8 December, 2016
China’s Cyber Security Law, which will take effect from 1 June, 2017, was finally adopted on 7 November. The third draft of the law, adopted by the Standing Committee of the National People’s Congress, China’s highest legislative authority, contained few changes from the second draft put forward for comment in July, 2016.
The net result is ongoing controversy coupled with uncertainty, with multi-national businesses in particular questioning the intent behind the law and criticising its vagueness. All in all, the direction of travel is towards a much more heavily regulated Chinese internet and technology sector. In this briefing, we shine a light on the aspects of the new law that are most relevant to intellectual property ("IP") law.
A Quick Recap

The Cyber Security Law’s seventy-nine articles address a wide range of issues, focusing on three main aspects:

Technology regulation: The Cyber Security Law seeks to regulate the technology that can or cannot be used in China’s cyber space;

Co-operation with authorities: The Cyber Security Law imposes duties on “network operators” to provide technical support and assistance in national security and criminal investigations and to retain weblogs for at least 6 months;

Data Localisation: The Cyber Security Law requires operators of “critical information infrastructure” to store personal information and “important data” within China, save where it is truly necessary to send this data offshore, and the offshoring arrangements have cleared a security assessment process that is yet to be defined.

Continuing Uncertainty as to Scope

Obligations under the Cyber Security Law attach to two main classes of business: “network operators” and operators of “critical information infrastructure.”
Neither of these terms is defined in any detail under the new law, leaving, as with most of China's IT and cyberspace laws, much room for speculation and interpretation by the authorities. In its press release on the Cyberspace Inspection, the CAC set out a non-exhaustive list of critical businesses within each of the critical industries identified. In relation to the telecommunications and internet sector, a wide swathe of facilities and non-facilities-based services were identified, from voice, data, basic internet networks and hubs, through to domain name resolution systems and data centre and cloud services.

IP implications of the new law

1. IT technology (software copyright or patented technology)

The new law imposes strict requirements on both domestic and foreign technology used in China's cyber space by (1) imposing a requirement of prior certification of any “critical network equipment” and “specialised security products” (this could have an impact on, e.g., anti-virus and firewall software) and (2) designating certain systems as “critical information infrastructure” that will be subject to national security reviews, with more detailed implementing regulations to be issued later by the State Council.
The concern here is whether there will be a protectionist slant to these measures that will make it difficult for foreign players to compete.

Another concern for businesses commercializing their software or other IT solutions in China is the requirement imposed upon the broad category of “network operators” to provide technical assistance to the Chinese government agencies in support of national security and criminal law investigations. It is not yet clear whether this duty to provide technical assistance includes, for instance, a duty to install software “back doors”, enabling uninterrupted access by Chinese law enforcement to data and communications. Such back doors would obviously present serious threats to confidentiality of proprietary information and trade secrets. Similarly, when analysing the black letter law, it seems that several of the world's most popular instant communication tools (and other encrypted software and IT tools) would have to adapt their encryption software for China, as end-to-end encryption would likely not be compliant with the provider's duty to provide technical assistance to the Chinese law enforcement agencies.

These measures could also lead to the creation of China-specific government approved technical standards, thereby stimulating the creation of separate patent pools for China, and could also compromise the interoperability of software and other IT systems across the globe.

2. Online content (copyright)

In the area of online content, the new law confirms and complements China's new far-reaching online publishing regulations (see our earlier briefing). The new law prohibits threatening national security by posing threats to the reputation or "interests of the state".
These concepts are obviously very much open to interpretation and government discretion, and echo the provisions of the earlier online publishing regulations, thereby further tightening the state's control over China’s media and publishing sector.

3. Personal Data

The new law contains China's first comprehensive regulation of personal data gathering and processing, and seems to draw heavily on existing US and EU data protection legislation.
The explicit regulation of personal data could constitute a marked improvement, as China's personal data protection rules were formerly spread over a patchwork of laws and sector-specific regulations. The new data protection regime can be summarized as follows: network operators collecting personal information must (i) obtain the user's consent, (ii) expressly indicate the purpose, method and scope of information collection, and (iii) limit their data collection to proportional data collection (i.e. the data collection must be appropriate, necessary and directly related to the services provided); in addition, (iv) the user has the right to correct incorrect personal data that is stored about him.
Finally, network operators must also adopt technical and other measures to ensure the security of the personal information they collect, and to prevent the disclosure, destruction or loss of such information.

Practical Next Steps

It is clear that businesses operating in China must review their technology and data protection arrangements in the light of the implications of the Cyber Security Law coming into effect on 1 June 2017.
Technology businesses will need to review their Chinese business strategies and evaluate whether or not their products and services fall within the scope of the new requirements and, if so, whether they will, for example, be subject to some form of certification or, worse still, face exclusion from the market. They also need to consider matters such as the nature of personal data collected in China and how and where this data is stored.