New Chinese Cybersecurity and Data Privacy Requirements
The Situation: Since China's Cybersecurity Law (the "Cybersecurity Law") went into effect on June 1, 2017, China has ushered in new laws and regulations that set out stricter requirements in every respect, including various national standards requiring localization of cloud infrastructure in China.
The Result: Cybersecurity and personal information protection are expanding action plans for the Chinese government. More laws and regulations are expected to be issued in the next six months to one year.
Looking Ahead: Businesses should continue to monitor China's cybersecurity developments, implement the prescribed security and privacy protection requirements, and be aware of the applicable risks and exposures, particularly the broad wide investigative powers of the Chinese authorities into companies' IT systems.
After China's Cybersecurity Law took effect on June 1, 2017, China ushered in new laws and regulations that set out stricter requirements, including various national standards to regulate companies (including Chinese affiliates of foreign companies) that set up their cloud infrastructure, including servers, virtualized networks, software, and information systems in China.
Introduction of Mandatory National Standards
On December 1, 2019, China introduced the "cybersecurity multi-level protection system 2.0" or "MLPS 2.0," which includes three Chinese national standards (issued by the Chinese State Administration for Market Regulation and the Standardization Administration of China). The Chinese national standards require companies to fulfill cybersecurity protection obligations, which vary depending on the companies' nature of business or operation, to ensure their networks are free from interference, damage, or unauthorized access, and prevent network data from being divulged, stolen or falsified. Under these standards, networks are classified into five levels, depending on their potential risk of harm in case of security breaches, with systems that would suffer the least harm classified as level 1 and those that would suffer the most harm classified as level 5.
The national standards require companies' procurement and use of encryption products and services to be preapproved by the Chinese government for networks classified as level 2 or above. The standards further require companies (including Chinese affiliates of foreign companies) to set up their cloud infrastructure, including servers, virtualized networks, software, and information systems, in China. Such cloud infrastructures are subject to testing and evaluation by the Chinese government. Overseas operation and maintenance of Chinese cloud computing platforms must also follow Chinese laws and regulations. The national standards also state that customers' data and users' personal information processed by cloud service providers should be stored inside China, which is an additional requirement. It is currently uncertain how these national standards would be enforced and there has not yet been reports of enforcement.
Chinese Authorities Have Published Other National Standards
- Information Security Technology—Implementation Guide for Classified Protection of Information System (GB/T 25058-2019) (effective March 1, 2020) specifies the rules for implementing classified protection of information systems and is an amendment to the 2010 version.
- Information Security Technology—Classification Guide for Classified Protection of Cybersecurity (GB/T 22240-2020) (effective November 1, 2020) specifies [that company must incorporate a] method of classifying targets of classified protection that are not involved in state secrets. Targets are classified into five levels of cybersecurity protection according to their importance in national security, economic construction, and social life, and their adverse impact to national security, social order, public interest, and the legitimate rights of citizens, legal persons and other organizations when the information systems of the targets are attacked, or when their data are otherwise modified, leaked, lost or destroyed. Targets that would suffer the least harm after the aforesaid events are classified as level 1 while those that would suffer the most harm are classified as level 5.
Even though there has not yet been reports of enforcement of these standards, companies doing business in or with China should review these and other Chinese government mandatory standards for compliance.
Critical Information Infrastructure
Chinese regulators and law enforcement have wide discretionary powers to review and inspect the IT systems of companies, particularly in the case of security breaches. Multinational companies, therefore, should implement strong and secure IT systems to lessen security incidents and avoid investigations.
The Cybersecurity Law requires critical information infrastructure operators (which are not yet defined in law) in important industries and fields to fulfill certain security protection obligations, including to (i) develop internal security management rules and operating procedures, designate persons in charge of cybersecurity and carry out cybersecurity protection responsibility; (ii) take technical measures to prevent computer viruses, network attacks and intrusions and other acts that endanger cybersecurity; (iii) take technical measures to monitor and record the status of network operation and cybersecurity incidents, and preserve relevant weblogs for not less than six months; (iv) take measures such as data categorization, and back-up and encryption of important data; and (v) perform other obligations as prescribed by Chinese laws and regulations.
On April 27, 2020, the Cyberspace Administration of China, the National Development and Reform Commission, and 10 other governmental departments jointly promulgated the Measures for Cybersecurity Review (effective June 1, 2020) to ensure the security of the supply chain of critical information infrastructure and to safeguard national security. The Measures apply to operators of critical information infrastructure, requiring national security and other reviews when purchasing network products and services.
The Information Security Technology—Basic Requirements for Cybersecurity Protection of Critical Information Infrastructure (GB/T 39204-2020) was introduced in 2018 and is currently under final approval. The standard stipulates the overall cybersecurity framework of critical information infrastructure and the corresponding requirements for identification, safety protection, detection and evaluation, monitoring and early warning and emergency response. In December 2019, the Chinese Information Security Standardization Technical Committee rolled out a pilot test on the practicality of the standard in order to accumulate experience and provide technical support for actual implementation. In August 2020, implementation plans for critical information infrastructure and classified protection of information systems were discussed in the 2020 Beijing Cyber Security Conference hosted by the investigation team of the Ministry of Public Security.
Virtual Private Network
The Notice of the Ministry of Industry and Information Technology on Cleaning Up and Regulating the Internet Access Service Market provides that no company may, without the approval of competent telecommunications authorities, construct or lease special circuits, including virtual private networks ("VPN") and other telecommunications channels, to conduct cross-border business activities. The Notice also requires telecommunications companies to set up profiles of users of their international private lines, and remind such users not to connect private lines to domestic or overseas data centers or business platforms to perform telecommunication business activities, but rather use them within the organization. The Notice prohibits the renting of VPNs from telecommunications companies not designated by the Chinese government. Currently, there are four telecommunication companies so designated by the Chinese government: China Mobile, China Unicom, China Telecom, and the British-based BT Group plc. The renting of VPNs from telecommunication companies not so designated was responsible for the recent website blockage of many companies.
The new Encryption Law of the People's Republic of China (effective January 1, 2020) stipulates that commercial encryption products relating to national security, the national economy, people's livelihood, or public interest may be sold or provided only after a government-designated institution confirms that the product has passed security authentication or otherwise complies with security requirements. Commercial encryption products used in mass consumer products are not subject to import licensing and export control systems, which is a striking change from the old Commercial Encryption Regulation.
The Provisions on Internet Security Supervision and Inspection by Public Security Organs govern the security inspection and investigations to be carried out by public security bureaus in respect of cybersecurity obligations. Public security bureaus have wide inspection powers. Companies doing business in China—regardless of industry—must cooperate with public security bureaus' inspections and investigations.
Cloud Computing Services
The Cloud Computing Services Security Assessment Measures govern the security of cloud services. Cloud service providers are subject to security assessments conducted by the Chinese government.
Personal Information Protection National Standard
Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) in effect on October 1, 2020 (replacing Information Security Technology—Personal Information Security Specification (GB/T 35273-2017) (effective May 1, 2018)) sets out detailed requirements for data controllers—namely companies doing business in China—on the collection of personal information for default consent, bundled consent, forced consent, or repeated seeking of unwilling consent, and refines measures to be taken by data controllers when processing the deregistration of users' accounts. GB/T 35273-2020 also requires data controllers to retain log files relevant to the handling of personal information, and to implement measures to manage third-party products and services collecting personal information from data subjects via data controllers (this is particularly common for mobile applications that allow access to third-party programs or software). GB/T 35273-2020 requires data controllers to specify details of cross-border data transfers in their personal information protection policies, including the geographical location where the data is transferred, the types of data being transferred and the relevant standards, agreements and legal basis in support of such data transfer. On November 18, 2020, the National Information Security Standardization Technical Committee organized a kick-off event to roll out a pilot test on the implementation of the standard: The subjects of this pilot test included applications, software development kits, cloud computing platforms, mini programs and portable devices in fields such as biometrics, medical, finance, and property rental.
On May 28, 2020, the 13th National People's Congress of the People's Republic of China passed the Civil Code of the People's Republic of China (to take effect January 1, 2021) (the "Civil Code"), which contains a chapter on the "Right of Privacy and Protection of Personal Information" (Chapter VI). The Civil Code specifies the right of privacy enjoyed by natural persons and, in line with the Cybersecurity Law, defines personal information as "information recorded electronically or in other forms that can identify a specific natural person separately or in combination with other information, including a natural person's name, date of birth, identity card number, biological recognition information, address, telephone number, email address, health information, and whereabouts information." The Civil Code also specifies the conditions of handling personal information in order to satisfy the principles of lawfulness, justification and necessity, such as seeking a data subjects' consent, expressly indicating purpose, method and scope of handling personal information, implementing technical measures to protect personal information that has been collected or stored from leakage, tampering and loss, and not disclosing personal information without consent.
Personal Information Protection Law
The draft Personal Information Protection Law is expected to be promulgated this year. The draft law sets out a stricter data localization requirement, requiring that personal information processed by state organs, critical information infrastructure operators (not yet defined), and data processors that have reached or exceeded the personal information processing threshold specified by the National Cyberspace Administration in terms of quantity, shall be stored inside China or undergo risk assessment by the National Cyberspace Administration or related departments when cross-border data transfer is required. The draft law provides that personal information processed by other entities may be transferred outside of China for business needs if the data processors have (i) gone through security assessment by the Chinese government (the National Cyberspace Administration); (ii) been certified by a government designated institution according to the requirements of the National Cyberspace Administration; (iii) contracted with overseas data recipients to set forth the rights and obligations of the parties and require the transfer activities to comply with the draft law; or (iv) otherwise complied with any other Chinese laws, administrative regulations, and requirements. The draft law also repeats current legal requirements that data processors must obtain data subjects' consents and notify data subjects of the identity and contact information of overseas data recipients, the purpose and method of data processing, the types of data transferred, and the way of enforcing their rights against overseas data recipients.
To comply with this new law, many U.S. and European companies have been taking compliance measures, such as segregating local Chinese data from other data. Various companies have also started offering cloud services (including Microsoft and Amazon Web Services) in China to meet the business needs of multinational companies doing business in China.
Two Key Takeaways
- Cybersecurity and personal information protection are expanding action plans for the Chinese government. More laws and regulations are expected to be issued in the next six months to one year.
- Businesses should continue to monitor developments, comply with the prescribed security and privacy protection requirements, and be aware of the applicable risks and exposures, especially the requirements for localization of cloud infrastructure, data localization requirements, and wide investigative powers of Chinese authorities into companies' IT systems.