10 July, 2015
The National People’s Congress Standing Committee released the draft Cyber Security Law (“CSL”) on July 6, 2015 to solicit public comments before August 5, 2015, after the first deliberation on June 26, 2015. CSL was first included in the legislative plan of the 12th National People’s Congress (which is in session from 2013 to 2018) in 2013 and has been included in the annual legislative working plan of the National People’s Congress Standing Committee since 2014; however, no further schedule for its adoption has been published.
The publication of the draft CSL is closely related to the National Security Law (“NSL”) issued on July 1, 2015. NSL, for the first time, provides for “safeguarding the national cyberspace sovereignty”, and adds cyber and information security as an important part of national security. NSL further requires the state to establish a national security review system to review matters and activities that influence or may influence national security, including those relating to network information technology products and services. The draft CSL further provides for “safeguarding the national cyberspace sovereignty” as a fundamental principle, and, for that purpose, the draft includes provisions on, inter alia, the strategy, plan and promotion of cyber security, network operation security, network information security, and alarm and emergency response systems.
Application Scope
According to the draft, CSL applies to the construction, operation, maintenance and use of the network and supervision and administration of cyber security within the territory of the PRC. “Network” includes networks and systems that are composed of computers and other information terminals and the relevant facilities and are used for the purpose of collecting, storing, transmitting, exchanging and processing information in accordance with certain rules and procedures. A “network operator”, an important subject of legal obligations under CSL, is defined in the draft as “the owners, administrators and network service providers which use the network owned or administrated by others to provide relevant services, including basic telecommunication operators, network information service providers and important information system operators (Art. 65)”.
Responsible Authorities
The draft CSL provides that the national cyberspace administration authority, namely the Cyberspace Administration of China, is responsible for the coordination of cyber security work and the relevant supervision and administration work on a national level. It further provides that the Ministry of Industry and Information Technology, the Ministry of Public Security and other relevant government departments shall be responsible for the protection and supervision of cyber security within their respective authority (Art. 6).
Legal Requirements Relating To Network Operators
The key provisions of the draft relating to network operators are summarized below.
Strengthened Network Operation Security Obligations
The draft provides various security obligations of network product and service providers, such as not installing malware in products, informing customers of security defects and bugs, and providing constant security maintenance services for their products and services (Art. 18). Key network facilities and special products used for protecting network security shall comply with the relevant national standards and compulsory certification requirements, and may only be offered for sale after being certified by the qualified security certification authority or passing the relevant security tests (Art. 19). The draft also makes classified network security protection a legal obligation of network operators, which shall adopt measures including classifying data as well as backing up key data and encrypting the same (Art. 17). Network operators are also required to provide necessary assistance and support to investigation authorities where necessary for protecting national security and investigating crimes (Art. 23).
Security Of Key Information Infrastructure Facilities
The draft provides heightened protection for the operation of key information infrastructure facilities, in particular including (a) internal organization, training, data backup and emergency response requirements (Art. 28); (b) requiring key information infrastructure facility operators to store personal information of citizens and other important data within the PRC territory, in principle (Art. 31); (c) establishing security review requirements on the procurement of network products and services by key information infrastructure operators (Art. 30); (d) annual valuation of network security risks (Art. 31). "Key information infrastructure facilities" are defined as including the base information network that provides public communication, broadcasting and television transmission services, etc., important information systems in the public service sector including water and gas supply, medical treatment and healthcare and social security, etc., military networks, government networks of state organs of cities divided into districts and higher levels, and networks and systems owned or managed by internet service providers with a significant number of users (Art. 25). However, the draft CSL provides no specific explanations as to how such definition is to be applied, for example what circumstances would be deemed as providing internet services to a "significant number of users" and what types of internet services would be included.
Strengthened Network Information Security
The draft includes requirements for network operators on the protection of personal information of users (Art. 34-Art. 38). Such requirements are primarily based on the requirements of existing laws and regulations, with a few new requirements such as notifying users who may be affected in the event of a data breach. The draft also requires network operators to record the real identity of users, to cease and prevent the dissemination of unlawful and harmful information, and to make records and report to government (Art. 20, Art. 40 and Art. 41).
Establishing Network Security Alarm And Emergency Response System
The draft requires the relevant departments of the State Council to establish a network security alarm and information report system, to establish a network security emergency response system and to formulate emergency plans. The draft also allows the State Council, or the provincial governments upon approval by the State Council, to restrict network communication for the purpose of safeguarding internet security and public order or dealing with major emergent social security accidents (Art. 44-Art. 50).
Legal Liabilities
The draft CSL provides a series of punishments for violations of the relevant provisions. Punishments, including monetary fines, suspension of business and making corrections, closing websites, repealing the relevant business permits and licenses, may be imposed on the basis of specific situations and the seriousness of violations (Art. 51-Art. 64).
Our Observations
Once adopted, CSL will be the first law in the PRC specially focusing on cyber security matters, in response to the increasingly prevalent problems such as cyber invasion and attack, information leakage, cyberspace sovereignty and security, and it will become a fundamental law of the PRC in the administration of telecommunications and the Internet. The draft CSL adopts some existing provisions on cyberspace administration, such as real identity requirements and classified data protection requirements, which were, in the past, scattered in implementing measures and rules as legal requirements.
The draft CSL also introduces certain new important concepts and requirements, such as the establishment of a network security review system, the definition of key information infrastructure facilities and related strengthened protection, and the establishment of cyber security alarms and emergency response mechanisms. Once adopted and implemented, CSL may influence the technology and Internet industries significantly, and may even impact enterprises in finance, energy, transportation, medical and health services and other public service areas. At this stage, the draft CSL is only published for public comments and is still open to public discussion and feedback from the interested parties. We will follow the development of CSL closely.
For further information, please contact:
Marissa (Xiao) Dong, Partner, Jun He
dongx@junhe.com
Clement (Kemeng) Cai, Jun He
caikm@junhe.com