China's New Data Protection Laws and Regulations
On 1 June 2017, the much-debated Cybersecurity Law of China (CSL) became effective. Opinions on its implications for international companies differ widely.
The Cybersecurity Law
The CSL has introduced two main changes relevant to data regulation. The first, less intrusive one, concerns the actions of any network operator. The second applies only to so-called “Critical Information Infrastructure Operators” (CIIOs).
1) Changes for all Network Operators
Set out in Articles 10, 21 and 22 of the CSL, the first major change obliges every network operator to provide a certain standard of individual privacy protection. To this end, Article 10 defines security requirements:
“When creating and operating networks or providing services through networks, technical and other necessary measures should be taken to safeguard network operations, effectively respond to cybersecurity incidents and to prevent cybercrime. These measures should also maintain the integrity, confidentiality and accessibility of network data, in accordance with the Law’s provisions and national standards.” [Art. 10 CSL]
“The state will adopt a tiered system for cybersecurity protection. Network operators are required to follow certain security procedures to safeguard networks from interference, destruction or unauthorized access, and to prevent network data from being leaked, tampered with or stolen.” [Art. 21]
“Network product and service providers that collect users’ information are required to inform and obtain consent from the users.” [Art. 22]
Compared to the changes for CIIOs, the requirements of these articles give a fairly clear picture. The only questions remaining are: who are network operators, and how can they comply with the CSL? The law itself gives an answer. Art. 76 refers to “network operators” as owners and administrators of networks and network service providers. On closer inspection, this actually includes any person or entity in China who has access to a network. But while the scope of application is very wide, the actual obligations are manageable. Network operators are obliged to ensure data availability and confidentiality and to obtain the consent of the data's owners. As to technology requirements, a network operator is required to use technologies that protect against cyber-attacks and mitigate network risks.
In this sense, the rules will not mean a significant change to companies' data policies. We would advise you to ensure that owners of personal information are informed of how long their information is published and under what conditions it is stored. For this, it is useful to have a written policy in both English and Chinese. Moreover, we advise you not to collect or publish more information than necessary. As soon as the State publishes the security procedures referred to in Art. 21 CSL, you will be able to adapt to them.
2) Changes for CIIOs
Compliance with the above-mentioned rules should not mean major expense for international companies. However, the articles concerning “Critical Information Infrastructure Operators” paint a different picture.
The core of the obligations is Art. 37 CSL: “Personal information and important data collected and generated by critical information infrastructure operators in the PRC must be stored domestically. For information and data that is transferred overseas due to business requirements, a security assessment will be conducted in accordance with measures jointly defined by China’s cyberspace administration bodies and the relevant departments under the State Council. Related provisions of other laws and administrative regulations shall apply.”
In other words, personal information gathered or generated by a CIIO is to be stored within the Chinese mainland. Data may still be transferred overseas, but only after a security assessment by the Chinese Cyberspace Security Departments. With most international companies storing all their data in a central location in another country, this rule would indeed have a great impact on data policies and would mean immense expenses. Therefore, the all-important question is: which entities fall under the definition of a CIIO? For this, we will have to look at both the CSL and the implementation regulations that have been published so far. But despite all the uncertainty, one aspect seems clear: in the end, it will be up to China’s cyberspace administrative bodies and other regulatory bodies to introduce policies that clarify the requirements for domestically stored data.
Firstly, the CSL itself outlines the scope of a CIIO. In Art. 31 it states: “Regarding cybersecurity protection, the state emphasises the protection of critical information infrastructure in public communications and information services, energy, finance, transportation, water conservation, public services and e-governance, as well as other critical information infrastructure that may cause serious damage to national security, the national economy and public interest if destroyed, functionality is lost or data is leaked.” At first glance, this very vague definition would mainly include telecom operators, Internet ISPs and cloud providers. However, the rule also applies to any other critical information infrastructure that may jeopardise national security. For a further description of what this might be, Article 31 only refers to the State Council: “the State Council will convey the scope and security protection measures for critical information infrastructure.”
Therefore, we will now take a look at the existing regulations and implementation rules. Already on May 2nd the CAC released its “Measures for the Security Review of Network Products and Services”. The regulation tries to clarify the types of network products and services that will fall under the definition of a CIIO and will therefore be subject to the security assessment. For this, the rules distinguish between entities in key sectors such as telecommunication and information services, energy, transportation, water conservation, finance, utilities and e-government, and other operators of CII. Comparing this description to the CSL, it becomes clear that the authorities have again failed to give a clear answer to the question of which entities are going to be affected. Given the ongoing uncertainty and the CAC's inability to shed light on the matter, it is possible that a phase-in period will be announced. And indeed, the CAC held a meeting on May 20th and opened discussions about an 18-month phase-in from June 2017, delaying full implementation of the law to give companies more time to comply. In this sense, it is not surprising that most companies are adopting a wait-and-see approach in their compliance preparations.
However, on July 10th the CAC published an Opinion-seeking Draft of “Critical Information Infrastructure Security Protection Regulations”, which remained open for comment until August 10th, 2017. When the regulation will actually come into effect is unclear, but it can be expected within the next couple of weeks.
Regarding the scope of application of the CSL, Article 18 of the draft provides at least some clues:
The network infrastructure and information systems operated or managed by the following work units, which whenever destroyed, cease functioning or leak data may gravely harm national security, the national economy, the people’s livelihood and the public interest, shall be brought into the scope of CII protection:
(1) governmental bodies and work units in sectors and areas such as energy, finance, transportation, irrigation, sanitation and healthcare, education, social security, environmental protection, public utilities, etc.;
(2) telecommunications networks, radio and television networks, the Internet and other such information networks, as well as work units providing cloud computing, big data and other such large-scale public information network services;
(3) research and production work units in sectors and areas such as national defense science and industry, large-scale equipment, chemistry, food, drugs, etc.;
(4) radio stations, television stations, news agencies and other such news work units;
(5) other focus work units.
Together with Article 19 (“The national cybersecurity and informatization department will, jointly with the national telecommunications management department and public security department, formulate identification guidelines for CII.”), the draft gives hope for clarification in the upcoming months. With this in prospect, it is no surprise that many international companies are still not making any profound changes.
But assuming one does fall under the definition of a CIIO, the question remains under what conditions the transfer of critical information is possible. The draft of July 10th does not answer that. However, we have worked out the most probable components your assessment should have in order to be admissible under the CSL:
a) The assessment should be done annually and before any transfer occurs.
b) It should examine the legitimate business necessity of transferring the data;
c) take into account the amount, scope, type and sensitivity of the personal/important data;
d) and ensure that consent has been obtained from the data's owners.
e) Furthermore, the law requires the data recipients to establish safety precautions to mitigate the risk of the data being retransferred or misused.
Reactions by MNCs
Having said that most international companies are still waiting for clarification before investing in Chinese data storage, there seems to be one prominent exception. The technology company and cloud provider Apple Inc. set up a new data center in China in mid-July. The company stated that all iCloud data of its Chinese customers will now be stored in the country. In this sense, Apple Inc. wants to keep its “strong data privacy and security protections in place.” Most of the media interpret this large investment as a compliance measure. As a result, reporting of Apple's move to China has triggered even more uncertainty among companies around the world. In addition, the hospitality service Airbnb published plans last year to move data to a domestic location in order to comply with the upcoming data regulation.
But regarding the major changes Apple Inc. has made so far, we should not neglect the fact that it is easily the most successful technology company in China. It therefore has a great economic interest in adapting to Chinese data policy and may not be storing its data in China for legal reasons alone. In its statement, the company also said: “The addition of this data center will allow us to improve the speed and reliability of our products and services while also complying with newly passed regulations.” Its measures can therefore be interpreted as a political and economic step to secure its market position rather than an act of legal compliance out of fear of penalties. (The same assessment would apply to its removal of VPN apps.)
Looking at other companies, the situation is regarded as less alarming. We won’t deny that the regulations are being watched closely by the MNCs, but the CSL doesn’t seem to give them any reason to act hastily. It is hard to estimate their further moves, as Microsoft declined to comment on the matter and Amazon and Tencent have not commented yet. But we will keep a close eye on their actions and statements.
The question any company will have to ask is whether it falls under the definition of a CIIO. For Apple Inc., as a cloud provider, this was quite certain. However, for most companies it is not that easy. If you are engaged in the telecommunications, transportation, energy, water supply, health care, emergency services, manufacturing or financial services sectors, we would advise you to keep an eye on the upcoming regulations and guidelines. Their publication can be expected in the next couple of weeks. Weighing all options, we assess that the best strategy is to wait for further information. The penalties might be high, but investing in data storage in China on a legal basis as unclear as the CSL involves significant risks.
ABOUT THE AUTHOR: Matthew Murphy
Matthew is a Partner in the MMLC Group. Matthew acknowledges the excellent assistance provided by German law student, Katharina König, during her internship with MMLC, in formulating this article.
Copyright MMLC Group
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.