Aug 15, 2017
On June 1, 2017, China’s Cybersecurity Law (the “Cybersecurity Law”)1 came into effect, marking a step up in the People’s Republic of China (“PRC”) government’s assertion of control over online personal and proprietary information of Chinese persons.2 The Cybersecurity Law requires network operators to obtain users’ consent before collecting their personal information, and requires operators of critical information infrastructure to store personal information and other important data collected or generated in Mainland China on servers located in Mainland China. The practical implication is that many internet service providers must establish and maintain data storage facilities in Mainland China – an expensive proposition – and face limitations on their ability to transfer information held on those servers overseas.
The purported goals of the Cybersecurity Law, as set forth in the law itself, are to safeguard China’s cyberspace sovereignty, national security interests and societal public interest, to protect the lawful rights and interests of its citizens, legal persons and other organizations, and to promote the healthy development of economic and social informatization.3
Versions of the Cybersecurity Law were contemplated for almost three years prior to its final adoption at the 24th session of China’s Standing Committee of the 12th National People’s Congress on November 7, 2016. Despite a proposal submitted by more than 40 foreign business entities requesting the postponement of its effective date,4 the law took effect as scheduled on June 1, 2017.
While not every provision of the Cybersecurity Law applies to every business operating online in China, the law was drafted to reach a fairly large swath of internet product and service providers. Many of its most significant provisions, however, apply only to companies that fit the description of “network operators” or of operators of “critical information infrastructure” (“CII operators”).
Network operators are defined as “network owners, managers and network service providers,”5 which includes telecom operators and internet firms but could also include banks, financial services institutions and other entities whose business depends on collecting personal information about their users while providing a service through an online platform. The definition of CII operators is less clear-cut. Article 31 of the Cybersecurity Law, however, sets forth the sectors considered to involve critical information infrastructure, including “key … public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security, national welfare and the people's livelihood, or the public interest, on the basis of their tiered protection system.”6
Thus, the definitions of these two types of entities cast a wide net. Network operators may include not only operators in the communications and internet sectors, but also those who operate or host email, online video, blogs, ecommerce platforms, instant messaging systems and even ordinary company websites, thereby encompassing many business sectors. Network operators are required to follow strict rules relating to data collection and monitoring, and to cooperate with public security and state security authorities in those efforts, including activities to preserve national security and investigate crimes. These requirements are vague and could prove invasive, depending on how they are enforced.
For CII operators, additional and even stricter obligations apply. Among other things, CII operators must meet data localization requirements, under which personal information and other important data gathered or produced by such operators within Mainland China must be stored within Mainland China. The term “other important data” is not defined, so detailed implementation rules are needed before companies can fully comply. Foreign-owned CII operators in China may find this aspect of the law difficult to comply with: not only must they establish data storage facilities on the mainland, but they are also restricted in their ability to transfer certain types of data outside Mainland China.
Non-Chinese companies operating in China are more likely to transfer information outside of China, owing both to the nature of their businesses and to the general flow of information to their overseas corporate headquarters. As a result, establishing a system that complies with the Cybersecurity Law may be quite burdensome for foreign entities doing business in China. Some large multinationals doing business in China have already taken steps to comply. In December 2016, Airbnb announced that it had begun storing data for its Chinese users on servers in China. Other multinational giants, including Uber, Evernote, LinkedIn and Apple, have announced that they have done the same.7
While compliance with the Cybersecurity Law is expected to be costly but manageable for large multinational companies, it may be unduly burdensome for small to mid-sized companies. Thus, for many international companies operating in China or looking to do business there, the new Cybersecurity Law is viewed as a new barrier to entering or maintaining operations in the PRC. China’s anti-terrorism law, which took effect on January 1, 2016, requires tech companies operating in China to provide decryption assistance to PRC authorities on demand, a requirement that replaced the draft law’s original demand that tech companies hand over encryption keys or build backdoors into their computer systems. As with that law, it is feared that the new Cybersecurity Law may be another means of conducting cyber espionage by allowing authorities to gain access to international firms’ proprietary intellectual property, information and information systems.
There are many unknowns about how the Cybersecurity Law will be implemented and enforced, and how it will affect the overall market for businesses operating in China. In early August, Chongqing’s Public Security Bureau issued a warning to a local internet data center company for failing to retain user login logs (the law requires network operators to keep network logs for at least six months), ordering the company to rectify the deficiency within 15 days.8
Just last week, local branches of the Cyberspace Administration of China (one of the agencies charged with enforcing the Cybersecurity Law) launched investigations into Baidu Inc., Weibo Corp. and Tencent Holdings Ltd. over user-generated content “laden with ‘violence, porn, rumors’” that the regulator said disrupts social order.9 In addition, the PRC government has shut down some live streaming services and websites, which has been perceived as a tightening of regulations surrounding internet access.10 One may question whether such crackdowns are really anything new, however, since internet content in China has long been closely monitored and subject to government censorship.11 The Chinese government’s true intent will become clearer only as enforcement actions are actually brought: which actions are pursued, whether they concern the storage and use of users’ personal data and information, and whether and how they are brought against foreign internet service providers.
Laws regulating personal information privacy and network security have long existed in other countries and regions, including the U.S. and the EU. Russia implemented a data localization law quite similar in effect to the Cybersecurity Law in 2015.
For our clients operating or looking to operate in China, it is essential to work with legal professionals to determine whether your Chinese business operations meet the definition of network operators or CII operators, or otherwise fall within the scope of the Cybersecurity Law. While detailed implementation guidelines have yet to be published, observing how and against whom the PRC and local governments bring Cybersecurity Law enforcement actions or investigations, including the scope and nature of each action, can help clarify the PRC government’s intentions and guide the actions our clients should take or avoid.
In the meantime, CKR Law will continue to monitor developments surrounding China’s Cybersecurity Law. Should you have any questions or desire further insight, feel free to contact our New York-based China Law team, including Partners Jeffrey A. Rinde (email@example.com), Jing Li (firstname.lastname@example.org) and Megan J. Penick (email@example.com), and Associate Joy Xiao (firstname.lastname@example.org), at (212) 259-7300.
DISCLAIMER: This article is not intended to provide legal or tax advice, and no legal, tax, or business decision should be made based on its contents.
1For an unofficial translation of the Cybersecurity Law, visit https://www.chinalawtranslate.com/bilingual-2016-cybersecurity-law/?lang=en.
2Here, Chinese persons include individuals, legal persons and organizations within Mainland China.
3See Article 1 of the Cybersecurity Law.
4Wee, Sui-Lee, “China’s New Cybersecurity Law Leaves Foreign Firms Guessing,” The New York Times, June 1, 2017, available at: https://cn.nytimes.com/business/20170601/china-cybersecurity-law/en-us/.
5See Article 76(3) of the Cybersecurity Law.
7Horwitz, Josh, “A key question at the heart of China’s new cybersecurity law: where should data live?” Quartz, June 7, 2017.
8See report in Chinese on the official website of the Chongqing Municipal Public Security Bureau http://www.cqga.gov.cn/jfzx/53137.htm.
9“Chinese Regulator Launches Probe Into Tencent, Weibo and Baidu,” Bloomberg News, August 11, 2017, available at: https://www.bloomberg.com/news/articles/2017-08-11/chinese-regulator-starts-probe-into-tencent-weibo-and-baidu.
11Bennett, Isabella, “U.S. Internet Providers and the ‘Great Firewall of China,’” Council on Foreign Relations, February 23, 2011.