How China’s New Cybersecurity Measures Will Affect Multinational Companies

Multinational companies with operations in China are preparing for the impact of China’s new Cybersecurity Law, in place now for four months. The Law applies to everyone who operates networks in the PRC, particularly multinational corporations. This could impact their overall IT system set-up and global outsourcing. Also left open to question is how their Chinese offices, particularly in a sensitive sector, will be able to share business data with other offices. And of great concern to multinational companies and their advisors is how to adapt internal and regulatory investigations to avoid triggering the Cybersecurity Law.

with co-authors Lei Shi and Tina Wu

The Cybersecurity Law of the People’s Republic of China took effect on 1 June 2017. The Law states that China will take steps to monitor, defend, and address cybersecurity risks and threats originating from within and outside China. It applies to the construction, operation, maintenance and use of networks as well as the regulation of cybersecurity within the PRC. It applies to both internet and individual intranets as long as there is any network-related activity taking place in the PRC.

The Cybersecurity Law distinguishes between “Network Operators” and “Critical Information Infrastructure Operators” (“CIIOs”). “Network operators” are very broadly defined and thus may cover any business which operates a website or an intranet or provides any service through a network.

In contrast, CIIOs refer to a narrower group of operators. While there has been no definitive guidance on what constitutes a CIIO, it is understood that they include organizations in specified priority industries such as healthcare, utilities and online government services. Crucially, the financial sector is also included. CIIOs are subject to additional security, procurement and other restrictions. For example, CIIOs must carry out an assessment of their facilities’ cybersecurity at least once a year and report potential risks and proposed remediation measures to the authorities. In addition, they must also ensure that any network products and services they purchase that might influence national security undergo a security review carried out by the Cyberspace Administration of China (CAC).

Data Protection

The Cybersecurity Law and its subsidiary regulations focus heavily on the protection of personal information and important data.

Personal information protected under the Cybersecurity Law includes all types of information recorded electronically that may identify a natural person, including, for example, names, dates of birth, telephone numbers and addresses. There are requirements for fair and lawful processing, for obtaining consent to collection, use and disclosure, and for technical measures to ensure data security. There is an exception for the processing of personal data on an anonymized basis for statistical purposes.

Important data, which is similarly subject to enhanced protection, is less clearly defined. Anonymized personal information, which falls outside the definition of “personal information,” may constitute important data. Important data does not have to be a state secret either. There will continue to be ambiguity pending further clarification by regulators.

Cross-border Transfers

Under the Cybersecurity Law, personal information and important data collated by CIIOs must be stored within Mainland China, and any cross-border transfer is subject to a security review.

Draft measures published in April 2017 suggested that both network operators and CIIOs would be subject to similarly stringent data export restrictions. After industry consultation, a later published draft appeared to relax certain restrictions on non-CIIO network operators.

Further Changes

The CAC has recently published a series of rules in an attempt to regulate the acts of internet users and comments posted on social media, internet forums and communities. These guidelines became effective earlier this month (October 2017). It is expected that further measures will follow such as requiring notice and consent to the use of cookies and a draft e-commerce law, providing greater protection for user data.

Pending the publication of more detailed rules (especially those on data export), the full impact of the Cybersecurity Law on multinational corporations and financial institutions is uncertain. Developments should be monitored closely and affected companies and institutions should take an active part in consultations organized by the PRC regulators. In the meantime, it is wise to prepare for a greatly expanded compliance burden.

Wendy Wysong

Wendy L. Wysong, a litigation partner with Clifford Chance, maintains offices in Hong Kong and Washington D.C.  She offers clients advice and representation on compliance and enforcement under the Foreign Corrupt Practices Act, the Arms Export Control Act, International Traffic in Arms Regulations, Export Administration Regulations, and OFAC Economic Sanctions.  She was appointed by the State Department as the ITAR Special Compliance Official for Xe Services (formerly Blackwater) in 2010.

Ms. Wysong combines her experience as a former federal prosecutor with the United States Attorney for the District of Columbia for 16 years with her regulatory background as the former Deputy Assistant Secretary for Export Enforcement at the Bureau of Industry and Security, U.S. Department of Commerce. She managed its enforcement program and was involved in the development and implementation of foreign policy through export controls across the administration, including the Departments of Justice, State, Treasury, and Homeland Security, as well as the intelligence community.

Ms. Wysong received her law degree in 1984 from the University of Virginia School of Law, where she was a member of the University of Virginia Law Review.

Contact information:

Wendy L. Wysong
Clifford Chance
28th Floor Jardine House
One Connaught Place
Hong Kong
+852 2826 3460
+852 9280 3612 (cell)


2001 K Street, NW
Washington, DC 20006
+1 202 912 5030
+1 202 290 7634