The newly passed Cybersecurity Law of the People’s Republic of China will take effect in June 2017, and it is expected to have a significant impact on multinationals doing business in mainland China. The law affects both domestic and foreign companies operating on the Chinese mainland and covers a wide range of activities including the use of the internet, information and communications technologies, personal data, national security and more. 

The difficulties with determining the steps needed to comply with such sweeping changes are only complicated by the fact that a large number of key terms in the law have yet to be clearly defined. As a result, China’s new Cybersecurity Law will continue to evolve as the national government interprets it. 

Here are some key provisions to follow in the coming months. 

Baseline for all network operators

Article 21 to Article 30 set a baseline of care for all “network operators.” Interpreted together with the other provisions, the term “network operator," which is undefined, may broadly include all companies that provide services and products via the internet, including network hardware and software vendors and website operators. Among other things, all network operators have the duty to enact privacy policies, designate responsible personnel and use technical measures to ensure security. While the full scope of these obligations remains to be seen, two of these articles deserve special attention:

Mandatory reporting requirements

Article 22 provides that, “When network operators discover data breaches, or data destruction or loss, they must immediately notify users and relevant authorities, and immediately remediate the issue.” The statute does not define “immediately” with any specific deadlines, nor provide any guidance on the ways to notify users and authorities. Furthermore, “relevant authorities” may include the telecommunications administrative department, the public security departments and as well as other relevant departments of the State Council. However, because data breaches can happen at any time, businesses should not take a “wait-and-see” approach before more official clarifications are issued, and it is prudent to comply with some of the other requirements discussed below. Rather, it is advisable to prepare a breach response plan now and adjust the plan accordingly once more government guidelines are issued. Such a plan should include a way to rapidly determine the scope of a breach, and to send notification to authorities and affected parties.

The duty to assist legal authorities

Article 28 states, “network operators shall provide technical support and assistance to Chinese police departments and national security agencies for their legal criminal investigations.” The law, however, does not specify what such “technical support and assistance” will entail. Foreign tech companies have raised concerns over providing “backdoor access” to comply with this provision, which is a means for the government to bypass all of the installed security methods and gain direct access to a business’ protected data. Other businesses are worried that, under certain circumstances, providing “technical support and assistance” to the Chinese government may infringe on their intellectual properties and/or their users’ privacy rights under the privacy laws of other jurisdictions. Involving legal counsel in developing a government inquiry plan is advisable for a business to provide the proper “technical support and assistance” to the Chinese government while also maintaining compliance to the IP and privacy laws in other jurisdictions in the world.

Heightened standard of care and scrutiny for critical industries

According to Articles 31 to 39, network operators in certain “critical industries” are subject to a heightened standard of care and scrutiny, above and beyond that already described. Article 31 states that these critical industries include telecommunications, energy, transportation, information services and finance. But this list is not all-inclusive; more are expected to be added to by the State Council of the People’s Republic of China in the future. However, it remains unclear if all the organizations in such industries will be subject to the heightened standard. As discussed further below, the mandatory heightened standard will require a substantial increase of compliance efforts and in monetary investments for such initiatives.

Safety assessments in IT procurement

Article 35 states, “network operators in the critical industries shall pass security inspections by government agencies for cyberspace and State Council of the People’s Republic of China before purchasing IT products and service, if a proposed purchase may affect national security.” In addition to which businesses are considered to be in “critical industries,” this provisions raises questions of what types of procurements may “affect national security” and how a company can pass a “security inspection.” Since this provision may mean an added government oversight on a multinational’s IT procurement process, it is important to monitor the interpretations of this provision by the Cyberspace Administration of China and/or the State Council of the People’s Republic of China.

The data localization requirement

One of the most controversial provisions in the new cybersecurity statute is Article 37, which contains a data localization requirement for network operators in the critical industries. Article 37 states that, “critical and personal information collected and produced by network operators in critical industries during their operations in China shall be stored within the territory of China.” This article further demands data security assessments when it is a business necessity to transfer such information outside of China. Article 37 will result in sizable new compliance investments for multinationals, which typically rely on cross-border flows of business data. Currently, it remains uncertain how this data localization requirement will be implemented due to lack of guidelines or best practices. The standard that businesses will be held to in these “data security assessments” is as yet unknown.

Some commentators expect that compliance with Article 37 might require the utilization of data centers and service providers physically located in mainland China. This is not how most businesses currently store their data, and it would be a potentially expensive change to make. For a business to comply with Article 37, a good starting point would be to map its data flow to understand where it collects and stores personal information related to individual citizens.

Noncompliance with the new Cybersecurity Law may give rise to penalties, fines, closure of websites and forfeitures of business licenses to companies doing business in China. Businesses could face the confiscation of between one and 10 times their “illegal gains” that result from the misuse of, or failure to protect, personal information. Any individual or organization has the right to report practices that “threaten” information security to various Chinese authorities. Company officials and other persons responsible for the lack of compliance will be subject to penalties and fines, with serious violations possibly even resulting in jail time. Considering that China is currently the second-largest economic power in the world, staying abreast of the developments of the new Cybersecurity Law is important for all multinational companies. The final interpretation of these provisions has the potential to greatly alter the costs and risks inherent in doing transpacific business.

photo credit: ★e via photopin