Interpretations of the Updates to China’s Cybersecurity Law
All companies[1] incorporated within Mainland China are required to abide by the Cybersecurity Law of the People's Republic of China (PRC), which went into effect on 1 June 2017. Given the complex business relationships within the international market, the Cybersecurity Law will continue to have important political, economic, and technical implications for both domestic and multinational corporations (MNCs). As updated regulations and interpretations of the Law have been released since 2017, this Point of View (POV) aims to provide further insight into the Law and expand on our July 2017 white paper, China's Cybersecurity Law and Its Impacts: Key requirements businesses need to understand to ensure compliance.
Technically speaking, China’s Cybersecurity Law is an “umbrella law” that encompasses a structured suite of security and privacy laws that are enforced by official sources of law[2]. To be in compliance, companies must understand not only the Cybersecurity Law but also these supportive regulations, rules, and interpretations. This POV offers an overview of recent updates to the Law and addresses the compliance challenges that they may pose.
Network operator obligations
| Article | Legal Requirements* |
|---|---|
| No. 8 | The State Council departments for telecommunications, public security, and other relevant organisations are responsible for cybersecurity protection, supervision, and management efforts within the scope of their respective jurisdictions. |
| No. 21 | Perform security protection duties according to the requirements of the cybersecurity multi-level protection scheme (MLPS). |
| No. 21, Sec. 3 | Adopt technical measures for monitoring and recording network operational status and cybersecurity incidents, and retain these network logs for at least six months. |
| No. 21, Sec. 4 | Adopt additional measures such as data classification, backup of important data, and encryption. |
| No. 24 | Users are required to provide real identity information when signing agreements for services. Failure to do so will result in network services being terminated or withheld. |
| No. 25 | Network operators must develop a cybersecurity incident response plan that promptly addresses system vulnerabilities, computer viruses, network attacks, network intrusions, and other cybersecurity risks, and report all incidents to the relevant departments. |
| No. 47 | Strengthen the management of information published by users, immediately terminating the transmission of illegal information and preventing the spread of disinformation. |

\* This is not an exhaustive list.
Critical information infrastructure security
| Article | Legal Requirements* |
|---|---|
| No. 34, Sec. 1 | Set up a dedicated security management body with a designated security management leader; conduct security background checks on personnel in key positions. |
| No. 34, Sec. 2 | Periodically conduct cybersecurity education, technical training, and skills evaluations for employees. |
| No. 34, Sec. 3 | Conduct disaster-recovery backups of critical systems and databases. |
| No. 34, Sec. 4 | Formulate emergency response plans for cybersecurity incidents and regularly organise drills. |
| No. 38 | Conduct an annual inspection and assessment of network security. Submit a cybersecurity report, together with proposed improvement measures, to the responsible departments. |

\* This is not an exhaustive list.
Cross-border data transmission
Organisations that transmit data to overseas affiliates or headquarters must abide by data localisation requirements. To avoid violation, they should either restructure their system architecture around cross-border data transfer, or conduct assessments for approval by regulatory authorities.
While Article 37 of the Cybersecurity Law originally outlined the legal requirements on cross-border data transmission for critical information infrastructure (CII) operators, selected requirements under this article have now been extended to network operators.

| Article | Legal Requirements* |
|---|---|
| No. 37 | Store all collected personal information and important data within mainland China, and prior to a cross-border data transfer, conduct a security assessment for approval by the relevant departments. |

\* This is not an exhaustive list.
Personal information protection
Chapter Four of the Cybersecurity Law focuses on the protection of personal information, which is defined in the appendix as "information recorded by electronic or other means that can be used alone or in combination with other information to identify a person, including name, date of birth, identity document number, biometrics, address details or other similar personal details." With the release of updated guidelines in May 2019[4], organisations should take the following articles into account to ensure compliance with the related regulations:
| Article | Legal Requirements* |
|---|---|
| No. 40 | Network operators must keep user information strictly confidential and maintain a personal information protection system. |
| No. 41 | Collection and use of personal information shall comply with all laws and regulations, require the user's consent, and be limited to purposes related to the service being provided. |
| No. 42 | Personal information shall not be disclosed, tampered with or shared with others, and security measures should be put in place to protect personal information. |
| No. 49 | Network operators shall establish network information security complaint and reporting policies, publicly disclose those policies, and promptly handle complaints and reports relevant to network information security. |

\* This is not an exhaustive list.
Compliance challenges and impacts
Cybersecurity Law challenges
Given the broad scope of the law and China’s growing prominence as the world’s second largest economy, the Cybersecurity Law presents various challenges – not only for multinational companies operating in mainland China, but also for domestic companies looking to grow their business internationally.
Ambiguity
Overall, the biggest challenge of the Cybersecurity Law is its ambiguous language and general vagueness, which make it difficult for organisations to determine whether or not they are in compliance. This issue becomes even more pronounced as companies work towards compliance by attempting to define work scopes, initiate remediation plans, adjust corporate processes, select technical solutions, and prepare budgets.
For example, Article 37, in reference to cross-border data transfers, states that personal and other important business data produced in mainland China shall be stored within mainland China. However, neither the Cybersecurity Law nor its supportive rules and regulations actually define the criteria for what constitutes a cross-border data transfer, and that definition would shape an organisation's compliance strategy, from the choice of technical solutions to budget planning.
What's more, even though the Cybersecurity Law has been in effect since 2017, many of its supportive regulations and rules are still in development or in draft form.
The complexity of China’s legal system
Another challenge comes from the complicated legal system and regulatory framework in mainland China. Besides judicial interpretation, the various sources of statutory law on cybersecurity create a complex environment for organisations pursuing compliance. For example, with the basic requirements of the Multi-Level Protection Scheme (MLPS) for cybersecurity that came into effect on 1 December 2019, business and IT operations now have to respond to assessments, interviews, and remediation requests from different departments, such as legal counsel, compliance, audit, and IT security, in order to fulfil their compliance obligations.
Because the Cybersecurity Law does not provide all the details needed to comply with its broad scope of legal requirements, organisations must navigate and understand all of its supportive regulations and rules. With more than 300 laws, regulations, rules and other legal documents, a great burden is placed on an organisation's legal counsel and compliance officers, especially since different legislative authorities, laws, regulations and rules may conflict with one another. When two laws govern the same factual situation, a law governing a specific subject matter (a special law) can override a law governing only general matters (a general law); the cybersecurity regulation of the financial industry is one example. These legal implications require cybersecurity personnel to have professional knowledge not only of legal affairs, but of the industry itself.
Cost
The last, and possibly the most immediate, challenge is the cost of compliance. Costs related to compliance assessments, as well as the remediation and mitigation actions that follow them, can discourage some organisations from operating in mainland China or cooperating with local business partners. Compliance, especially from a technical perspective, extends beyond purchasing devices and equipment or migrating systems from one place to another. A great deal of time and effort goes into ongoing maintenance, not to mention the resources needed to implement new procedures and systems to meet compliance requirements. All of this adds to the cost burden for organisations wishing to operate in mainland China, and for some companies it is simply not affordable. Officers in charge of Cybersecurity Law compliance inevitably face challenges in balancing compliance with business operations, especially with regard to budget.
In response to an increase in IT security breaches and potential uncertainties in geopolitical affairs, the Chinese government is increasingly involved in safeguarding cybersecurity regulations and protecting personal information. Companies can expect to encounter heightened audit and security compliance measures and further demands on their already over-burdened IT and cybersecurity divisions.
Protiviti works with legal counsels, compliance officers, audit executives, IT professionals and top management at companies of all sizes, public or private, to assist them with their cybersecurity needs – from strategic advice around structure and objectives, to the development and implementation of tools and processes with subject matter expertise.
[1] As defined by the Cybersecurity Law, a company is the network operator or critical information infrastructure operator.
[2] Retrieved 9 April 2020 from Legal Research Guide, China.
[3] For more information, please refer to the Criminal Law of the People's Republic of China.
[4] China issues final guideline for Internet personal information protection, ReedSmith, May 2019.