30 July, 2015
China's National People's Congress issued the first draft of cyber security law (the "Draft") for public consultation on 6 July 2015. The legislation is intended to "safeguard China's cyber sovereignty", enhance the security of China's networks (particularly critical information infrastructure) and promote the protection of personal information. The Draft remains open for comment until 5 August 2015.
The regulation of Chinese cyber security dates back to 1994 when the State Council first issued the Regulations on Protection of Computer Information System Security ("Order 147"), which charged mainly the Ministry of Public Security (MPS) with responsibility for information systems. The State Council in 2003 and 2012 issued official opinions to increase information security. In 2007, the MPS, the National Administration for Protection of State Secrets (NAPSS) and the State Encryption Administration (SEA), led by the State Council, introduced a Multi-Level Protection Scheme (MLPS), which detailed the criteria and requirements for protection of information systems at different levels.
Since the 3rd plenum session of the 18th Central Committee of the Communist Party of China, cyber security has been given unprecedented priority, with the Central Leading Group for Cyberspace Affairs (the "Leading Group") established in February 2014 overseeing cyber security and information technology. The group is headed by President Xi himself and consists of high-ranking officials, including ministers of major ministries. The functions of the Leading Group are discharged by the Cyberspace Administration of China (CAC), a branch of the State Council.
The Draft follows hot on the heels of a new National Security Law effective on 1 July 2015. The National Security Law declares cyberspace to be part of China's national security interest and requires core network and information technology, critical infrastructure, and information systems and data of important sectors in China, to be "secure and controllable".
The Draft appears to be aimed at addressing some of the national security concerns that prompted the passage of the National Security Law, particularly the need to control China's critical information infrastructure. In the explanatory note attached to the Draft, Chinese lawmakers have indicated that they consider the Draft to be an "urgent matter".
Critical information infrastructure
"Critical information infrastructure" is defined broadly under the Draft to include:
information networks that provide the foundation for public telecommunications, broadcasting and television transmission and other services;
important information systems in important industries such as energy, transportation, water conservancy and finance and public utilities such as power supply, water supply, gas supply, medical hygiene and social security;
government networks for authorities at the municipal (cities which have districts) or higher levels; and
networks and systems owned or administered by network service providers with large numbers of users.
The effect of this broad definition is to strengthen scrutiny by the state in extensive sectors, particularly those in relation to national interest and people's livelihood. Large social media (such as Weibo, WeChat, etc.) may also be caught by the definition, and thus be subject to stricter regulation.
Protection of network products, service and operation safety
The Draft sets out various safety obligations for network products and service providers. For example, network products and service providers are prohibited from setting up malicious programs and must notify users of defects and bugs in a timely manner.
The Draft also upgrades the current MLPS into law, requiring network operators to take corresponding management measures and technical precautionary measures to maintain safety on a network.
The Draft indicates that the state will provide key protection for critical information infrastructure. This involves critical information infrastructure operators being required to sign safety and confidentiality agreements for the purchase of network products and services. If such purchases are considered to affect national security, then a safety review must be conducted by government authorities.
There is no general principle or guidance provided under the Draft in relation to the proposed safety review. The detailed measure of the safety review will be separately promulgated by the State Council. This has led to concerns particularly from foreign technology companies that China may seek to impose increasingly intrusive measures on foreign technology firms operating in China.
Protection of personal data safety
The Draft sets out specific provisions for the protection of personal data. In particular, network operators must comply with the principles of legality, legitimacy and necessity when collecting and using citizen's personal data. They must also explicitly disclose the purposes, methods and scope of collecting and using the information, and obtain the consent of the individuals.
Network operators must keep strictly confidential the collected personal data and cannot reveal, manipulate, or destroy such information or sell or illegally provide such information to others. More broadly, individuals and organization are prohibited from stealing or obtaining personal data in other illegal ways, or selling or illegally providing such information to others.
With respect to personal data collected from or arising out of the operation of critical information infrastructure, operators are required to store the personal data in China. If such information is actually required to be stored outside China or provided to overseas organizations or individuals, a security assessment must be carried out.
While the personal data protection measures reflect general principles under current laws and regulations, the new requirement on data storage is likely to cause legal and technical implications to the critical information infrastructure operators, particularly those whose servers are located outside China. Those needing to relocate servers into China might be subject to further data disclosure requirements.
The Draft establishes a real-name registration system for networks in China. Specifically, network operators, when handling the network access, domain name registration service, network connection formalities for telephone or mobile phone for users, and information dissemination service, must require users to provide their true identity at the time of the agreement for or confirmation of the services.
If users do not provide their true identity, network operators must not provide relevant services to such users. Network operators and government authorities are also granted certain obligations and powers to deal with illegal network information.
Early warning for surveillance and emergency response
The Draft proposes that the state will establish an early warning system for surveillance of network safety and information notification and reporting systems. If a network safety event occurs, the government authorities must immediately initiate the emergency plan, investigate and evaluate the events, require network operators to take necessary measures, and release warning information to the public in a timely manner.
Notably, in the event of a serious emergency, the government may restrict or take other interim measures on the network communication in certain regions in order to maintain state security and social public order. In the absence of specific definition and scope of "serious emergency on social security", and with the broad meaning of state security and social public order, this has given rise to concern that Chinese government may take interim measures on its own discretion.
The Draft sets out specific penalties for non-compliance, particularly for illegal acts of network operators. The administrative fines to be imposed on non-compliance activities are up to one million RMB.
3. OUR OBERVATIONS
First national law on cyber security
This is the first attempt of China to enact a national law on cyber security. Currently, rules on cyber security are scattered in a number of regulations and orders published by various ministries and departments. It is worth noting that most of the measures as set out in the Draft are already seen in existing regulations or practice. The draft is now laying the foundation for a legal framework to codify, consolidate and legalize current regulations, policies and practices, which could in turn provide the ministries with more power to promulgate specific rules for implementation.
Who are the regulators?
The CAC has been given the prominent role of "comprehensively planning and coordinating cyber security and related supervision and administration". We expect that CAC will be publishing high-level strategies and guidelines on cyber security in the future.
The Ministry of Industry and Information Technology (MIIT) and MPS are also named, although the Draft does not specify their detailed roles. We anticipate that MIIT, MPS and other related agencies are most likely to continue with their current roles. These current roles include:
- the SEA – encryption management
- the NAPSS – state secrets
- the General Administration of Quality Supervision, Inspection and Quarantine (GAQSIQ) and Certification and Accreditation Administration (CAA) – certification of network equipment and products
- Ministry of National Security – national security issues.
We would hope that the future draft could set out a clear delineation of the responsibilities of the ministries.
Who would be affected?
Under the Draft, anyone who constructs, operates, maintains and/or uses networks in the territory of China would be subject to the Cyber Security Law. The Draft also introduces the notion of "Network Operator" to mean "the owner and administrator of a network and the network service provider using a network owned or administered by others, including telecom infrastructure operator, network information service provider, and important information system operator." The definition is vague, and broad enough to catch an extensive range of operators in cyberspace.
Operators of the above-mentioned "critical information infrastructure" will also naturally fall into the notion of network operator. The term "critical information infrastructure" is broad enough to include "networks and systems owned or administered by network service providers with large numbers of users", and as a result would render most of the network infrastructure operators providing service to a sizable number of users susceptible to being deemed an operator of critical information infrastructure.
How would Network Operators be affected?
Amongst the measures proposed to be taken under the Draft, we would like to highlight the following impact on Network Operators:
- Manufacturers of network hardware and software (including security products): (i) Their products have to be tested or certified for compliance with compulsory industrial standards. Currently test centres of MPS, GAQSIQ and CAA are in charge of testing and certification. (ii) Supply of their products to operators of critical information infrastructure, if considered to have an impact on national security, would be subject to security review. Failure to have such a supply reviewed may result in a severe fine.
- Cross-border cloud-computing and data-processing service providers and users: cross-border cloud computing and data-processing inevitably involves transmission of data in and out of Chinese territory. Under the Draft, personal information and other data collected, generated and stored in China by the operator of critical information infrastructure must be evaluated for security purposes before being transmitted abroad. Violations may result in severe fine and administrative penalties.
- All Network Operators (including electronic information transmission service providers and application downloading service providers): all Network Operators are required to apply self-censorship as to information that is prohibited by law for dissemination and transmission. Moreover, upon their own discovery of such information, or at the request of authorities, Network Operators must stop providing services to the user, delete messages, maintain a record and report to the authorities. In particular instant messaging service providers, email providers, social networking service and other websites or applications providing such services would be subject to this requirement. The prohibited information is yet to be defined, and, based on previous regulations on the same topic, will tend to be expandable in scope by future regulations. Violations of the foregoing would result in severe fines and administrative penalties.
4. LOOKING FORWARD
The Draft contains a number of broad provisions which emphasise the importance of protecting national security and grants specific powers to authorities to restrict access to networks on national security and public order grounds. These provisions suggest that Chinese government is seeking to further tighten its grip on networks in China.
If passed as law, the Draft will affect many multinationals and their IT-related activities in China. It would also likely cause wider concern than the guideline (which was suspended earlier this year) requiring source code of certain IT products owned by financial insititutions to be disclosed to the government.
For further information, please contact:
Damien Bailey, Partner, Herbert Smith Freehills