China’s Cybersecurity Law comes into force on 1 June 2017. It is a significant piece of legislation impacting all companies operating a network in China. It covers a wide range of activities relating to cyberspace, including personal data protection and security, hacking, the prohibition of malicious software, the handling of network security emergencies, and data localisation. There are hefty penalties for breaches, including fines of up to RMB1 million (approx. US$150,000) and, for certain offences, confiscation of monies illegally obtained. In the final countdown to its launch on 1 June 2017, we have prepared a checklist of seven key points to help you ensure that you are compliance ready.
1. Check if the Cybersecurity Law applies to you and your business
Many of the Cybersecurity Law requirements apply to “network operators”, which is broadly defined as “owners of networks, administrators or managers of networks, and network service providers”. The term “network” refers to “a system that is formed by computers or other information terminals and related equipment for collecting, storing, transmitting, exchanging, and processing information according to certain rules and procedures”. Most companies or firms that operate or administer intranets, servers or other types of network systems could therefore be regarded as “network operators” under the Cybersecurity Law and would need to comply with its requirements.
2. Prepare personal data protection policies and obtain consent for collection, use and provision to third parties
All network operators must prepare personal data collection policies and/or statements setting out the purpose, manner and scope of the collection and use of any personal information, and must obtain consent from the person from whom personal information is collected for the collection and use of that information and for its provision to any other person. The personal data collection policy and statement must comply with the principles of legality, propriety and necessity. Personal information unrelated to the service provided must not be collected. Personal information must not be provided or sold to any other person, except with the consent of the person from whom it was collected, or if the data has been irreversibly anonymised. Network operators must also provide channels for handling requests for the deletion or amendment of personal information in accordance with the Cybersecurity Law. The term “personal information” is defined to cover not only information which may identify a natural person’s identity, but also information which may identify a natural person’s activities.
3. Implement security measures and keep logs of network security events
All network operators must implement security measures, categorise data, back up and encrypt important data (a term not precisely defined under the Cybersecurity Law), monitor and record the network’s operational status and the technical measures taken in relation to network security events, and maintain logs of network activities covering at least the past 6 months.
4. Report any security incidents and risks to the government
All network operators must prepare and implement cybersecurity emergency plans. In the event of a cybersecurity incident, the network operator must immediately trigger the emergency plan, take remedial measures, and report to the National Computer Network Emergency Response Technical Team at www.cert.org.cn.
5. Comply with National Standards and apply for security assessment when procuring network products and services relating to national security and critical information infrastructure
All network products and network services must comply with the relevant compulsory requirements of national standards, and must not contain malicious tools or processes. In addition, all operators of critical information infrastructure which procure network products, services and information systems that may affect national security, as well as operators of networks or information systems which procure important network products and services relating to national security, must undergo a network security assessment by the Cyberspace Administration of China (“CAC”) in accordance with the Trial Measures for Security Examination of Network Products and Services dated 2 May 2017 (the “Trial Measures”). While the Trial Measures provide that a special committee and office would be set up by the CAC to organise and conduct such security assessment and certification with the assistance of third-party institutes, the precise procedures for the assessment or certification remain unclear, as does whether the work would be undertaken by existing institutes such as the Public Security Bureau Information Security Graded Protection Assessment Center, the China Information Security Certification Center, and/or the China Information Technology Security Evaluation Center.
6. Implement data localisation and other security measures for critical information infrastructure operations
All operators of critical information infrastructure must store within Mainland China all personal information and important data collected and generated in Mainland China. Where there is a business need to provide such data outside Mainland China, a security assessment must be obtained before the transfer in accordance with the relevant regulations. As at the date of this OnPoint, those regulations have not yet been enacted: a draft regulation on security assessment for the provision of personal information and important data out of Mainland China was issued for consultation on 11 April 2017 (the “Draft Security Assessment Regulation”) and is pending approval and enactment. Until the regulations are enacted, critical information infrastructure operators must conduct a very careful analysis of compliance risks before transferring out of Mainland China any personal information or important data collected and generated there. Critical information infrastructure operators must also keep disaster backups of important systems and databases, conduct security risk assessments at least yearly, and hold regular drills of their cybersecurity emergency plans.
7. Closely monitor the data localisation requirement for potential application to network operators
The Draft Security Assessment Regulation also requires all network operators, not merely critical information infrastructure operators, to store within Mainland China personal information and important data collected and/or generated within Mainland China. Network operators should be aware that if the draft regulation is enacted in its current form, all network operators would also have to store personal information and important data within Mainland China, and the provision of such data out of Mainland China may require a security assessment under whatever regulation is finalised and implemented in the near future.