[BreachExchange] The New Cybersecurity Law of China: What does it Mean for the International Market?

[Audrey McNeil]

http://www.jdsupra.com/legalnews/the-new-cybersecurity-law-of-china-
what-44529/

On 7 November, the government of the People’s Republic of China passed the
much-anticipated Cyber Security Law of China, which will come into force 1
June 2017. After first and second drafts were put out for public
consultation in June 2015 and May 2016, respectively, it was a third draft
issued in October 2016 that was ultimately passed into law.

China’s cyber history

Until the recent passing of the new Cybersecurity Law in November 2016,
regulations relating to cybersecurity in China were scattered across many
different laws, regulations and regulatory documents, e.g., Administrative
Measures on Internet Information Services (last amended in 2011), and
Telecommunications Regulations of the People’s Republic of China (last
amended in 2016). The new Cybersecurity Law, as the first comprehensive law
specifically regulating network security, contains several highlights that
may greatly influence future network-related businesses in China.

The Chinese government has stated that its key goals in passing the new law
were to better combat online fraud and to protect the nation against
Internet security threats and risks.

The new law: what we know…

The final version of the law that will come into force 1 June 2017 contains
the following key provisions:

Data localisation rule: Personal data or “important data” of Chinese
citizens, collected or produced by key information infrastructure operators
during their operations within the PRC territory, should be kept within the
borders of the PRC. Should key information infrastructure operators that
collect or produce such personal data or important data seek to transfer
such data outside of China, to do so will require a security assessment
conducted by the National Cyberspace Administration and State Council
(unless permission for the transfer is already provided under another PRC
law).
Network operations requirements: Network operations (a broadly defined term
that may catch any business that owns and operates IT networks in the PRC)
must:

◦ Make public all privacy notices

◦ Obtain individual consent for collecting and  processing personal  data

◦ Implement technical safeguarding measures, similar to those required in
North American and Europe, that include, inter alia, securing against loss
and destruction of personal data, data minimization, confidentiality, and
rights to accuracy and restriction on processing of personal data

Network security: Network operators must provide internal security
management systems that meet the requirements of a classified protection
system for cybersecurity, including:

◦ Appointment of dedicated cybersecurity personnel

◦ Retention of network logs for at least six months

◦ Reporting risks on network services and products to both users and
authorities

◦ Formulating contingency plans for network security incidents, and
reporting such incidents to the authorities

◦ Providing assistance and cooperation to public security bodies and state
security bodies to safeguard national security and investigate crimes (the
extent of which is not yet clear, especially in terms of the disclosure
that will be required of private businesses)

Security maintenance obligations: Network services and product providers
will be required to provide security maintenance for all services and
products for the full term of the contract – security maintenance cannot be
terminated within the contract term.
Government certification: Prior to being sold or produced in the PRC
market, cybersecurity products and services will be required to obtain a
government certification and/or meet prescribed safety inspection
requirements and national standards.

In addition to the above, further rules within the new law address issues
of personal responsibility for web use, requirements to comply with “real
identity” rules (requiring users to register under their legal names that
enables more effective tracking) when registering for certain services
(e.g., network access, domain name registration services), and the online
protection of minors.

In summary

Much is still unknown when it comes to the detail of the new Cybersecurity
Law and what its enforcement will be like in practice.

Many welcome the introduction of requirements that are widely championed by
data protection authorities and bodies across North American and Europe.
Others have raised concerns that this new law may also be a way for China
to flex its muscles by introducing more invasive policy and establishing
data localisation rules that provide road blocks to international
competition or, at least, create additional red tape and add significant
cost for international organisations wanting to do business within the
People’s Republic of China.

Further uncertainty surrounds exactly who will be caught by the new rules –
including new proposed criminal sanctions as well as administrative
penalties. While the new law will clearly apply to businesses and
organisations, the extent to which its terms will apply to individual
employees and officers as well as web users is unclear.

It is anticipated that the Chinese authorities will publish further
detailed and practical guidance in the upcoming months.

In the meantime, organisations that conduct business in the PRC are
strongly encouraged to start reviewing their data privacy and cybersecurity
policies to ensure compliance with the incoming law.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170120/7f1769d4/attachment.html>