China’s new cybersecurity law came into effect from 1st of June 2017. The new law which was rubber-stamped by the country’s Parliament last year is part of wide-ranging efforts by Beijing to manage the internet within China’s borders. The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. As such, companies will now be required to introduce data protection measures, and sensitive data for instance, information on Chinese citizens or relating to national security must be stored on domestic servers.
The law has raised concerns among some foreign companies over greater data controls as well as increased risks of intellectual property theft. Vague terminology and absent official guidance on complying with the law have created uncertainty. While Chinese authority is saying the new cyber law is aimed preventing serious cyber attack threats and security concerns, many are arguing that it will make the operations of the foreign companies in China less secure and more expensive. Many of the accompanying rules that ought to clarify what foreign companies can and can’t do under the law remain vague, leaving businesses of all types in limbo.
Network Operations Security-
The Network Security Law introduces rules and requirements that will significantly impact individuals and entities utilizing the internet in the PRC. Critical network equipment and network security products will need to comply with mandatory national standards, and will be subject to security certification or inspection.
- Appointment of dedicated cybersecurity personnel
- Retention of network logs for at least six months
- Reporting risks on network services and products to both users and authorities
- Formulating contingency plans for network security incidents, and reporting such incidents to the authorities
- Providing assistance and cooperation to public security bodies and state security bodies to safeguard national security and investigate crimes (the extent of which is not yet clear, especially in terms of the disclosure that will be required of private businesses).
CSL does require CII operators comply with the following, in addition to the requirements for all network operators:
Annual security assessment-
According to the new law, CII operators need to review the security of their networks and assess potential risk annually. The entire process can be conducted by the companies themselves or they can engage a third-party service providers.
The new law stipulates that the personal data of Chinese citizens should be kept within the territory of China. If the key information infrastructure operators who collect or process such data would like to transfer the data outside the country, they will need to undergo a security assessment and get approval from the National Cyberspace Administration and State Council. Unauthorized collection, disclosure and receipt of a citizen’s personal information now constitutes a criminal offense.
Network security requirements-
Businesses are obliged to employ network security safeguards, such as preparing and implementing contingency plans for mitigating network security incidents, reporting possible security risks, and assisting Chinese authorities in investigating and combating cyber crimes.
Online protection of minors-
The Chinese government aims to strengthen the protection of minors in the cyberspace by obliging entities that collect personal data from minors to (1) place a warning label on their websites; (2) obtain a consent for data collection from the minors or their guardians; and (3) set rules for minors’ personal data processing
Many foreign companies are becoming increasingly skeptical of China’s promises of economic reform. But it has been noted that most of the foreign companies based in China are already accustomed to tight internet and content controls. Many have existing internal policies for information technology and data management and privacy in China. So there is no major worry and apprehension for the foreign companies as long as they are maintaining the law.