On 7 November 2016, the Standing Committee of the National People’s Congress formally passed China’s first comprehensive privacy and security regulation for cyberspace. Since the new Cyber Security Law (CSL) will come into effect on 1 June 2017, technology companies that are operating in or planning to expand to the People’s Republic of China (PRC) are well advised to adapt their IT infrastructure and data architecture to the new law. Violations of the law may, at worst, lead to high fines, website shutdowns or license revocations. Some of the most significant changes brought about by the new law are briefly outlined below.
Who Is Affected and What Is New?
The CSL applies to operators of Critical Information Infrastructures (CIIs) and network operators. A network operator is defined as an operator of basic telecommunication networks, internet information service providers and key information systems. However, it is not clear which companies qualify as operators of CIIs. The exact definition of CIIs was left to the State Council of the PRC. So far, the Council has not given any specifications.
The new law includes several important consumer protection provisions, but also some very controversial ones affecting technology companies.
Some provisions of the new law have aroused particular criticism. For example, instant messaging services and other companies qualifying as CIIs are only allowed to provide users with their full service if the users have registered under their real identities. In addition, CIIs are under an obligation to remove “prohibited content” from their service. In case of non-compliance with the latter requirement, CIIs are liable for a fine or worse. These requirements are believed to potentially restrict anonymity on the internet and to encourage self-censorship for online communication.
Under another controversial provision, companies are required to report to the relevant authorities any cyber security incidents and vulnerabilities that they have experienced and to technically support and assist the authorities on national security matters and crime investigation. However, the nature and scope of the required technical support and assistance have not been defined. Thus, it is not clear whether the process might entail the provision of confidential information.
Among all the changes, the most significant change might be the so-called Data Localization Requirement. Under that provision, CIIs are required to store personal data and other important information within mainland China. However, it is not clear whether this provision only applies to personal data of Chinese citizens or to any personal data, including those of foreigners. In the first case, companies might be required to separate the personal data of Chinese citizens from the personal data of other individuals.
A Look Ahead
The CSL brings a lot of changes in the fight against cyber security threats. However, the law should be criticized for its lack of legal certainty, mostly resulting from overly broadly formulated terms. As the CSL comes into effect in less than three months, technology companies are allowed little time to adapt to the new provisions. Compliance may in particular be of crucial importance for multinational companies with regard to the Data Localization Requirement, as cross-border data transfer may be daily business. It remains to be seen whether the legal uncertainties will somehow be eliminated by the relevant authorities. Until then, affected companies need to be very cautious.