China passes controversial Cyber Security Law

Hogan Lovells
16 Nov 2016

China’s Cyber Security Law, which will take effect from June 1, 2017, was finally adopted on November 7. The third draft of the law, adopted by the Standing Committee of the National People’s Congress, China’s highest legislative authority, contained few changes from the second draft put forward for comment in July 2016 (see our briefing). The net result is ongoing controversy coupled with uncertainty, with multi-national businesses in particular questioning the intent behind the law and criticizing its vagueness. The final draft contains a number of broadly-framed defined terms that are critical to its interpretation and that continue to leave much to be resolved through detailed measures that may or may not follow. All in all, the direction of travel is towards a much more heavily regulated Chinese internet and technology sector, with an open question as to whether China’s cyber space will be truly integrated with the rest of the world in the coming years.

A quick recap

The Cyber Security Law’s seventy-nine articles address a wide range of issues, but as previously noted we see particular focus on three main aspects:

  • Technology regulation: The Cyber Security Law seeks to regulate what technology can or cannot be used in China’s cyber space, including by: (i) imposing requirements for pre-market certification of “critical network equipment” and “specialized security products”; and (ii) designating certain systems as “critical information infrastructure” that will be subject to national security reviews and detailed measures to be issued by the State Council. The concern here is whether there will be a protectionist slant to these measures that will make it difficult for foreign players to compete.
  • Co-operation with authorities: The Cyber Security Law imposes duties on “network operators” to provide technical support and assistance in national security and criminal investigations and to retain weblogs for at least 6 months.
  • Data localization: The Cyber Security Law requires operators of “critical information infrastructure” to store personal information and “important data” within China, save where it is truly necessary to send this data offshore and the offshoring arrangements have cleared a security assessment process that is yet to be defined. Revisions in the final draft broaden the scope of personal data from "citizen's person data" to "personal data", suggesting that personal information of foreigners in China will also be subject to the localization requirement, which does little to reassure foreign residents who may need to move data across borders for any number of good reasons.

Continuing uncertainty as to scope

Obligations under the Cyber Security Law attach to two main classes of business: “network operators” and operators of “critical information infrastructure.” Neither of these terms is defined in any detail under the new law, leaving much room for speculation and interpretation.

“Network operators” are defined as an “owner or manager of any cyber network and network service providers,” casting a potentially very wide net for the obligations to maintain weblogs and co-operate with authorities noted above.

“Critical information infrastructure” is ultimately left to be defined by the State Council, but the Cyber Security Law states that it covers critical infrastructure relating to critical industries, namely public communications and information services, energy, transportation, water conservancy, finance, public services, e-government affairs and other significant industries and sectors, as well as any other infrastructure whose destruction, loss of functionality or data leakage may jeopardize national security, the national economy, people’s livelihoods or the public interest. Ultimately it is a subjective test.

Following the recent inspection of critical information infrastructure carried out by the Office of the Central Leading Group for Cyberspace Affairs - often referred to as the Cyberspace Administration of China (the "CAC") - the CAC moved to define “critical information infrastructure” by reference to a three-step process: first identifying critical businesses, then identifying the information systems and industrial control systems that ensure the functioning of those businesses, and finally identifying the degree to which these businesses are vulnerable to attack in relation to specific items of infrastructure forming part of their systems.

In its press release on the Cyberspace Inspection, the CAC set out a non-exhaustive list of critical businesses within each of the critical industries identified. In relation to the telecommunications and internet sector, a wide swathe of facilities-based and non-facilities-based services is identified, from voice, data, basic internet networks and hubs, through to domain name resolution systems and data center and cloud services. A section headed “business platforms” refers to instant messaging, online shopping, online payments, search engines, e-mail, BBS, maps and audio/video services. To give context to the degree of materiality envisaged in the wake of the Cyberspace Inspection: web sites are considered to be critical information infrastructure for critical businesses if, for example, they have over one million average daily visitors or if a cybersecurity breach would affect the life and work of over one million people. Corresponding examples applicable to online platforms are 10 million yuan ($1.5 million) in direct economic losses due to a cyber security breach or the loss of personal data of one million people.

In addition to key definitions such as “network operator” and “critical information infrastructure”, the scope of certain obligations under the Cyber Security Law lacks precision in many areas. It is not clear, for example, what extent of technical assistance “network operators” will be obliged to provide in support of national security and criminal law investigations. Does this encompass, for example, directions to install “back doors” in technology that would enable uninterrupted access by law enforcement to data and communications? Similarly, what security assessment will need to be applied to proposals to offshore personal information and important business data collected or created by critical information infrastructure? These are fundamental issues for many of the foreign investors in this area.
