All companies incorporated within Mainland China are required to abide by the Cybersecurity Law of The People's Republic of China (PRC), which went into effect 1 June 2017. Given the complex business relationships within the international market, the Cybersecurity Law will continue to have important political, economic, and technical implications for both domestic and multinational corporations (MNC). As updated regulations and interpretations of the Law have been released since 2017, this Point of View (POV) aims to provide further insight into the Law and expand on our July 2017 white paper, China’s Cybersecurity Law and Its Impacts: Key requirements businesses need to understand to ensure compliance.
Technically speaking, the Cybersecurity Law is an “umbrella law” that encompasses a structured suite of security and privacy laws that are enforced by official sources of law. To be in compliance, companies must understand not only the Cybersecurity Law but also these supportive regulations, rules, and interpretations. This POV offers an overview of recent updates to the Law and addresses the compliance challenges that they may pose.
Overview of the Cybersecurity Law
The Cybersecurity Law integrates preexisting regulations and rules of the PRC to create a structured and statutory law addressing the following legislative objectives:
- Define the principle of cyberspace sovereignty
- Define the cybersecurity obligations of internet products and services providers
- Formulate the rules of personal information protection
- Establish a security baseline for critical information infrastructure
- Institute rules for cross-border transmission of data
The Cybersecurity Law also provides detailed articles and provisions on legal liability, prescribing a variety of penalties that include fines, certificate suspension, and revocation of permits and/or business licenses. Where criminal acts are involved, offenders will be punishable according to the Criminal Law of the People’s Republic of China. The Cybersecurity Law grants the Cyber Security Administrative Authorities (CSAA) rights and guidelines to carry out legal enforcement against illegal acts.
Affected Organisations and Updated Compliance Requirements
The Cybersecurity Law expressly applies to network operators and critical information infrastructure (CII) operators within mainland China. Since the release of its updated guidelines, more details have become available regarding compliance requirements for network operators and CIIs.
“Network operator,” as defined in the appendix to the Cybersecurity Law, could be applicable to almost all businesses in mainland China that own or administer their networks. The Cybersecurity Law may also be interpreted to encompass a wide set of industries apart from traditional information technology, internet service providers, and telecommunications companies. Therefore, it is safe to assume that any company operating its network - including websites, as well as internal and external networks - to conduct business, provide a service, or collect data in mainland China falls within the scope of “Network operator.”
Although the Cyberspace Administration of China (CAC) has yet to issue further guidance on CIIs, it has incorporated a wide range of industries, including but not limited to communications, information services, energy, transportation, utility, financial services, public services, and government services. In general, the requirements for network operators and CIIs are similar in terms of their objectives, but the requirements for CIIs are more stringent. The differences in obligations between network operators and CIIs are detailed below and organisations should take note of where they fall.
Network Operator Obligations
Critical Information Infrastructure Security
Cross-Border Data Transmission
Organisations that transmit data to overseas affiliates or headquarters must abide by data localisation requirements. To avoid violation, they should either restructure their system architecture around cross-border data transfer, or conduct assessments for approval by regulatory authorities.
While Article 37 of the Cybersecurity Law originally outlined the legal requirements on cross-border data transmission for CIIs, selected requirements under this article have now been extended to network operators.
Personal Information Protection
Chapter Four of the Cybersecurity Law focuses on the protection of personal information, which is defined within the appendix as “information recorded by electronic or other means that can be used alone or in combination with other information to identify a person, including name, date of birth, identity document number, biometrics, address details or other similar personal details.” With the release of updated guidelines in May 2019, organisations should take into account the following articles to ensure compliance with related regulations:
Compliance Challenges and Impacts
Cyber Security Law (CSL) Challenges
Given the broad scope of the law and China’s growing prominence as the world’s second largest economy, the Cybersecurity Law presents various challenges – not only for multinational companies operating in mainland China, but also for domestic companies looking to grow their business internationally.
Overall, the biggest challenge of the Cybersecurity Law is its ambiguous language and general vagueness, which make it difficult for organisations to fully understand whether or not they are in compliance. This issue becomes even more pronounced as companies work towards compliance by attempting to define work scopes, initiate remediation plans, adjust corporate processes, select technical solutions, and prepare budgets.
For example, Article 37, in reference to cross-border data transfers, states that personal and other important business data produced in mainland China shall be stored within mainland China. However, neither the Cybersecurity Law nor its supportive rules and regulations actually define the criteria of cross-border data transfers, which would affect an organisation’s strategy for compliance, from implementing technical solutions to budget planning.
What’s more, even though the Cybersecurity Law has been in effect since 2017, many of its supportive regulations and rules are still in development or in draft form.
Complexity of China’s Legal System
Another challenge comes from the complicated legal system and regulatory framework in mainland China. Besides judicial interpretation, the various sources of statutory law on cybersecurity create a complex environment for organisations pursuing compliance. For example, with the Basic Requirement for Multi-Layer Protection Schema of Cybersecurity coming into effect on 1 December 2019, business and IT operations now have to respond to various assessments, interviews, and remediation from different departments like legal counsel, compliance, audit, and IT security, in order to fulfil their compliance requirements.
Without providing all the details needed to comply with its broad scope of legal requirements, the Cybersecurity Law makes it necessary for organisations to navigate and understand all supportive regulations and rules. With more than 300 laws, regulations, rules and other legal documents, a great burden is put on an organisation’s legal counsel and compliance officers, especially since different legislative authorities, laws, regulations and rules may conflict with one another. When two laws govern the same factual situation, a law governing a specific subject matter (special laws) can override a law governing only general matters (general laws). An example of this is the cybersecurity regulation of the financial industry. The legal implications require cybersecurity personnel to have professional knowledge not only in legal affairs, but also in the industry itself.
The last, and possibly the most immediate challenge, is the cost of compliance. Costs related to compliance assessments, as well as remediation and mitigation actions after assessments, can discourage some organisations from operating in mainland China or cooperating with local business partners. Compliance, especially from a technical perspective, extends beyond the purchasing of devices and equipment or the migration of systems from one place to another. There is a great deal of time and effort involved in its maintenance, not to mention the resources needed to implement new procedures and systems to meet compliance requirements. All these add to the burden of cost for organisations wishing to operate in mainland China, and for some companies, this is simply not affordable. Officers in charge of Cybersecurity Law compliance inevitably face challenges in balancing compliance with business operations, especially with regard to budget.
Cybersecurity Law and its impact
Even before the Cybersecurity Law was enacted, legal requirements related to cybersecurity had already had an impact on companies operating in mainland China, especially within the IT and cybersecurity industry.
One such impact is the increased prevalence of companies and individuals claiming to be security specialists. On the one hand, the recent growth of the IT and cybersecurity industry as a whole has led to the emergence of specialised companies, new products, and subject matter experts, bringing more choices and support for achieving compliance with the Cybersecurity Law. On the other, organisations need to be vigilant and properly vet these new service providers, ensuring that they have the appropriate qualifications. Otherwise, companies risk receiving subpar service, developing a dangerous false sense of security and compliance where critical vulnerabilities still exist, and, worse, subjecting themselves to the additional costs of remediating inadequate security services or defective systems.
Another direct impact on organisations is the cost of non-compliance. The Cybersecurity Law provides elaborate regulations and definitions on legal liability, setting a variety of punishments, including monetary fines, suspension or removal of business licenses, revocation of permits, and criminal prosecution.