Interpretations of the updates to China’s Cyber Security Law


All companies[1] incorporated within Mainland China are required to abide by the Cybersecurity Law of The People's Republic of China (PRC), which went into effect 1 June 2017. Given the complex business relationships within the international market, the Cybersecurity Law will continue to have important political, economic, and technical implications for both domestic and multinational corporations (MNC). As updated regulations and interpretations to the Law have been released since 2017, this Point of View (POV) aims to provide further insight to the Law and expand on our July 2017 white paper, China’s Cybersecurity Law and Its Impacts: Key requirements businesses need to understand to ensure compliance.[2]

Technically speaking, the Cybersecurity Law is an “umbrella law” that encompasses a structured suite of security and privacy laws that are enforced by official sources of law[3]. To be in compliance, companies must understand not only the Cybersecurity Law but also these supportive regulations, rules, and interpretations. This POV offers an overview of recent updates to the Law and addresses the compliance challenges that they may pose.

Overview of the Cybersecurity Law

The Cybersecurity Law integrates preexisting regulations and rules of the PRC to create a structured and statutory law addressing the following legislative objectives:

  • Define the principle of cyberspace sovereignty
  • Define the cybersecurity obligations of internet products and services providers
  • Formulate the rules of personal information protection
  • Establish a security baseline for critical information infrastructure
  • Institute rules for cross-border transmission of data

The Cybersecurity Law also provides detailed articles and provisions on legal liability, prescribing a variety of penalties that include fines, certificate suspension, and revocation of permits and/or business licenses. Where criminal acts are involved, offenders will be punishable according to the Criminal Law of the People’s Republic of China[4]. The Cybersecurity Law grants the Cyber Security Administrative Authorities (CSAA) the rights and guidelines to carry out legal enforcement against illegal acts.

Affected Organisations and Updated Compliance Requirements

The Cybersecurity Law expressly applies to network operators and critical information infrastructure (CII) operators within mainland China. Since the release of its updated guidelines, more details have become available regarding compliance requirements for network operators and CIIs.

“Network operator,” as defined in the appendix to the Cybersecurity Law, could apply to almost all businesses in mainland China that own or administer their networks. The Cybersecurity Law may also be interpreted to encompass a wide set of industries apart from traditional information technology, internet service providers, and telecommunications companies. Therefore, it is safe to assume that any company operating its network - including websites, as well as internal and external networks - to conduct business, provide a service, or collect data in mainland China falls within the scope of “Network operator.”

Although the Cyberspace Administration of China (CAC) has yet to issue further guidance on CIIs, it has incorporated a wide range of industries, including but not limited to communications, information services, energy, transportation, utility, financial services, public services, and government services. In general, the requirements for network operators and CIIs are similar in terms of their objectives, but the requirements for CIIs are more stringent. The differences in obligations between network operators and CIIs are detailed below and organisations should take note of where they fall.

Network Operator Obligations

Critical Information Infrastructure Security

Cross-Border Data Transmission

Organisations that transmit data to overseas affiliates or headquarters must abide by data localisation requirements. To avoid violation, they should either restructure their system architecture around cross-border data transfer, or conduct assessments for approval by regulatory authorities.

While Article 37 of the Cybersecurity Law originally outlined the legal requirements on cross-border data transmission for CIIs, selected requirements under this article have now been extended to network operators.

Personal Information Protection

Chapter Four of the Cybersecurity Law focuses on the protection of personal information, which is defined within the appendix as “information recorded by electronic or other means that can be used alone or in combination with other information to identify a person, including name, date of birth, identity document number, biometrics, address details or other similar personal details.” With the release of updated guidelines in May 2019[5], organisations should take into account the following articles to ensure compliance with related regulations:

Compliance Challenges and Impacts

Cyber Security Law (CSL) Challenges

Given the broad scope of the law and China’s growing prominence as the world’s second largest economy, the Cybersecurity Law presents various challenges – not only for multinational companies operating in mainland China, but also for domestic companies looking to grow their business internationally.

AMBIGUITY

Overall, the biggest challenge of the Cybersecurity Law is its ambiguous language and general vagueness, which make it difficult for organisations to fully understand whether or not they are in compliance. This issue becomes even more pronounced as companies work towards compliance by attempting to define work scopes, initiate remediation plans, adjust corporate processes, select technical solutions, and prepare budgets.

For example, Article 37, in reference to cross-border data transfers, states that personal and other important business data produced in mainland China shall be stored within mainland China. However, neither the Cybersecurity Law nor its supportive rules and regulations actually define the criteria of cross-border data transfers, which would affect an organisation’s strategy for compliance, from implementing technical solutions to budget planning.

What’s more, even though the Cybersecurity Law has been in effect since 2017, many of its supportive regulations and rules are still in development or in draft form.

COMPLEXITY OF CHINA’S LEGAL SYSTEM

Another challenge comes from the complicated legal system and regulatory framework in mainland China. Besides judicial interpretation, the various sources of statutory law on cybersecurity create a complex environment for organisations pursuing compliance. For example, with the Basic Requirement for Multi-Layer Protection Schema of Cybersecurity coming into effect on 1 December 2019, business and IT operations now have to respond to various assessments, interviews, and remediation from different departments like legal counsel, compliance, audit, and IT security, in order to fulfil their compliance requirements.

Without providing all the details needed to comply with its broad scope of legal requirements, the Cybersecurity Law makes it necessary for organisations to navigate and understand all supportive regulations and rules. With more than 300 laws, regulations, rules and other legal documents, a great burden is put on an organisation’s legal counsel and compliance officers, especially since different legislative authorities, laws, regulations and rules may conflict with one another. When two laws govern the same factual situation, a law governing a specific subject matter (special laws) can override a law governing only general matters (general laws). An example of this is the cybersecurity regulation of the financial industry. The legal implications require cybersecurity personnel to have professional knowledge not only in legal affairs, but also in the industry.

COST

The last, and possibly the most immediate challenge, is the cost of compliance. Costs related to compliance assessments, as well as remediation and mitigation actions after assessments, can discourage some organisations from operating in mainland China or cooperating with local business partners. Compliance, especially from a technical perspective, extends beyond the purchasing of devices and equipment or migration of systems from one place to another. There is a great deal of time and effort involved in its maintenance, not to mention resources needed to implement new procedures and systems to meet compliance requirements. All these add to the burden of cost for organisations wishing to operate in mainland China, and for some companies, this is simply not affordable. Officers in charge of Cybersecurity Law compliance inevitably face challenges in balancing compliance with business operations, especially with regards to budget.

Cybersecurity Law and its impact

Even before the Cybersecurity Law was enacted, legal requirements related to cybersecurity had already had an impact on companies operating in mainland China, especially within the IT and cybersecurity industry.

One such impact is the increased prevalence of companies and individuals claiming to be security specialists. On the one hand, the recent growth of the IT and cybersecurity industry as a whole has led to the emergence of specialised companies, new products, and subject matter experts, bringing more choices and support for achieving compliance with the Cybersecurity Law. On the other, organisations need to be vigilant and properly vet these new service providers, ensuring that they have the appropriate qualifications. Otherwise, companies risk receiving subpar service, feeling a dangerous false sense of security and compliance where critical vulnerabilities still exist, and worse, subjecting themselves to additional costs of remediating inadequate security services or defective systems.

Another direct impact on organisations is the cost of non-compliance. The Cybersecurity Law provides elaborate regulations and definitions on legal liability, setting a variety of punishments, including monetary fines, suspension or removal of business licenses, revocation of permits, and criminal prosecution.

Protiviti Cybersecurity and Privacy Protection Services

How Protiviti Can Help

In response to an increase in IT security breaches and potential uncertainties in geopolitical affairs, the Chinese government is increasingly involved in safeguarding cybersecurity regulations and protecting personal information. Companies can expect to encounter heightened audit and security compliance measures and further demands on their already over-burdened IT and cybersecurity divisions.

Protiviti works with legal counsels, compliance officers, audit executives, IT professionals and top management at companies of all sizes, public or private, to assist them with their cybersecurity needs – from strategic advice around structure and objectives, to the development and implementation of tools and processes with subject matter expertise.


[1] As defined by the Cybersecurity Law, a company is the network operator or critical information infrastructure operator.

[2] China’s Cybersecurity Law and Its Impacts: Key requirements businesses need to understand to ensure compliance, Protiviti, 2017.

[3] Retrieved 9 April 2020 from Legal Research Guide, China.

[4] For more information, please refer to the Criminal Law of the People’s Republic of China.

[5] China issues final guideline for Internet personal information protection, ReedSmith, May 2019.