How China’s New Cybersecurity Measures Will Affect Multinational Companies
Multinational companies with operations in China are preparing for the impact of China’s new Cybersecurity Law, in place now for four months. The Law applies to everyone who operates networks in the PRC, particularly multinational corporations. This could impact their overall IT system set-up and global outsourcing. Also left open to question is how their Chinese offices, particularly in a sensitive sector, will be able to share business data with other offices. And of great concern to multinational companies and their advisors is how to adapt internal and regulatory investigations to avoid triggering the Cybersecurity Law.
with co-authors Lei Shi and Tina Wu.
The Cybersecurity Law of the People’s Republic of China took effect on 1 June 2017. The Law states that China will take steps to monitor, defend, and address cybersecurity risks and threats originating from within and outside China. It applies to the construction, operation, maintenance and use of networks as well as the regulation of cybersecurity within the PRC. It applies to both internet and individual intranets as long as there is any network-related activity taking place in the PRC.
The Cybersecurity Law distinguishes between “Network Operators” and “Critical Information Infrastructure Operators” (“CIIOs”). “Network operators” are very broadly defined and thus may cover any business which operates a website or an intranet or provides any service through a network.
In contrast, CIIOs refer to a narrower group of operators. While there has been no definitive guidance on what constitutes a CIIO, it is understood that they include organizations in specified priority industries such as healthcare, utilities and online government services. Crucially, the financial sector is also included. CIIOs are subject to additional security, procurement and other restrictions. For example, CIIOs must carry out an assessment of their facilities’ cybersecurity at least once a year and report potential risks and proposed remediation measures to the authorities. They must also ensure that any network products and services they purchase that might influence national security undergo a security review carried out by the Cyberspace Administration of China (CAC).
Data Protection
The Cybersecurity Law and its subsidiary regulations focus heavily on the protection of personal information and important data.
Personal information protected under the Cybersecurity Law includes all types of information recorded electronically that may identify a natural person, including, for example, names, dates of birth, telephone numbers and addresses. There are requirements for fair and lawful processing, for obtaining consent for collection, use and disclosure, and for technical measures to ensure data security. There is an exception for the processing of personal data on an anonymized basis for statistical purposes.
Important data, which is similarly subject to enhanced protection, is less clearly defined. Anonymized personal information, which falls outside the definition of “personal information,” may nonetheless constitute important data. Important data need not be a state secret either. There will continue to be ambiguity pending further clarification by regulators.
Cross-border Transfers
Under the Cybersecurity Law, personal information and important data collated by CIIOs must be stored within Mainland China, and any cross-border transfer is subject to a security review.
Draft measures published in April 2017 suggested that both network operators and CIIOs would be subject to similarly stringent data export restrictions. After industry consultation, a later published draft appeared to relax certain restrictions on non-CIIO network operators.
Further Changes
The CAC has recently published a series of rules in an attempt to regulate the conduct of internet users and the comments posted on social media, internet forums and online communities. These guidelines became effective earlier this month (October 2017). Further measures are expected to follow, such as a requirement for notice and consent for the use of cookies, and a draft e-commerce law providing greater protection for user data.
Pending the publication of more detailed rules (especially those on data export), the full impact of the Cybersecurity Law on multinational corporations and financial institutions is uncertain. Developments should be monitored closely and affected companies and institutions should take an active part in consultations organized by the PRC regulators. In the meantime, it is wise to prepare for a greatly expanded compliance burden.