China Cybersecurity And Data Protection: Review Of 2020 And Outlook For 2021.

Reminder of legal obligations
 

Under Article 21 of the Cyber Security Law, network operators are required to implement the multi-level protection scheme for network security. Under this scheme, each network operator must be assessed and graded according to the security protection level applicable to it. This will determine the set of security protection obligations that it must comply with.
 

A network operator’s security obligations include, among others:
 

In particular, Articles 31 to 39 impose more stringent obligations, including a data localisation requirement, on selected network operators of critical importance to state security or the national economy or public interest. These are known as critical information infrastructure (CII) operators. In July 2017, the Cyberspace Administration of China (CAC) published draft regulations on the protection of critical information infrastructure, which have yet to be enacted (please click here for our analysis on the draft regulations).

Under Articles 56 and 59, in the event of a breach of the security protection obligations, the competent authorities may (i) demand a meeting with the legal representative of the network operator; (ii) order rectification; (iii) issue warning letters; and (iv) impose a fine on the network operator and the person directly responsible for the breach. In serious cases, criminal penalties could arise. The Ministry of Public Security, namely the police, and its cyber police arm are charged with enforcing the regulations.
 

Regulatory developments
 

1.    MLPS 

The National Information Security Standardisation Technical Committee (TC260), the body responsible for drafting cybersecurity standards, continues to supplement the framework of standards for the MLPS, publishing the Guide for MLPS Grading in April 2020, among others. With the framework of standards being established, the Ministry of Public Security (MPS) is strengthening enforcement. In September 2020, the it released a guidance opinion urging the ministries and organisations of the central government and centrally-owned enterprises to step up their implementation of the MLPS and protection of CII
 

2.    CII
 

The authorities have yet to make any further progress in clarifying the protection regime governing CII. The guidance opinion urges the relevant ministries to draft rules for identifying CII in their respective industries or sectors and to take charge in identifying the CII and filing details with MPS. MPS’ role includes designing, implementing and establishing the overall protection scheme.
 

Enforcement developments
 

Whilst historically penalties for failing to implement the MLPS were usually triggered by investigations into security breaches (such as hacker intrusion), in 2020 we saw cases where the police conducted routine checks resulting in penalties for entities that had not implemented the MLPS. Inspection activities by local police relating to the MLPS have also been increasing.
 

Outlook for 2021
 

Establishing the framework for MPLS standards has cleared the obstacle preventing large-scale implementation of the scheme. We expect implementing regulations for the MLPS to be published in 2021, which will likely be coupled with more wide-sweeping enforcement campaigns. Whilst is unclear whether the authorities will offer more clarity on CII regulation, it is now clear that the industry and sector regulators will be responsible for drafting the rules. It remains to be seen which regulator will be the first to do so. Before that, however, we expect the long over-due regulations on the protection of CII to be published.