The People’s Republic of China Cyber Security Law will take effect on 1 June 2017. It was promulgated in conjunction with the issuance of other important supplementary laws and regulations, including the Public Opinion Draft of the Measures for the Security Review of Network Products and Services released in February 2017, and the Public Opinion Draft of the Measures for Evaluating the Security of Transmissions of Personal Information and Important Data Overseas (Personal Information Transmission Draft) released in April 2017. These recent legislative moves by the PRC government have been closely followed by multinational corporations (MNCs) operating in China. This article provides a brief overview and analysis of three important issues raised by these recent legislative moves.
Application of the Cyber Security Law
The Cyber Security Law applies to the construction, operation, maintenance and use of networks within the territory of the PRC. Without further clarification from PRC legislators, the current scope of application makes it difficult for some MNCs to determine whether they fall under the purview of the Cyber Security Law.
For example, entities engaged in certain services listed in the Catalogue on the Classification of Telecommunication Services issued by the Ministry of Industry and Information Technology are generally deemed as “network service providers”, which is a category of “network operator” (the definition of which is unclear in the Cyber Security Law). If operating within the territory of the PRC, such entities will need to comply with the requirements of the Cyber Security Law. But what about MNCs located outside China that provide such services to China-based users? A concrete example would be an offshore website that provides online shopping services for Chinese users and delivers items to Chinese addresses. If the service in question is technically hosted offshore, is it nonetheless “provided within the territory of the PRC” under the Cyber Security Law?
Currently, there appears to be no clear answer on whether such a company would need to comply with the Cyber Security Law based on existing laws and regulations. For now, MNCs will need to pay attention to further legislative activities and the enforcement practices of relevant authorities to determine whether, and under what circumstances, they need to comply with the Cyber Security Law.
Transmitting personal information and important data overseas
The Cyber Security Law provides that operators of key information infrastructure (including public communications and information service, energy, transport, water conservancy, finance, public services, information services, e-government administration) are generally required to store within the territory of the PRC “personal information” and “important data” gathered and produced during operations conducted in the PRC. If it is necessary to provide such information and data to overseas parties for business reasons, a security assessment must first be conducted in accordance with the measures formulated by cyberspace administrative authorities (including the Cyberspace Administration of China) in concert with relevant departments under the State Council.
The Personal Information Transmission Draft now goes a step further. It requires all “network operators” to satisfy the requirement placed on operators of key information infrastructure. If the current iteration of the Personal Information Transmission Draft goes into effect, any MNC that is deemed to be a “network operator” will be required to complete a security review prior to transmitting personal information and important data overseas.
The Cyber Security Law provides a fairly clear definition of “personal information”: information recorded electronically or through other means that can be used independently, or in combination with other information, to identify natural persons’ personal information. This includes names, dates of birth, ID numbers, biometric records, addresses and telephone numbers (among other things). The Personal Information Transmission Draft also defines “important data” as data that is closely related to national security, economic development, and social and public interests. Although this definition is broad, it may potentially provide a basis for the issuance of further guidelines. Going forward, MNCs may see further laws and regulations providing a more detailed definition of “important data”.
Extraterritorial effect of Cyber Security Law
The Cyber Security Law provides that where any overseas institution, organization or individual engages in any activity that endangers key information infrastructure of the PRC through attacks, invasions, interference or destruction, and results in serious consequences, it will be investigated according to the law. Based on the results of such an investigation, the public security organs of the State Council and relevant departments may decide to freeze the assets of such institution, organization or individual or take other necessary punitive measures against it.
In this regard, the Cyber Security Law follows the example of various other governments in providing the PRC government with a legislative basis for enforcing its cyber security laws extraterritorially. Currently (and likely intentionally), the Cyber Security Law does not clearly specify the content and means of taking the sanctions mentioned. As such, the extent to which these provisions will be enforced abroad against overseas companies remains unclear.
In summary, there remains a degree of uncertainty in the enforcement of the Cyber Security Law. It is suggested that MNCs pay close attention to any related legislation as well as implementation and enforcement activities that occur after the release of the Cyber Security Law. Moreover, it is recommended that companies consult their legal advisers on a timely basis to better determine whether they qualify as a “network operator” and how to satisfy any compliance requirements (such as completing a security review to transmit personal information and important data overseas).
Ben Chai and Cloud Li are associates at DaHui Lawyers
Suite 3720, China World Tower
1 Jianguomen Outer Street
Beijing 100004, China
电话 Tel: +86 10 6535 5888
传真 Fax: +86 10 6535 5899