Cybersecurity Law sparks data concern for MNCs

July 31, 2015

China's draft Cybersecurity Law, which restricts cross-border data transmissions and requires the setting up of servers in the country, has prompted foreign companies to assess risks regarding delay, disclosure and costs

China's first comprehensive Cybersecurity Law, unveiled on July 6, extends far beyond cyberspace and makes it clear that the authorities want control over all segments that can lead to information security risks, including data storage and migration.

The draft, officially called the PRC Network Security Law, contains guidelines for the notification of data breaches, grading of information security systems as well as screening and regulation of encryption products. It also sets requirements that restrict cross-border data flows, which can disrupt the operations of businesses in multiple jurisdictions. Comments are due August 5 2015.

This comes on the back of the controversial PRC National Security Law, which subjects certain foreign investments, key technology and internet products and services to similar controls.

“Multinational companies (MNCs) can no longer take for granted that they have a free hand to move data around,” said Kevin Guo of TransAsia Lawyers. “It's necessary for foreign companies to have specific discussions with regulators to understand what the parameters are, which would depend on the operational model used by the individual businesses.”


Data transfers: security assessments

The Cybersecurity Law requires all international data transfers to undergo security assessments. This also inevitably includes information transmitted in and out of China by cloud-computing and data-processing services.

The implementing rules will probably clarify the procedure and scope of these assessments, but until they are issued, investors contemplating opening up, or even running, operations in China will have to deal with uncertainty over how the law will be enforced.

“This produces a chilling effect on MNCs that have or want data to travel between jurisdictions freely,” said Peter Bullock of Pinsent Masons. “The key concern lies in the possibility of having to undertake security assessments in relation to international transfer of data and the fear that these tests will lead to delays and disclosure of commercial secrets.”

Information security evaluations have already been underway as the government relies on the existing smaller pieces of legislation that govern networks. Although enforcement of these rules hasn't been consistent, it is clear that China is determined to implement the Cybersecurity Law in its entirety.

Laws have been issued since 2000 that address data privacy in the broadest of terms, with overlapping regulations that deal with personal information, finance data outflows and data breaches. Although China has clamped down on data protection in recent years, it is difficult to tell what the new security assessment requirement under the pervasive Cybersecurity Law will entail.


Data storage: servers in China

The Cybersecurity Law requires operators of “critical information infrastructure” to store certain data in Chinese territory, effectively requiring the setting up of servers in the country. This can be expensive, apart from sparking worry about who will be able to access the information.

“The definition of so-called critical information infrastructure operators is still very vague,” said Guo. Although it is broad enough to catch an extensive range of operators, “enforcement will most likely be first focused on sectors of genuine security concern like finance, infrastructure-based cloud computing and telecom-related services,” he said.

The draft explains that critical information infrastructure includes not just radio and TV transmission services, but also systems in sectors such as energy, transportation, water conservancy and finance, all of which are rather broad. It also encompasses government and military networks as well as public service sectors like power and public gas utilities and healthcare.

Many of these services involve mass data and are managed by information systems, and there is a growing concern regarding a lack of protective measures.

Then there is the catch-all provision: the data storage requirement also applies to all “operators of networks and systems with a very large number of users.” What counts as a network operator or provider remains ambiguous, as does what constitutes a significant number.

“This is extremely broad and the government has not decided how far it will go to enforce it,” said Guo. “It doesn't have the bandwidth to deal with all these sectors altogether.”


What MNCs need to do

One way around the security assessments is to not transfer data internationally, said Bullock, adding that having good connections can get businesses around certain requirements.

“If MNCs need data to be kept in China, they will need servers in China,” said Guo. In fact, this is what many companies are doing.

It is unlikely that the government intends to unnecessarily and unreasonably restrict commercially justifiable data collaboration involving multiple jurisdictions as long as the security issue is addressed, Guo said, as China is targeting specific types of data and security-sensitive sectors. He also said it is possible for businesses and regulators to reach a reasonable understanding.

Article 59 of the Cybersecurity Law imposes penalties for violations: fines between Rmb50,000 and Rmb500,000 for entities and between Rmb10,000 and Rmb100,000 for individuals and personnel.

The relatively low level of punishment reflects that China has not actually taken an excessively harsh stance on network and cyber information security. “It wouldn't be practical,” said Guo. “The intention is to bring the issue into the regulatory fold and step up with enforcement efforts.”

A report by DaHui Lawyers says that, given its significance, the Cybersecurity Law will most likely be fast-tracked for comments and revision, discussion and approval. MNCs and all network operators are advised to plan ahead accordingly.


Finance and healthcare

The scrutiny on international data transfers has been evident in the financial services industry with the Guidelines on Banks Using Secure and Controllable Information Technology issued on December 26 2014. These rules set a high bar for foreign technology suppliers to enter the Chinese market, requiring them to file source codes for network software and storage equipment with the CBRC and set up R&D centres in China.

Waivers have been granted to substantial banks to conduct offshore work on a semi-official basis following strong reactions from companies. But how China plans to come to a permanent arrangement remains to be seen.

The draft Cybersecurity Law has expanded the definition of “personal information” to include biometric data. This is in line with China's intention to further secure the personal (including medical) data of its citizens, reinforced by the healthcare sector being defined under the umbrella of critical information operators in the law.

China has much to gain from international expertise in healthcare, an area where one might not expect data to be exported. While China has been opening up to foreign investment with its healthcare reform, the draft is a reminder that China's data security concerns are not confined to particular industries and that all investors need to be cautious.


FDI implications

Alongside China's Internet+ initiative to propel modern industries, the application and enforcement of the Cybersecurity Law will only expand as new sectors emerge.

“The wider question for this law is how it will affect MNCs conducting M&A,” said Bullock. “It is already difficult for them to do deals in China, but this law could make it worse with all these extra requirements getting different agencies involved in clearances.”

On the other hand, some practitioners believe the law's impacts may have been overhyped. Apart from the security assessment (which will be clarified in the implementing rules), “the provisions and requirements in this draft are not actually new and merely repeat current practice and policies,” said Ben Chai of DaHui Lawyers.

“It doesn't make sense for the government to issue a law that imposes more FDI restrictions on the telecom and internet sectors, though there is a need to strengthen supervision and regulation,” he said.

China has relaxed restrictions in internet/e-commerce and, in general, widened the industry sectors open to FDI, and “any foreign company intending to operate in China must understand that any deregulation efforts will be qualified by information security measures,” said TransAsia's Guo.

By Katherine Jo
