On July 6, 2015, the Chinese government released for public comment a consultation draft of a new PRC Cyber-Security Law (the Draft Cyber-Security Law). The Draft signals that Beijing is preparing to tighten its rules on domestic networks and data security, in line with its focus on reinforcing national security.
By IndraStra Global Editorial Team
The Draft Cyber-Security Law applies to the construction, operation, maintenance and use of information networks in China. The censorship regime of the Chinese government is no secret to Internet users around the world. The Draft would put that regime on an explicit statutory footing: it would legalize China's use of the Great Firewall to block access to information that the authorities say violates local law, as part of an effort to make cyberspace a more "safe and harmonious" place for Chinese citizens and their government.
Salient Features of the Draft Law and its Scope of Coverage:
According to the 15th session of the Standing Committee of the 12th National People's Congress, which conducted the initial review, the law is formulated to ensure network security; to preserve cyberspace sovereignty, national security and the social public interest; to protect the lawful rights and interests of citizens, legal persons and other organizations; and to promote the healthy development of economic and social informatization. It is intended to apply to the construction, operation, maintenance and use of networks, and to the supervision and management of networks, within the mainland territory of the People's Republic of China.
Under the Draft Law, network operators are required to comply with new and stringent cyber security obligations (cited as Chapter 7, Article 65). Specifically, network operators:
- Must establish internal cyber security management systems and operating procedures, and must adopt technical measures to prevent computer viruses, network intrusions and attacks;
- May only procure network products or services that comply with the relevant national and industry standards; suppliers of network products and services are prohibited from installing malicious programs in those products and services. Where a network operator becomes aware of a security flaw or other risk in a network product or service, it must take remedial action immediately and promptly notify affected users;
- Must verify the identity of users when providing services such as fixed-line and mobile subscriptions, Internet access and domain name registration, and may not provide those services until the user has supplied sufficient identity information (a real-name registration requirement);
- Must establish an emergency response system and have emergency plans in place. Separately, the Draft Law empowers the State Council, and provincial governments with the approval of the State Council, to restrict Internet communications where a public security emergency occurs.
In addition, the Draft Law provides that "key network equipment" and "specialized network security products" must be certified or tested by licensed security certification institutions, to confirm compliance with the mandatory requirements of the applicable national and industry standards, before they can be placed on the market.
Under the Draft Law, the cyberspace regulator, the Cyberspace Administration of China (CAC), will work jointly with other Chinese regulators to formulate and publish a catalogue of what constitutes "key network equipment" and "specialized network security products" for certification purposes. The CAC is also to promote mutual recognition of certification and testing results, so as to avoid duplicate certification and simplify the process.
Critical Information Infrastructure:
Chapter 3, Section 2 of the Draft Law provides for strengthened protection of the operation of critical information infrastructure.
Under the Draft Law, "critical information infrastructure" refers to the following:
- Basic information networks that provide services such as public communications and radio and television broadcasting (Chapter 2, Article 12);
- Important information systems in key industries such as energy, transportation, water and finance, and in public utilities such as electricity supply, water supply, gas supply, medical and health care and social security (Chapter 3, Section 2, Article 26);
- Military networks of the PRC armed forces (Chapter 3, Section 2, Article 25);
- Networks of government departments at or above city level (Chapter 5, Article 4); and
- Internet networks and systems owned or managed by network service providers with very large numbers of Internet users (Chapter 5, Article 41).
The breadth of what may constitute "critical information infrastructure" means that the Draft Law could cast a wide net over many sectors, affecting both network operators and providers of network products and services.
Under the Draft Law, operators of critical information infrastructure are subject to the following obligations, in addition to the general network security responsibilities described above:
- Procurement of network products or services that may affect national security is subject to a security review conducted jointly by the CAC and other relevant government agencies;
- Operators must enter into a security and confidentiality agreement with their suppliers of network products and services;
- Personal information and other important data collected or generated in the course of network operations in China must be stored in China. An exception is potentially available where an operator needs to store such data outside China for business purposes, but the overseas storage must first pass a security review conducted by the CAC;
- Operators must carry out an annual security review, either themselves or through a qualified third party, and must adopt appropriate measures to mitigate the risks identified.
Data Privacy and Security:
In the absence of a comprehensive data privacy law in China, the Draft Law contains provisions on personal data privacy and data protection that supplement the existing data privacy rules scattered across various administrative regulations and judicial interpretations.
The Draft Law stipulates that network operators must strengthen the protection of personal data, privacy and commercial secrets. When collecting and using personal data, network operators must follow the principles of legality, propriety and necessity. Data collectors must notify data subjects of the purpose, manner and scope of the collection and use, and must obtain the data subjects' express consent.
The Draft Law also provides that network operators:
- Must keep the personal data they collect strictly confidential (Chapter 4, Article 3);
- Must take technical and other appropriate measures to prevent data leakage or loss, and must report to the relevant authorities and notify the affected data subjects if a leak or loss occurs (Chapter 4, Article 35).
Perhaps to address concerns recently expressed by IT suppliers and network operators about requirements to file encryption details or source code with regulators, the Draft Law provides that government officials responsible for the supervision and administration of network security must keep confidential the personal data, private information and commercial secrets to which they gain access.
The Legal Aspect and Liabilities:
Businesses will be subject to liability and to a range of sanctions for breaching the requirements of the Draft Law.
For example, an operator of critical information infrastructure that stores data overseas without first undergoing the security review required by the Draft Law may face a fine of up to RMB 500,000 and suspension of its business licence.
Practical Implications:
The Cyberspace Administration of China, which also serves as the Office of the Central Leading Group for Cyberspace Affairs, was established in 2014 together with that Leading Group to advance China's cyber security and informatization strategies. Chinese President Xi Jinping has chaired the Leading Group since its creation and has repeatedly stressed that cyber security and informatization are strategic issues critical to national security and development.
The draft law may cement the Cyberspace Administration's central role in administering, coordinating and supervising cyberspace affairs, from monitoring and censoring online content to evaluating and authorizing the overseas storage and transfer of Chinese citizens' personal information (Chapter 3, Section 2, Article 31). Yet as the Cyberspace Administration's role expands, it remains unclear whether it will be subject to any form of supervision or judicial oversight.
The cyber security law may be seen as China's official response to both domestic and foreign criticism of the current fragmented and inefficient Internet control mechanism. By codifying its Internet control policies and concentrating power in a single body, China is likely to adopt a more assertive and more efficient posture in governing its domestic cyberspace.