9 August, 2016
The full text of the second draft (the “Second Draft”) of the Cyber Security Law (the “CSL”) was released on July 5, 2016 to solicit public comment until August 5, 2016, after its second deliberation during the 21st session of the 12th NPC Standing Committee. The key differences between the Second Draft and the first draft of the CSL released in July 2015 (the “First Draft”) are briefly summarized below.
I. Enhanced Obligations of Network Operators
The Second Draft further imposes and specifies certain obligations of network operators, including:
(i) Network operators shall comply with laws and regulations, uphold social and commercial moral standards, perform cyber security protection obligations, accept government and public supervision, and observe social responsibility (Article 9);
(ii) The period for network operators to retain network logs is at least six months (Article 20);
(iii) Network operators providing instant message services are clearly required to verify users’ identities (Article 21);
(iv) Network operators shall cooperate with the supervision and inspection of cyberspace administrative authorities and other relevant authorities (Article 47).
II. Revision to the Definition and Protection of Critical Information Infrastructure (“CII”)
There are several major changes with respect to the definition and protection of CII. Firstly, the Second Draft removes the definition of CII with specific enumeration and leaves the specific scope of CII to the implementing regulation of the CSL to be issued by the State Council (Article 29). Secondly, the Second Draft has rephrased the scope of CII data subject to local storage requirements from “citizen’s personal information and other important data” in the First Draft, to “personal information and other important business data” (Article 35) in the Second Draft. Thirdly, the Second Draft adds that the State encourages network operators falling outside the statutory scope of CII to join the CII protection system voluntarily (Article 29). Fourthly, the Second Draft stipulates that the information obtained by the cyber administrative and other authorities from the CII protection activities shall only be used for cyber security protection purposes (Article 38).
III. Some Other Changes
The Second Draft also incorporates some other changes. For example, firstly, the Second Draft restricts the release of cyber security information regarding system loopholes, computer viruses, cyber-attacks, cyber invasions, etc. (Article 25). Secondly, the Second Draft provides that the application of big data may only be carried out on the basis of data anonymization (Article 41). Thirdly, the State promotes the opening of public data sources, and supports the development of cyber security management measures, utilization of new technologies and promotion of overall network security levels (Article 17). Fourthly, the punishments for violation of the CSL are more severe under the Second Draft.
The implications of these changes remain to be evaluated by companies in different industries and areas.
For further information, please contact:
Marissa Dong, Partner, Jun He
dongx@junhe.com