China Adopts Cyber Security Law

On November 7, 2016, the Standing Committee of the National People’s Congress of China promulgated the Cyber Security Law of the People’s Republic of China (the “Cyber Security Law”) after three rounds of readings in June 2015, June and October 2016, respectively.  The Cyber Security Law will enter into force on June 1, 2017.  As early as July 1, 2015, the National Security Law of the People’s Republic of China was promulgated, expressly providing that the state shall “safeguard sovereignty and security of cyberspace in the state,” a theme that is reiterated and emphasized in Article 1 of the Cyber Security Law.  The introduction of the concept of “cyber space sovereignty” in the Cyber Security Law echoes the views of President Xi Jinping, who is also the head of the Office of the Central Leading Group for Cyberspace Affairs, and who has stated in February 2014 that “[n]o cyber safety means no national security.”  Critically, the Cyber Security Law may have global implications, as the Law applies to both Chinese and international businesses engaging in the construction, operation, maintenance or use of information networks in China.

To achieve its aim of “safeguarding sovereignty and security of cyberspace in the state,” the Cyber Security Law strengthens the protection and security of key information infrastructure and important data.  In addition to Article 37, the term of “important data” is used in Article 21 (requiring network operators to back up and encrypt the important data), but it is undefined under the Cyber Security Law.  Notably, under the Guidance of the State Council on Accelerating the Work of “Internet plus Governmental Services” (the “Guidance”) promulgated by the State Council (China’s central government) on September 25, 2016, “important data” is defined to include state secrets, trade secrets, and personal private data.  Although this definition in the Guidance does not necessarily apply to the Cyber Security Law, it could still shed some light on the scope of “important data”.  Pursuant to Article 31 of the Cyber Security Law, “key information infrastructures” refers to information infrastructures maintained by certain industry sectors (including public communication and information services, energy, transportation, water resources utilization, finance, public service and e-government affairs) which would seriously jeopardize national security and the public interest in the event that such infrastructures malfunction, or be subject to damage or data leakages.  Pursuant to Article 35, where operators of such infrastructures purchase network products or services that may impact national security, the national security review should be triggered by this procurement.  Accordingly, the Law could presenting challenges to foreign suppliers.  Further, pursuant to Article 37 of the Cyber Security Law, operators of such infrastructures would be subject to data localization requirements for personal data and important data they collect within China.  Pursuant to Article 76 of the Cyber Security Law, “personal data” refers to all kinds of information, stored in electronic or other form, which individually or in combination with other information allows the identification of a natural person’s individual identity, including but not limited to the natural person’s name, date of birth, identity card number, personally distinctive biological information, address, telephone number, etc.

Apart from the above mandatory requirements for the operators of key information infrastructures, the Cyber Security Law also imposes certain obligations on the “network operators,” which is widely defined to include owners and administrators of network, and network service providers.  Pursuant to the Cyber Security Law, among others, network operators shall (i) have cyber security protocols in place; (ii) preserve web logs for at least six months; (iii) strictly protect users’ personal data; and (iv) verify the identity of users for phone and internet services.  As to cyber security protocols, the Cyber Security Law requires network operators to put protocols in place as required by the “hierarchical protection system of network security,” which is undefined therein.  Notably, as early as June 2007, the Administrative Measures for Hierarchical Protection of Information Security were jointly promulgated by China’s Ministry of Public Security, State Secrecy Bureau and State Encryption Administration setting up China’s five-tier information security protection system supported by a series of implementing rules, guidelines, and national standards.  As to personal data protection, the Cyber Security Law requires compliance with “provisions relating to personal data protection as contained in relevant laws and regulations,” without referring to specific rules.

The Cyber Security Law will have significant impact on domestic and foreign business in several sectors in China.  It is advisable for companies in China to reassess their data management system, operational mode, and IT deployment plan in order to comply with these requirements stipulated in the Cyber Security Law, and ensure they have documentation around the implementation of security protocols.