Jian Wu Blog Post

Jian Wu

Information Privacy Law

Professor Ira Rubinstein

April 11, 2017

Title of Blog Post: China’s Cybersecurity Law Goes into Effect June 1, 2017

Article: Katherine W. Keally, China’s Cybersecurity Law Goes into Effect June 1, 2017—Are You Ready?, NACD Online (March 21, 2017), https://blog.nacdonline.org/2017/03/chinas-cybersecurity-law-goes-into-effect-june-1-2017-are-you-ready/

Blog Text:

The Cybersecurity Law of China, promulgated by the National Congress Standing Committee of China, will become effective on June 1, 2017. [1] This new Law reflects China’s desire for cyber-sovereignty and requires the network service providers in China to participate in protection of the national cybersecurity. [2]

This Law has a very broad scope and potentially far reaching effect.  Key provisions of this Law that may potentially affect multinational companies doing business in China are summarized as follows.

  1. Data localization

Article 37 of the Law requires that “Critical Information Infrastructure” (CII) operators shall store all Personal Information and other important data gathered or produced within the territory of China.  Prior government approval will be required where it is “truly necessary” for CII operators to transfer data outside the mainland for business reasons.

“CII” is broadly defined under Article 31 as “public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security.”  “Personal Information” is defined under Article 76 to cover all kinds of information that, taken alone or together with other information, “is sufficient to identify a natural person’s identity, including but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.”

Given the broad definitions of CII and Personal Information, it appears that any types of companies operating in China that are reliant on the telecommunications network for their operations or provision of services would fall into the regulation of this Law and thus, they might be prohibited to transfer data outside China without prior approval. [3]

  1. Support for Chinese security authorities

Article 28 of the Law provides that “Network Operators shall provide technical support and assistance to the public security authorities and state security authorities” for the purposes of upholding national security and investigating crimes.  “Network Operators” is defined under Article 76 as “network owners, administrators and network service providers.”  The Law does not specify the types of “technical support and assistance” required.

It is worth noting that the final version of the Law has removed the requirement under an earlier draft for a Network Operator to provide decryption assistance and backdoor access.  However, it is not clear whether in practice the authorities would direct the relevant Network Operator to provide such assistance. [4]

  1. Certified network equipment and products

Pursuant to Article 23, critical network equipment and specialized network security products must satisfy the national standards and mandatory requirements, and be safety certified before being sold or provided in China.  In other words, foreign hardware and software suppliers, although not having a presence in China, may also be subject to China’s certification regimes so long as they provide equipment/products to CII operators.

Besides the above provisions, the Law also contains various provisions devoted to personal data protection.  For instance, Article 43 grants users the right to request the network operators to delete their personal information or to make corrections, which seems to echo the “right to be forgotten” under the European regime.

Due to the broad applicability of this Law, it is envisaged that detailed implementation regulations will be issued in the near future.  On April 11, 2017, the Cyberspace Administration of China published the consultation draft of Measures for Safety Valuation on Overseas Transfer of Personal Information and Important Data to seek opinions and suggestions from the public.  [5]

[1] A full text of this law in Chinese can be found at http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm; its unofficial English translation can be found at http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en.

[2] See also Sarah Zhao and Stephanie Sun, What’s in China’s New Cybersecurity Law (Apr. 7, 2017), https://www.faegrebd.com/whats-in-chinas-new-cybersecurity-law.

[3] See also Final Passage of China’s Cybersecurity Law (Nov. 25, 2016), http://www.bakermckenzie.com/en/insight/publications/2016/11/final-passage-of-chinas-cybersecurity-law/.

[4] Id.

[5] The Chinese version of the news can be found at http://tech.sina.com.cn/i/2017-04-11/doc-ifyecezv3062359.shtml.