
China’s new cybersecurity law will have implications for both businesses and internet users

The Coming Law

The Chinese government has passed the new PRC Cybersecurity Law which will take effect on 1 June 2017. The law is a clear indicator of an increased focus by China on data protection, and its broad scope gives cause for concern to business and data subjects alike.

The law imposes various security obligations on “network operators” and additional security obligations on “key information infrastructure operators” (KIIOs). In essence, KIIOs are operators of information infrastructures that store information, the leakage of which would seriously jeopardise national security, the livelihoods of Chinese citizens and/or the public interest. The law also requires that personal information and “important data” gathered or produced by a KIIO be transferred outside of China (excluding Hong Kong, Macau and Taiwan) only when “necessary” and subject to a security assessment by Chinese authorities.

In relation to data protection, the new law requires network operators to notify data subjects of the purpose, method and scope of collecting and using their personal information; to seek consent from data subjects before collecting, processing and disclosing their personal information; and to keep their personal information confidential. A data subject also has the right to request a network operator to delete his or her personal information where it has been illegally collected by the operator, or to amend incorrect personal information.

Penalties for non-compliance with the law include, but are not limited to, fines of up to 1 million yuan (HK$1,126,518) for network operators and 100,000 yuan for individuals, suspension of business, and revocation of operational permits or business licenses.

The Applicability of the Law

The broad definition of various terms in the law means that it is capable of applying to a wide range of businesses and organisations in China. For example, “network operator” is defined to include all network owners and administrators, and some commentators have suggested that it is broad enough to cover any business or organisation that simply owns or administers a website in China.

Similarly, “personal information” is defined to include all kinds of information that, taken alone or together with other information, is sufficient to identify a person. Such information would cover all basic information that organisations collect from their clients or employees, for example a person’s name, birth date, address or telephone number.

Great uncertainty remains as to which organisations will be deemed KIIOs. The law and subsequent publications have sought to identify several industries that may be deemed KIIOs, for example public communications, energy, transportation, hydropower and finance. It is unclear, however, whether organisations in those industries will automatically be deemed KIIOs or whether the impact of a potential security breach by such organisations must also be considered.

The Implications for Businesses and Individuals

The law has stirred anxiety among foreign businesses in China. In particular, the data localisation requirement poses problems for many international businesses needing to transfer personal information outside of China. Foreign businesses are also worried about the requirement to provide Chinese authorities with sensitive information about their networks and security codes in the name of “national security”.

While it has been suggested that many organisations operating in regulated sectors in China are already subject to similar data-protection requirements, the law will have a significant impact on non-regulated businesses. If foreign businesses want to continue operating in China, they will need to review their existing network systems to ensure compliance with the law.

The law provides substantial data protection for individuals, including the right to request that their personal information be deleted or amended, so individuals might be more relaxed about the proposed changes. Of greater concern, however, will be the requirement for internet users to log into networks using their real names, and for network operators to verify the authenticity of that information. These requirements have raised concerns that they will encourage self-censorship, a phenomenon which is arguably already prevalent in China.

While sanctions potentially await those who violate the new law, great uncertainty unfortunately remains as to how the new legislation will be enforced. It is hoped that the Chinese government will publish more detailed, practical guidance in the coming months.

This article appeared in the Classified Post print edition as Grappling with China's new cybersecurity law.