Following three readings by the National People’s Congress (NPC), the NPC Standing Committee passed China’s Cybersecurity Law on November 7, 2016. The law will go into effect on June 1, 2017 and marks the commencement of China’s “rule of law” in cyberspace. The Cybersecurity Law aims to address a wide range of cyberspace security risks at home where online fraud and cybercrime have been increasing, while providing a foundation for China to address cybersecurity in the international context.
The Cybersecurity Law focuses on three types of security – network operation security, network product security and network information security. Although China has made repeated assurances that the law would not target foreign companies, and that related regulations would be non-discriminatory and avoid nationality-based requirements, certain articles in the law challenge those assurances, potentially introducing exceedingly broad data residency requirements, restricting commercial, cross-border data exchange, mandating trade-inhibiting security reviews and requirements for ICT products and services, and requiring data sharing and technical assistance that could compromise product and network security and consumer privacy while offering limited to no security benefits.
Secure and trusted
The Cybersecurity Law calls for “secure and trusted” network products and services – similar to previous calls for “secure and controllable” or “indigenous and controllable” technology, terms that both President Xi Jinping himself and influential academics have defined in ways that advocate substituting domestic alternatives for international firms’ technologies. Recently, TC260, a standards organization under the Cyberspace Administration of China (CAC), released a batch of standards with definitions of IT “security and controllability” containing problematic mandates for source code review, data localization and cross-border flow restrictions, suggesting that localization efforts are continuing.
Recently, CAC Cybersecurity Bureau director-general Zhao Zeliang confirmed at the NPC press conference announcing the passage of the Cybersecurity Law that the terms “secure and trusted,” “secure and controllable” and “indigenous and controllable” are roughly interchangeable and refer to a scenario where: 1) users have control of their own data, 2) users have control of their own systems, and 3) providers of cybersecurity products and services with a large-scale user base in China guarantee continuous supply, maintenance and service.
However, as evidenced by the TC260 standards and recent draft requirements for banking, insurance, telecoms and healthcare, as well as China’s ambitious plans for the domestic semiconductor industry, “secure and controllable” and related terms remain problematic as they could ultimately be used to disadvantage international firms vis-à-vis local competitors in China. Between now and June 2017, we expect a number of industry regulators to publish their own “secure and controllable” rules.
Cybersecurity classified protection
Article 21 of the Cybersecurity Law calls for the State Council to oversee the creation of a Cybersecurity Classified Protection Scheme (CCPS), and states that network operators’ cybersecurity protection measures must comply with this framework. CCPS is an update to the Multi-Level Protection Scheme (MLPS) for information technology systems, which has been in place since 2007. In October 2016, the Ministry of Public Security (MPS) announced MLPS 2.0, expanding the scheme to cover cyberspace, cloud computing, big data, mobile internet, Internet of Things and industrial control.
Specifically, TC260 has published the new MLPS standards for cloud computing and mobile interconnection for public comment, targeting industry and private providers in critical areas such as finance, government, SOEs, medical services and large Internet platforms. The wide scope of this approach exacerbates concerns about a trend toward applying the scheme to commercial markets and expanding the inherently discriminatory application of MLPS to systems classified at Level 3 and above, which excludes international vendors.
Critical information infrastructure (CII)
The Cybersecurity Law devotes an entire section to CII, highlighting the significance the government attaches to its protection. Ultimately, though, the law vaguely defines CII as infrastructure that “once damaged or when losing its functions … may seriously endanger national security, the national economy … or public interests,” and leaves the responsibility for eventually defining the specific scope of CII with the State Council. Besides the persistent risk that CII could be scoped so broadly that it leads to nationality-based discrimination in commercial procurement, there are also concerns about restrictions on data flows and compliance burdens for CII operators.
Data protection
Data protection under the Cybersecurity Law refers to the protection of personal information, users’ information and business secrets. The principles of personal information protection in the law are not substantially different from those of existing laws and regulations. Some protection mechanisms, however, such as the right to delete and the right to correct one’s own personal information, are newly added.
According to Article 76, personal information refers to all kinds of information that can identify a natural person, either alone or in combination with other information, including but not limited to the natural person’s name, date of birth, ID number, personal identification information, address, telephone number, etc. In purely practical terms, considering the sophisticated ability of Big Data applications to cross-reference public information with individual data points, this language risks making the law’s data protection provisions unenforceable without undermining Big Data development in China.
According to Article 37 of the Cybersecurity Law, personal information and important data gathered or generated by CII operators from operations in mainland China must be stored in China. Information and data that need to be transferred overseas for genuine business purposes shall be subject to a security audit in accordance with measures formulated by CAC jointly with relevant departments under the State Council. Coupled with the uncertain scope of “important data” and the opaque procedures and content of such audits, companies are justifiably concerned that these security evaluations could arbitrarily increase the compliance burden on global business operations and precipitate a drop in foreign investment in China.
Technical assistance to regulators
Article 28 stipulates that network operators must cooperate with and provide technical assistance to criminal investigations. Sources suggest that CAC, MPS and related departments are closely monitoring the evolving situation in the U.S. in this regard, with an eye to potentially referencing the U.S. government’s position on required assistance, which could include encryption/decryption support, mandated backdoors, etc. Thus, if the new administration’s approach to encryption favors government access, China will likely cite this as justification for introducing similar requirements in future implementing measures.
Upcoming implementation measures
The Cybersecurity Law establishes a framework for developing a wide range of specific security rules and mechanisms, which could be restrictive or progressive. Over the coming months, we expect a high volume of new, detailed cybersecurity regulations leading up to the June 1 implementation date. If China’s lawmakers want to achieve their stated goal of effectively balancing security and development, new regulations should seriously consider industry’s opinions, comply with China’s WTO commitments and encourage the adoption of international models that support China’s development as a global hub for technology and services. This approach would also help assure international companies that China is genuine in its stated desire for an open domestic market and an equitable trading system in which companies and countries can fully and fairly participate.
The United States Information Technology Office (USITO) is an independent, non-profit, membership-based trade association, representing the U.S. information communication technologies (ICT) industry in China.