China is increasingly emphasising government sovereignty on cyberspace and data, rapidly evolving its cybersecurity and data regime, enacting numerous rules and policies, and formulating national standards for cybersecurity and data protection. Privacy rights and security principles are rooted in the PRC Constitution, Civil Code and National Security Law, grounded in three established pillars of law: the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL).
INTERACTION OF PILLAR LAWS
Among those three pillar laws, the CSL is fundamental to cyberspace sovereignty, establishing the overall security framework. The DSL aims to protect the security of processed data, and PIPL is dedicated to regulating personal information processing.
The DSL and PIPL both claim extraterritorial power to protect data and personal information processed by infrastructure protected by the CSL. The DSL will punish any data processing outside the PRC if detrimental to national security or public interest, or the lawful rights and interests of any Chinese citizen or entity. Similarly, processing personal information outside the PRC for offering products or services to individuals or assessing the behaviour of individuals in the PRC needs to comply with the PIPL.
Businesses in China should also comply with specialised rules in specific industries and local data regulations. Continual efforts by various industrial regulators and local governments address cybersecurity, especially in medical and health, finance, automobile, and internet information services (such as algorithm recommendation services) locally and nationally.
The Cyberspace Administration of China (CAC) recently released long-awaited findings of a cybersecurity review against ride-hailing giant DiDi, resulting in a USD1.2 billion fine. The review was initiated before the revised Measures on Cyberspace Security Review came into effect on 15 February.
Since that revision, the scope of cybersecurity review has extended to specifically apply to network platform operators seeking overseas listing while processing personal information of more than a million users.
The review also applies to the procurement of network products or services by operators of critical information infrastructure, or to data processing by network platform operators, if national security is, or is likely to be, impacted.
Among those three circumstances triggering review, data processing by network operators is the most difficult to self-determine, as there is no explicit legal guidance about relevant factors. Seemingly, any big platform processing a large volume or various types of data may be subject to review.
To be safe, either don’t run a large network platform, or if you do, voluntarily apply for a cybersecurity review to receive notice of no further action. Otherwise, face a similar risk to huge academic research database China National Knowledge Infrastructure (CNKI), currently under review for national security reasons.
Multi-level protection requirements on information systems and networks are also updated under the CSL. Under the multi-level protection scheme (MLPS) regime, network application operators should assess their network applications and associated risks, with each application assigned a “security level” based on its nature, importance and severity of potential impact if compromised.
Levels range from one to five, and the higher the level, the more stringent the security requirements the operator should adopt. Subject to the security level, operators are required to get their network application assessments filed or assessed by the public security authority, and adopt appropriate security measures.
To safeguard data sovereignty, the CSL imposes data localisation requirements on critical information infrastructure operators. The DSL and PIPL stipulate that any request by a foreign judicial body or law enforcement authority for the provision of data or personal information stored in China is subject to prior approval by competent authorities.
The CAC Security Assessment Measures of Cross-border Data Transfer, which came into effect on 1 September, allow data processors a six-month transition period to comply. Previously, the CAC issued the draft Provision on the Standard Contract for Personal Information Cross-border Transfer, similar to the EU’s standard contractual clauses (SCCs). The National Information Security Standardisation Technical Committee (TC260) also released the Practice Guidelines for Cybersecurity Standards – Specification for the Security Certification of Personal Information Cross-Border Processing Activities, introducing a certification framework for cross-border data processing.
According to the measures, a CAC-led mandatory security assessment will be triggered under statutory situations prescribed in the CAC Security Assessment Measures of Cross-border Data Transfer.
By contrast, the security certification is expected to address frequent personal information transfers among subsidiaries or affiliates of the same corporate group, while the SCC will be the main tool for cross-border data transfers without needing prior CAC approval. However, given the low thresholds for security assessment, it likely will become the pervasive means to transfer cross-border data.
The DSL establishes a general requirement on data classification management and protection according to the importance of data to the national economy, national security, public interest and society, as well as the potential degree of harm in case of a security breach. Core data is the highest tier of the three-tier system, subject to the strictest protection and expected to be determined by central government agencies.
Important data is the middle tier. Industrial regulatory authorities and local governments will respectively define important data in various industries and administrative regions, and processors will follow the definition catalogues to determine the scope of their important data. For now, however, there is only a draft national standard on important data identification, along with a preliminary administrative regulation defining it in the auto industry and a draft regulation in the industrial and information technology sectors. It may take a while for all core data and important data to be identified nationwide.
PERSONAL DATA PROTECTION
The PIPL provides comprehensive protection covering the entire processing cycle of personal information, requiring processors to take appropriate measures to ensure safety and imposing stricter requirements on processing sensitive information. Processors are required to establish a lawful basis before processing any personal information, which may be the consent of data subjects or one of a variety of other lawful bases. They are also required to follow the principles of legality, legitimacy, necessity and good faith, comply with legal requirements, and retain relevant records to demonstrate compliance or defend potential claims.
In addition, the PIPL grants data subjects comprehensive rights, both substantive and procedural, over their personal information, such as the right to know, decide, have portability and complain.
ENFORCEMENT AND PENALTY
The pillar laws impose harsh criminal, administrative and civil liabilities against cybersecurity and privacy violations. For example, under the PIPL, illegal gains may be confiscated, with fines ranging from RMB1 million (USD142,000) to RMB50 million, or 5% of annual business turnover. The person directly in charge and other directly liable persons can be fined up to RMB1 million. The record-breaking DiDi fine is the most recent example. A draft proposal to amend the CSL with even steeper penalties was released for public comment on 14 September. Chinese prosecutors and courts are clearly more active over personal information protection and data-related crimes in civil and criminal cases.
TRENDS AND DEVELOPMENTS
The government believes the digital economy and data assets will be the next key competition area in the world, and is prioritising building, maintaining and defending sovereignty in cyberspace.
Over the next three to five years, the following developments can reasonably be expected:
- CSL enforcement, with MLPS 2.0 implementation, will be strengthened to establish a solid and secure base for cyberspace sovereignty;
- DSL development, through data categorisation and classification, will be completed and fully implemented in all industries and administrative regions; and
- The PIPL will continue to be localised by more judiciary enforcement against foreign entities, subject to the law.
The above trends and developments in cyberspace security law mean that there will be more administrative punishments, judicial review and extraterritorial enforcement efforts in the coming years. Therefore, multinational companies in China and offshore entities remotely interacting with China should keep a close watch on legal, administrative and judicial developments, understand the underlying intent of these developments in a timely and clear manner by working with qualified local counsel, and make proper adjustments to their business operations for compliance purposes.
GLOBAL LAW OFFICE
Several pieces of legislation, rules and sector-specific regulations govern India’s legal, regulatory and institutional framework for cybersecurity, promoting maintenance of security standards, defining cybercrimes and requiring incident reporting.
The Information Technology (IT) Act, 2000, is the primary legislation dealing with cybersecurity, data protection and cybercrime.
Its key features are:
- Granting statutory recognition and protection to electronic transactions and communications;
- Aiming to safeguard electronic data, information and records;
- Aiming to prevent unauthorised or unlawful use of computer systems; and
- Identifying activities such as hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft as punishable offences.
Rules and regulations framed under the IT Act regulate different aspects of cybersecurity as follows:
- Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (2013 rules), established the Computer Emergency Response Team (CERT-In) as the administrative agency responsible for collecting, analysing and disseminating information on cybersecurity incidents, and taking emergency response measures. These rules also put in place obligations on intermediaries and service providers to report cybersecurity incidents to the CERT-In.
- Directions on information security practices, procedure, prevention, response and reporting of cyber incidents for a safe and trusted internet, issued in 2022 by the CERT-In, add to and modify existing cybersecurity incident reporting obligations under the 2013 rules.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) require companies that process, collect, store or transfer sensitive personal data or information to implement reasonable security practices and procedures.
- The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, require intermediaries to implement reasonable security practices and procedures to secure their computer resources and information, maintaining safe harbour protections. Intermediaries are also mandated to report cybersecurity incidents to the CERT-In.
- Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, oblige companies that have protected systems – as defined under the IT Act – to put in place specific information security measures.
Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860, which punishes offences committed in cyberspace (such as defamation, cheating, criminal intimidation and obscenity), and the Companies (Management and Administration) Rules 2014, which require companies to ensure that electronic records and systems are secure from unauthorised access and tampering. There are also sector-specific rules issued by regulators and agencies, including the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, the Department of Telecommunications, the Securities Exchange Board of India and the National Health Authority of India, among others, which mandate cybersecurity standards to be maintained by their regulated entities.
Cybersecurity of critical information infrastructure (CII) – defined as any computer resource that can have a debilitating impact on national security, the economy, public health or safety if incapacitated or destroyed – is regulated by guidelines issued by the National Critical Information Infrastructure Protection Centre (NCIIPC).
Under the IT Act, the government may notify any computer resource that affects the facility of CII to be a protected system, prescribing cybersecurity obligations for companies handling protected systems. Designated CII sectors include transport, telecoms, banking and finance, power, energy and e-governance. Within these sectors, the appropriate authority can notify certain computer systems as protected systems. Sectoral regulators and agencies, including the Central Electricity Authority, have also formulated rules and guidelines on cybersecurity and CII.
Since cybersecurity is a cross-cutting issue, India has a complex inter-ministerial and inter-departmental institutional framework for cybersecurity, with several ministries, departments and agencies performing key functions. For instance, the Ministry for Electronics and Information Technology (MeitY) deals with policy relating to IT, electronics and the internet, including cyber laws. It set up the CERT-In as a nodal agency for co-ordination and handling of cyber incident response activities.
The Ministry of Home Affairs looks at internal security, including cybersecurity. For this purpose, it has set up the cyber and information security division, comprising a cybercrime wing, cybersecurity wing and monitoring unit. To combat cybercrime, it also established the Indian Cyber Crime Co-ordination Centre in 2018. The NCIIPC, the nodal agency for CII, is set up under the National Security Adviser. The National Cyber Security Co-ordinator is the nodal officer for cybersecurity, functioning under the Prime Minister’s Office and co-ordinating with various agencies at federal level.
At the federal level, the IT Act places security obligations on organisations handling sensitive personal data. These are laid out in the SPDI rules, which require companies to institute managerial, technical, operational and physical security control measures. The rules also refer to the ISO/IEC 27001 international standard on information security management, with body corporates subject to audit checks by an independent government-approved auditor at least once a year, or as and when they significantly upgrade their processes and computer resources.
Sectoral regulators and nodal agencies also prescribe security measures. The Reserve Bank of India prescribes standards for banks, including setting a mechanism for dealing with and reporting incidents, cyber crisis management, and arrangements for continuous surveillance of systems and the protection of customer information. It also mandates banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards.
A similar framework is applicable to non-banking finance companies. The Securities Exchange Board of India requires stock exchanges, depositories and clearing corporations to follow standards such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.
CYBER INCIDENT REPORTING
The 2013 rules require organisations to report incidents to the CERT-In within a reasonable time. Incidents include denial of service attacks, phishing and ransomware incidents, website defacements, and targeted scanning of networks or websites.
In April 2022, the CERT-In issued a new directive modifying obligations under the 2013 rules, including requirements to report cybersecurity incidents within six hours, syncing system clocks to the time provided by government servers, maintaining security logs in India, and storing additional customer information. The IT Rules 2021 also require intermediaries to notify the CERT-In of security breaches as part of their due diligence obligations.
Various sector-specific reporting obligations also apply. For instance, in the financial services sector, every bank is required to report incidents within two to six hours of detection. Similarly, insurance companies must report cybersecurity incidents to the Insurance Regulatory and Development Authority within 48 hours of detection. Telecom licensees are required to establish a facility for monitoring intrusions, attacks and frauds on their technical facilities, and to provide reports of such incidents to the Department of Telecommunication.
Traditional criminal acts such as theft, fraud, forgery, defamation and mischief – all of which are covered under the Indian Penal Code, 1860 – may also constitute cybercrimes. The IT Act addresses modern offences such as tampering, hacking, publishing obscene information, unauthorised access to protected systems, breach of confidentiality and privacy, and publishing false digital signature certificates. Sending threatening or defamatory messages by email, forgery of electronic records, cyber fraud, email spoofing, web-jacking and email abuse are also punishable offences.
The federal government, through the National Cyber Security Co-ordinator, is formulating a new national cybersecurity strategy. This aims to address certain gaps in India’s cybersecurity framework and enhance the country’s overall cybersecurity posture.
The government is also considering revamping the IT Act to align with advances in the global and domestic digital and technology environment. This may change the existing cybercrime, incident reporting, and security measures and standards framework.
Various Indonesian government agencies and businesses are considering an emerging futuristic technology called the metaverse, a portmanteau of “meta” (meaning beyond) and “universe”, which promises to dramatically advance social connectivity via the internet, boosting virtual 3-D experiences from tourism and cultural exploration to interactive banking, consumer sales, office communication, education and daily life.
One especially controversial aspect of this gradual convergence of the digital and physical worlds, however, is its reliance on the collection of biometric data, used as personal identification to bring out the individual’s natural character in the virtual metaverse. The acquisition of biometric data is a sensitive issue, given its inherent vulnerability to potential threats, while Indonesia’s regulatory framework is limited in personal data protection and in safeguarding against cyberattacks.
In this article, the authors discuss the existing framework and the long-awaited Law No. 27 of 2022 on Personal Data Protection (PDP Law), which recently came into force in Indonesia, and whether a more specific regulation on biometric data is needed in anticipation of the evolution of the metaverse.
The pandemic encouraged many enterprises to reconsider how to carry out their businesses more effectively. Not surprisingly, many turned online using digital meeting platforms such as video-conferencing, webinars and many other forms of internet communication. However, despite certain clear benefits, these also had limitations that are considered somewhat confining compared to more flexible experiences in the real world. Hence the metaverse emerged, bridging the metaphysical gap to answer those problems, offering real-life experiences in a virtual world through a replica of the physical realm where parties can more effectively socialise, attend meetings and participate in events through avatars representing themselves without a physical presence.