China is brewing up a cybersecurity law that could have significant impact on how data is stored and monitored there. The PRC Cyber Security Law (second consultation draft), from the Standing Committee of the National People’s Congress (NPC), outlines the goals to protect information infrastructure and data in China. Public submissions closed in August and the NPC may have a third reading with further revisions before it is put to a vote.
How the law will be put into action and interpreted will be critical for businesses to watch.
Lawyers Asialaw spoke to believe businesses should prepare for the new law by strengthening their existing information infrastructure, putting contingency plans in place and keeping in touch with regulators.
“The government faces a paradox: on the one hand it wants to control harmful material on the internet, and on the other hand it wants to boost the flow of information,” says He Fang, IP litigation partner at King & Wood Mallesons. “The actual laws will likely come into place next year since the National People’s Congress has to delegate to the State Council to formulate rules for implementation.”
“China wants to build a strong and sustainable internet network for economic security,” says Hu Ke, dispute resolution partner at Jingtian & Gongcheng. “China’s cybersecurity laws are not compatible with those in the US or Europe and there are implications, such as the crossfire between the US on cyberattacks. The cybersecurity law is a response.”
Domestic cases of wire fraud scams have been on the rise. The case of a young woman who committed suicide after falling victim to scammers who stole the tuition fees raised by her impoverished family has attracted much media attention. “The lack of clear rules and jurisprudence has resulted in these cases,” says Hu.
The draft law:
- calls for a national cyber security strategy and defence capabilities to be established (Article 4);
- says the State will take measures to monitor, defend against and deal with cyber security risks and threats from within and outside China in order to protect key information infrastructure (Article 5);
- hints at a more open cyber environment with the establishment of a multilateral, democratic and transparent cyber governance (Article 7).
Foreign technology companies that were previously only granted observer status on the National Information Security Standardisation Technical Committee have been permitted to take a more active role in rule drafting.
Concerns over the government’s increasing control over information flow stem from more scrutiny and penalties:
- All publication of information related to system vulnerabilities, such as computer viruses and network attacks, should be made according to applicable laws (Article 25), but the draft does not specify which laws those are.
- Penalties can be serious, including the temporary closure of the business and shutdown of the company’s website (Article 60).
- A controversial aspect is the potential criminal penalty of detention for up to 15 days for those engaged in activities that endanger national security (Article 26).
- Companies that breach laws may have contraventions recorded in credit files and made public (Article 68).
“A case that has attracted a lot of attention recently has been the dissemination of pornography videos on the online video player Kuaibo,” says He. The CEO of the company has been sentenced to three and a half years in jail for distributing obscene materials for personal gain. Although the company did not store the files on its own servers, it directed users to third-party servers which did.
Changes in draft
The second draft differs from the first in several ways: records from the monitoring and logging of network status and security incidents must be kept for a minimum of six months (Article 20); and the data storage requirement now emphasises that businesses are obligated to store important business information (Article 35).
“Foreign companies need to be aware of the onshore data storage requirements and will be subject to censorship. Those not willing to accept will be isolated, so a compromise is needed,” says He.
“The inclusion of data privacy aspects is critical,” says Hu. “For example, Article 41 makes sure that personal information obtained through big data that identifies who the person is should not be included.”
Meaning of critical information infrastructure
Critical information infrastructure is defined as any infrastructure that, if it were to be destroyed, lose functionality, or suffer a data breach, may pose a serious threat to national security, the social or economic well-being of the nation, or the public interest (Article 29). What counts as critical network equipment and specialised cybersecurity products will have to be defined, and such products will need to be certified by a qualified institution before they can be sold.
Businesses should prepare for the implementation of the new law by strengthening their existing infrastructure and creating contingency plans against cyberattacks. “Companies should have strong hardware systems, security plans and well drafted internal rules so that they can quickly respond to cyber leakage,” says Hu.
“It’s critical to communicate with the regulators and have open discussion channels,” says Cheng Lim, M&A partner at King & Wood Mallesons. “Foreign companies, especially those in the telecoms industry, will need to work with local partners to work around the grey areas.”
With increased societal concerns about data privacy and global cyber threats, the impact of the control of cyberspace on China’s national security is an issue that is quickly evolving. The cybersecurity law is only the tip of the iceberg.