and shall not violate laws and regulations and the agreement between itself and the consumer.
A business operator and its staff shall strictly keep the collected personal information of consumers confidential and shall not disclose or sell such information nor illegally provide such information to others. A business operator shall take technical and other necessary measures to ensure the safety of such information and prevent the personal information of consumers from being disclosed or stolen. In case the information has been or potentially will be disclosed or lost, remedial measures shall be taken promptly. Business operators shall not send commercial information to consumers who have not requested such information or who have not consented to or have explicitly refused the receipt of such information.
2.3. Provisions on Protection of Personal Information of Telecommunication and Internet Users
Article 14: In case of any divulgence, damage or loss, or potential divulgence, damage or loss, of the personal information of users stored by telecommunication business operators and internet information service providers, the telecommunication business operators and internet information service providers shall immediately take remedial measures; where this causes or may cause any severe consequence, the telecommunication business operators and internet information service providers shall immediately report to the telecommunication administration authorities that granted their licences or accepted their filings, and cooperate with the investigation and handling conducted by the relevant authorities. …
3. National Security Law (NSL)
3.1. Overview of National Security Law
China had a more conventional national security law prior to the enactment of the NSL. The 1993 national security law was largely designed to defend China against espionage activities. In November 2014, China revised and restyled the old national security law as the People’s Republic of China Counter Espionage Law to make way for the NSL, which was being drafted then with a much broader scope of application in mind.
Broad definition of national security
The NSL defines national security as "the status whereby there is a relative absence of international or domestic threats to the state’s power to govern, sovereignty, unity and territorial integrity, the people’s welfare, sustainable economic and social development, and other significant national interests, as well as the ability to maintain security on a continuous basis".
This general definition is followed by topical sections ranging from politics, the military, the economy, finance, culture, technology and territorial sovereignty to cyber security, ideology and religion. Clearly, the NSL takes a broad and flexible approach to defining national security, one that goes well beyond the conventional, narrower concept of national security revolving around national defence. From a business perspective, the key concern is the reference to "economic development" as part of China’s national security – i.e. in addition to the existing laws and regulations, commercial activities and investments will be considered separately in the light of this broad and amorphous perspective of national security. [2]
3.2. Insecurity for Foreign Businesses Created by the National Security Law
The NSL expands the National Security Review (NSR) regime to cover foreign investment, IT products and services, and merger control.
With its 84 provisions, the NSL expands national security concerns from the core area of national defence to a wide range of geopolitical, cultural and economic issues that have more to do with tightening the ruling Communist Party’s grip on China. The NSL may also provide a source of principles to be taken into account when government bodies draft policies or further regulations.
Foreign companies doing business in or with companies in China will need to brace themselves for further uncertainty until there is greater visibility on how the NSL will be implemented in practice. However, the overall effect of this and other legislation currently going through the system is to make foreign investors increasingly nervous about the impact on their existing and future investments in China, and there is a worrying sense that China may be looking inwards rather than outwards for its future growth and prosperity. [3]
4. Features of the Draft CSL
4.1. Expanding Government’s Power
The Chinese government is determined to assert a tighter grip over China’s networks in order to increase national security and stability. With broad-reaching implications, the Draft Cyber Security Law proposes to accomplish that through strict regulation of network operation and network information security.
Under the current Draft, some network operators (e.g. network service providers with a significant number of users) will be deemed operators of key information infrastructure facilities and will be required to adhere to the new key information infrastructure regulations. Network information security will be regulated under both a top-down and a bottom-up regulatory structure which holds network operators responsible for controlling the publication of information on their networks and platforms.
Currently, the Draft is open to public discussion and comments until 5 August 2015. Once adopted, it will almost certainly have significant influence on all sectors of business in China. Especially given China’s broader Internet+ strategy [3], adoption of the Draft would have broad and fundamental effects on Chinese society. [4]
4.2. Potential Challenges for Firms in "Key Industries"
It must be understood that a key purpose of the CSL will be to establish oversight power over pertinent cyber security issues with the relevant governmental authorities, where the "… national cyberspace administration [and other] industry and information departments of the State Council, public security departments, and other relevant departments [which] shall be responsible for cyber security protection…."[5] What said governmental entities may oversee is broadly defined as the "construction, operation, maintenance and use of the network as well as the supervision and management over cyber security within the territory of the People’s Republic of China."[6] With such a broad mandate in terms of overseeing cyberspace in China, the natural question of those individuals responsible for commercial entities operating in China may be simply: What does this all mean to my firm?
Again, putting aside "network operators"[7], such as telecommunications providers (fixed line and mobile), the Draft CSL makes clear that certain entities operating in "key industries" will be subject to very specific requirements. Such industries include "… energy, transportation, water conservancy, [and] finance….", as well as "public service areas such as power supply, water supply, gas supply, medical service and social security, military networks, [and] government affairs…."[8] In short, a wide variety of firms – some wholly public, some wholly private, and others with varying degrees of governmental ownership/control – will qualify as operating in "key industries" in the PRC and, as such, are likely to be deemed "key information infrastructure operators" in relation to their networks and security infrastructure.
While some of the requirements for "key information infrastructure operators" are variations on best practices for information networks and cyber security in general [9], the Draft CSL also imposes requirements on such operators which, though not always unique to the Draft CSL, would not be statutory requirements absent the Draft CSL. For instance, Article 31 stipulates that:
"key information infrastructure operators shall store citizens’ personal information and other important data gathered and produced during operations within the territory of the People’s Republic of China; due to business requirements, if it is really necessary to store such information and data outside the mainland or provide such information and data to overseas individuals or organizations, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authorities in concert with relevant departments under the State Council. If the laws and administration regulations have other provisions, those provisions shall prevail." [10]
4.3. Challenges for Foreign Companies
The official explanation attached to the Draft Cyber Security Law states that the law has been formulated in response to three critical issues:
(i) Cyber intrusions/attacks;
(ii) The illegal acquisition, disclosure and reselling of personal information;
(iii) The dissemination of information promoting or supporting terrorism, extremism, subversion of state power/China’s socialist system, and pornographic materials. [14]
The areas of interest, particularly from the perspective of foreign businesses operating in China, are in provisions that are not so directly engaged by these issues. We would highlight these as follows:
Technology regulation: Requirements for certification of catalogued "critical network equipment" and "specialized cyber security products" prior to sale in China; [11]
Co-operation with authorities: Duties to provide support and assistance in national security and criminal investigations; [12] and
Data localization: Requirements to store data gathered and produced in China on Chinese soil. [13]
We discuss each of these points in detail below.
(a) Technology Regulation
Many multinationals have been reviewing the Draft Cyber Security Law very closely with a view to understanding what it may mean for the use of foreign technology in China.
Article 19 of the Draft Cyber Security Law requires that "critical network equipment" and "specialized cyber security products" be inspected or certified by a qualified institution before they can be sold in China. An official catalogue will be issued identifying which equipment and products will specifically be subject to this rule. Critically, Article 19 refers to a "national internet information department" as the principal author of the catalogue. While the point is not free from doubt, it appears likely that the Cyberspace Administration of the State Council Information Office will lead in establishing and maintaining the certification regime.
This is an important area of focus for most multi-nationals dealing in China, not just in terms of technology companies that could be facing approval requirements, but also in terms of multinationals reliant on foreign technologies that may or may not in future be available if a necessary certification is not forthcoming. Inspections and certifications may delay a product’s entry to the market, and it also remains to be seen how invasive the proposed inspections of technology would be from the perspective of protecting valuable intellectual property.
We would note that the Draft Cyber Security Law does not contain any explicit requirements to register source code, install back-doors into communications technologies or pre-screen mobile apps, as were found in an earlier draft Anti-Terrorism Law. (For more on the draft Anti-Terrorism Law, see the Hogan Lovells client note Suppressing terrorism or stifling deployment of (foreign) technology? China’s draft Anti-Terrorism Law troubles foreign technology providers, dated 25 March 2015.)
The absence of these provisions in the Draft Cyber Security Law gives some hope that these highly controversial requirements may have been abandoned, but it is obviously not known at this stage whether such provisions, or other similar requirements for disclosure of sensitive know-how, will crop up again in further revisions to the draft or in supporting legislation to follow, especially as it relates to the categories of "critical network equipment" and "specialized cyber security products" mentioned in the draft law. [15]
(b) Co-operation with Authorities
Article 23 of the Draft Cyber Security Law requires "network operators" to provide necessary support and assistance if requested by investigating departments for reasons of national security or criminal investigation.
"Network operators", a term of art used throughout the Draft Cyber Security Law, is broadly defined and likely includes any business operating over networks and the Internet, from basic carriers to companies operating websites.
The breadth of duties to cooperate with authorities in investigations is a concern for multi-national technology service providers in particular, given the relatively small role for judicial oversight in the procedures for conducting investigations in China. There have been a number of well-publicised instances in which investigations by Chinese authorities have raised brand or public relations challenges for technology companies, and Article 23, coupled with the data localization requirements under the Draft Cyber Security Law, will be a critical area of focus for the sector. [16]
(c) Data Localization
Article 31 of the Draft Cyber Security Law requires "critical information infrastructure operators" to store personal information and other important data within China. Such information cannot be stored abroad or be provided to individuals or organisations outside China, unless it is "truly necessary" for the operation and the operator has conducted a security assessment in support of the offshore transfer. These security assessments would be carried out in accordance with measures to be jointly formulated by the state-level cyberspace administration authorities and the relevant departments of State Council. [17]
Before the CSL, only Chinese banks were required to store users’ data within mainland China. The expansion of this rule to other industries has given rise to concerns, given the free flow of information across borders in the normal conduct of business today. Even though Article 39 vaguely requires government officials to keep confidential all personal information gathered in the fulfilment of their duties, it is worth mentioning that China does not have an independent judicial review mechanism, so concerns will remain about the potential for abuse of such powers.
Companies with operations across multiple countries will potentially face new challenges triggered by these requirements. For example, some business functions such as customer services are typically provided across borders, which inevitably involves data transfers and perhaps (temporary and/or permanent) storage of some Chinese users’ personal information outside mainland China. After the CSL comes into force, such companies will need to re-evaluate their data architecture and apply for a "security assessment" prior to any cross-border transfer, the standard and content of which is not clearly defined. [19]
5. Conclusions
The Draft CSL stands as the latest in a series of new and draft laws that demonstrate a China increasingly focused on national security and stability and on the particular challenges that a digitally connected world poses for China’s aims. Against a backdrop of geopolitical tensions over cyber security and Chinese concerns about the particular position that western technology companies hold in the global technology industry, there can be no doubt that there is a much bigger picture to this draft law. [18]
[1] See Explanation of Cyber Security Law of the People’s Republic of China (Draft)
[2] China’s new national security law creates more insecurity for foreign business, 2015, Kurt Tiam, Sherry Gong, Andy Huang, Andrew McGinty, Mark Parsons
[3] As above
[4] Cyber Security Draft Law tightens grip on network security, 2015, Wang Rui, Xiao Yu, Andrew Fuller
[5] Draft CSL at Art. 6.
[6] Draft CSL at Art. 2.
[7] Draft CSL at Art. 65, which states that "Network operators refers to owners, administrators or network service providers who provide relevant services through using the network owned or administered by others, including basic telecom operators, network information service providers, operators of important information system, etc."
[8] Draft CSL at Art. 25.
[9] Draft CSL at Art. 28-29.
[10] China’s Draft Cyber Security Law Raises Potential Compliance Challenges for Firms in "Key Industries", 2015, Richard W. Wigley
[11] Draft CSL at Art. 19.
[12] Draft CSL at Art. 23.
[13] Draft CSL at Art. 31.
[14] See Explanation of Cyber Security Law of the People’s Republic of China (Draft)
[15] China’s Draft Cyber Security proposes more stringent regulation of cyberspace and personal data protection, 2015, Kurt Tiam, Sherry Gong, Nolan Shaw, Andrew McGinty, Mark Parsons.
[16] As above
[17] As above
[18] As above
[19] China’s New Cyber-security Law: Progress or A Sideways Step? 2015, Gabriela Kennedy, Xiaoyan Zhang.