FEATURED | A Brief on China’s Cyber-Security Draft Law
IndraStra Global

By IndraStra Global Editorial Team

On July 6, 2015, the Chinese government released for public comment a consultation draft of a new PRC Cyber-Security Law (the Draft Cyber-Security Law). The Draft signals that Beijing is preparing to tighten its rules on domestic networks and data security, in line with its focus on reinforcing national security. The Draft Cyber-Security Law applies to the construction, operation, maintenance and use of information networks in China. Many Internet users around the world are aware of the censorship regime of the Chinese government; this is not a well-kept secret. A new cyber security draft law may change this. The law would legalize China’s use of the Great Firewall to block access to information that authorities say violates local law, as part of an effort to make cyberspace a more “safe and harmonious” place for Chinese citizens and their government.

Salient Features of the Draft Law and its Scope of Coverage:

According to the 15th Standing Committee of the 12th National People's Congress, which performed the initial review, this law is formulated to ensure network security; to preserve cyberspace sovereignty, national security and the societal public interest; to protect the lawful rights and interests of citizens, legal persons and other organizations; and to promote the healthy development of economic and social informatization. It is intended to apply to the construction, operation, maintenance and usage of networks, as well as the supervision and management of networks within the mainland territory of the People's Republic of China.

Under the Draft Law, network operators are required to comply with new stringent obligations in connection with cyber security under Chapter 7, Article 65. Specifically, network operators:

  • Must formulate an internal cyber security system and operation protocols and must adopt strong technical measures in order to prevent computer viruses and cyber invasions and attacks;

  • Can only procure network products or services that comply with the relevant national and industry standards, and the suppliers of network products and services are prohibited from installing any malicious computer programs within such products and services. Where network operators are aware of any security flaws or other risks in network products or services, they must take responsive action immediately and promptly notify affected users;

  • Are obliged to verify the identity of users when providing services such as land-line and mobile subscription, Internet access and domain name registration. Network operators are prohibited from providing such services until a user has sufficiently disclosed its identity;

  • Must set up an emergency response system and have emergency plans in place. The Draft Law empowers the State Council, and provincial governments upon approval by the State Council, to restrict Internet communication where public security emergencies occur.

In addition, the Draft Law provides that ‘key network equipment’ and ‘specialized network security products’ must be either certified or tested by licensed security certification institutions (in order to ensure compliance with mandatory requirements under applicable national and industry standards) before such equipment or products can be put onto the market.

According to the Draft Law, a cyberspace regulator (the Cyberspace Administration of China (CAC)) will work jointly with other Chinese regulators in order to formulate and publish a catalog of what will constitute ‘key network equipment’ and ‘specialized network security products’ for certification purposes. CAC will also promote the recognition and simplification of the certification process.

Critical Information Infrastructure:

Chapter 3, Section II of the Draft Law provides for strengthened protection in relation to the operation of crucial information infrastructure facilities.

According to the Draft Law, ‘Critical Information Infrastructure Facilities’ refers to the following:

  • Basic information networks that provide services such as public communications and radio and television broadcasts; / Chapter II, Article 12

  • Crucial information systems for key industries such as energy, transportation, water, financial institutions and public utilities (such as electricity supply, water supply, gas supply, medical/health-care and social security); / Chapter 3, Section II, Article 26

  • Military networks for the PRC military; / Chapter 3, Section II, Article 25

  • Networks of governmental departments at or above city level; and / Chapter 5, Article 4

  • Internet networks and systems owned or managed by network service providers with massive numbers of Internet users. / Chapter 5, Article 41

The wide scope of what could constitute ‘Crucial Information Infrastructure Facilities’ means that the Draft Law could cast a wide net over a broad range of sectors, and both network operators and network products and services providers will be affected.

Under the Draft Law, operators of ‘crucial information infrastructure facilities’ are subject to the following obligations (in addition to the general network security responsibilities already described):

  • Procurement of network products or services that may give rise to national security concerns will be subject to a security review jointly conducted by CAC and other relevant governmental agencies;

  • Operators must enter into a security and confidentiality agreement with suppliers of network products and services;

  • Where operators collect or generate personal information or other important data in the course of network operation in China, such information or data must be stored in China, subject to an exception. That exception is potentially available where an operator wishes to store such information or data outside China for business purposes, but in such a case such storage must first be approved by a security review conducted by CAC;

  • Operators of crucial information infrastructure facilities must conduct an annual security review either by themselves or by appointing a qualified third party and must adopt proper measures for security risk mitigation.

Data Privacy and Security:

In the absence of a comprehensive data privacy law in China, the Draft Law contains certain provisions in relation to personal data privacy and data protection to supplement existing data privacy rules which are scattered in various administrative regulations and judicial interpretations.

The Draft Law stipulates that network operators must improve protection for personal data, privacy and commercial confidentiality. Where network operators collect and use personal data, they must follow principles of legality, propriety and necessity. Data collectors must notify data subjects of the purpose, manner and scope of data collection and usage, and express consent must be obtained from the data subjects.

The Draft Law also provides that network operators:

  • Are obliged to safeguard the secrecy of personal data collected; / Chapter 4, Article 3

  • Must take technical and other appropriate steps to avoid data leakage or loss (reporting to relevant authorities and notification to data subjects are required in case of data leakage or loss). / Chapter 4, Article 35

Perhaps in order to address concerns recently expressed by IT suppliers and network operators that are required to file their network encryptions or source codes with regulators, the Draft Law provides that governmental officials in charge of supervision and administration of network security must protect the secrecy of personal data, privacy and confidentiality of information to which they have access.

The Legal Aspect and Liabilities:

Businesses will be subject to liability and to various sanctions for breach of the requirements under the Draft Law.

For example, an operator of crucial information infrastructure facilities may face a fine of up to RMB 500,000, and suspension of its business license, if it stores data overseas without first undergoing the security review as required under the Draft Law.

Practical Implications:

The Cyberspace Administration, or the Office of the Central Leading Group for Cyberspace Affairs, was set up in 2013 with the aim of enhancing China’s cyber security and informatization strategies. Chinese President Xi Jinping has since served as its chairman and has on many occasions stressed that cyber security and informatization are significant strategic issues that are critical to national security and development.

The draft law may cement the Cyberspace Administration’s central leadership in administering, coordinating and supervising cyberspace affairs, from monitoring and censoring online content to evaluating and authorizing the overseas storage and transfer of Chinese citizens’ personal information (Chapter 3, Section II, Article 31). However, with the enhancement and expansion of the Cyberspace Administration’s role, it is unclear whether it will be subject to any form of supervision or judicial oversight.

The cyber security law may be seen as China’s official response to both domestic and foreign criticisms of the current chaotic and inefficient Internet control mechanism. By codifying the Internet control policies and concentrating power in one body, China is likely to adopt a more aggressive posture, and to act with more efficiency, in governing the domestic cyberspace.