China's new cybersecurity law – implications for foreign businesses
In the middle of May, the WannaCry ransomware infected hundreds of thousands of computers all over the world, and China was particularly affected. The victims of the attack were running old software that they had failed to patch. This demonstrated the need to improve IT security and processes, in particular for basic infrastructure such as power plants, transportation and hospitals. Coincidentally, on 1 June 2017, China's new Cybersecurity Law (the "CSL") came into effect to regulate cybersecurity in China and to force Critical Information Infrastructure operators ("CIIOs") to improve their IT security.
China has not had any comprehensive personal data legislation, and abuse of personal data has been all too common. The CSL contains provisions regulating the collection, use and transfer of personal data. This is another widely welcomed element of the CSL.
However, many foreign commentators have taken a rather grim view of the CSL, focusing on its negative effects on foreign businesses in China. The CSL will indeed create significant challenges; in this briefing we look at these challenges in light of the wider objectives of the CSL.
What are the objectives of the CSL?
The CSL sets out that it will "ensure network security, preserve cyberspace sovereignty, national security and the societal public interest, to protect the lawful rights and interests of citizens, legal persons and other organizations, and to promote the healthy development of economic and social exchange of information".
The term "cyber sovereignty" is frequently used by the Chinese leadership to assert the right to control the development and regulation of the internet within China. It is a challenge both to those who think that information should be allowed to flow freely across borders and to the role of foreign institutions in shaping the internet.
In summary, the aim of the CSL is to protect China's national interests in a broad sense by giving the government visibility and control over data collected in China and improving the safety and security of data generally.
Who will enforce the CSL?
The Chinese government has established a powerful and well-resourced regulator, the Cybersecurity Administration of China ("CAC"). It will monitor and enforce compliance with the CSL in conjunction with local authorities and sector-specific regulators.
What does this mean for foreign businesses within China?
A business dealing with data in China should consider the following:
- Are you a "CIIO"? CIIOs are entities managing Critical Information Infrastructure in China, such as "critical industries and fields like public communications and information services, power, traffic, water, finance, public service, electronic governance…and other critical information structure…" If you are a CIIO, you will have to, among other things, (i) localise your data and (ii) conduct yearly security assessments. The data localisation requirement will pose a huge challenge to global companies, which may have to disaggregate their China data from their global data systems.
- Are you a "network operator"? The CSL defines a network operator as "owners and administrators of networks as well as network service providers", and "networks" covers "systems comprised of computers or other information terminals and related equipment that follow certain rules and procedures for information gathering, storage, transmission, exchange and processing." The term will cover e-businesses as well as potentially any business in China which uses a network to store, process and exchange data. If you are a network operator, you will become a regulated entity and have to, among other things, (A) meet network security requirements and (B) be prepared to cooperate with the public security bodies to "safeguard national security and investigate crimes in accordance with the law".
- Have you obtained customer consent? The CSL requires network operators to obtain consent from their customers for the collection and use of personal data, and there is no express grandfathering provision. What information did you provide, and what consent did you obtain, when you collected personal data in China?
- Are the products you use certified? Under the CSL, critical network equipment and special cybersecurity products have to be certified.
There has been a flurry of detailed regulations and guidance specifying what the regulators expect from businesses. However, exactly how the CSL will be implemented and enforced is still unclear, and many businesses are still grappling with the pivotal question of their CIIO status. The lack of clarity does not justify complacency: failure to comply with the CSL can result in heavy fines as well as suspension of business, websites being taken down and business licences being revoked.
What does this mean for companies outside China that have Chinese business partners?
The CSL will affect how CIIOs conduct themselves with overseas business partners. Export of data outside China will, subject to certain thresholds, require regulatory approval, and the arrangements by which data are exchanged will have to meet the new, higher regulatory standards. This means that a Chinese business partner may be less willing to exchange information than before.
To manage their obligations under the CSL, CIIOs that exchange data with foreign parties may request the foreign party to provide necessary assistance and may ask for any agreements between the parties to contain firm undertakings in this regard. The foreign party needs to consider what the implications of agreeing to this would be.
In its risk assessment, the foreign party should also factor in the possibility that the CAC (or another regulator) will examine the CIIO and that any regulatory action may also involve the foreign party's data held by the CIIO.