- Banking and Finance Laws
- China Law News
- Cybersecurity
- Foreign Direct Investment
- Technology Media and Telecom
Cybersecurity Law sparks data concern for MNCs
July 31, 2015 | BY
CLP Temp &China's draft Cybersecurity Law, which restricts cross-border data transmissions and requires the setting up of servers in the country, has prompted foreign companies to assess risks regarding delay, disclosure and costs
China's first comprehensive Cybersecurity Law, unveiled on July 6, extends far beyond cyberspace and makes it clear that the authorities want control over all segments that can lead to information security risks, including data storage and migration.
The draft, officially called the PRC Network Security Law, contains guidelines for the notification of data breaches, grading of information security systems as well as screening and regulation of encryption products. It also sets requirements that restrict cross-border data flows, which can disrupt the operations of businesses in multiple jurisdictions. Comments are due August 5 2015.
This comes on the back of the controversial PRC National Security Law, which subjects certain foreign investments, key technology and internet products and services to similar controls.
“Multinational companies (MNCs) can no longer take for granted that they have a free hand to move data around,” said Kevin Guo of TransAsia Lawyers. “It's necessary for foreign companies to have specific discussions with regulators to understand what the parameters are, which would depend on the operational model used by the individual businesses.”
|Data transfers: security assessments
The Cybersecurity Law requires all international data transfers to undergo security assessments. This also inevitably includes information transmitted in and out of China by cloud-computing and data-processing services.
The implementing rules will probably provide more clarity on their procedure and scope, but until that happens, investors contemplating opening up or even running existing operations in China will have to deal with the uncertainty of how the law will be enforced.
“This produces a chilling effect on MNCs that have or want data to travel between jurisdictions freely,” said Peter Bullock of Pinsent Masons. “The key concern lies in the possibility of having to undertake security assessments in relation to international transfer of data and the fear that these tests will lead to delays and disclosure of commercial secrets.”
Information security evaluations have already been underway as the government relies on the existing smaller pieces of legislation that govern networks. Although enforcement of these rules hasn't been consistent, it is clear that China is determined to implement the Cybersecurity Law in its entirety.
Laws have been issued since 2000 that address data privacy in the broadest of terms, with overlapping regulations that deal with personal information, finance data outflows and data breaches. Although China has clamped down on data protection in recent years, it is difficult to tell what the new security assessment requirement under the pervasive Cybersecurity Law will entail.
|Data storage: servers in China
The Cybersecurity Law requires operators of “critical information infrastructure” to store certain data in Chinese territory, effectively requiring the setting up of servers in the country. This can be expensive, apart from sparking worry about who will be able to access the information.
“The definition of so-called critical information infrastructure operators is still very vague,” said Guo. Although it is broad enough to catch an extensive range of operators, “enforcement will most likely be first focused on sectors of genuine security concern like finance, infrastructure-based cloud computing and telecom-related services,” he said.
The draft explains that critical information infrastructure includes not just radio and TV transmission services, but also systems in sectors such as energy, transportation, water conservancy and finance, all of which are rather broad. It also encompasses government and military networks as well as public service sectors like power and public gas utilities and healthcare.
Many of these services involve mass data and are managed by information systems, and there is a growing concern regarding a lack of protective measures.
Then there is the catch-all provision: the data storage requirement also applies to all “operators of networks and systems with a very large number of users.” What counts as a network operator or provider remains ambiguous, as does what constitutes a significant number.
“This is extremely broad and the government has not decided how far it will go to enforce it,” said Guo. “It doesn't have the bandwidth to deal with all these sectors altogether.”
|What MNCs need to do
One way around the security assessments is to not transfer data internationally, said Bullock, adding that having good connections can get businesses around certain requirements.
“If MNCs need data to be kept in China, they will need servers in China,” said Guo. In fact, this is what many companies are doing.
It is unlikely that the government intends to unnecessarily and unreasonably restrict commercially justifiable data collaboration involving multiple jurisdictions as long as the security issue is addressed, Guo said, as China is targeting specific types of data and security-sensitive sectors. He also said it is possible for businesses and regulators to reach a reasonable understanding.
Article 59 of the Cybersecurity Law imposes penalties for violations: fines between Rmb50,000 and Rmb500,000 for entities and between Rmb10,000 and Rmb100,000 for individuals and personnel.
The relatively low level of punishment reflects that China has not actually taken an excessively harsh stance on network and cyber information security. “It wouldn't be practical,” said Guo. “The intention is to bring the issue into the regulatory fold and step up with enforcement efforts.”
A report by DaHui Lawyers says that, given its significance, the Cybersecurity Law will most likely be fast-tracked for comments and revision, discussion and approval. MNCs and all network operators are advised to plan ahead accordingly.
|Finance and healthcare
The scrutiny on international data transfers has been evident in the financial services industry with the Guidelines on Banks Using Secure and Controllable Information Technology issued on December 26 2014. These rules set a high bar for foreign technology suppliers to enter the Chinese market, requiring them to file source codes for network software and storage equipment with the CBRC and set up R&D centres in China.
Waivers have been granted to substantial banks to conduct offshore work on a semi-official basis following strong reactions from companies. But how China plans to come to a permanent arrangement remains to be seen.
The draft Cybersecurity Law has expanded the definition of “personal information” to include biometric data. This is in line with China's intention to further secure the personal (including medical) data of its citizens, reinforced by the healthcare sector being defined under the umbrella of critical information operators in the law.
China has much to gain from international expertise in healthcare, an area where one may not expect to export data. While China has been opening up to foreign investment with its healthcare reform, the draft is a reminder that China's data security concerns are not exclusive to particular industries and that all investors need to be cautious.
|FDI implications
Alongside China's Internet+ initiative to propel modern industries, the application and enforcement of the Cybersecurity Law will only expand as new sectors emerge.
“The wider question for this law is how it will affect MNCs conducting M&A,” said Bullock. “It is already difficult for them to do deals in China, but this law could make it worse with all these extra requirements getting different agencies involved in clearances.”
On the other hand, some practitioners believe the law's impacts may have been overhyped. Apart from the security assessment (which will be clarified in the implementing rules), “the provisions and requirements in this draft are not actually new and merely repeat current practice and policies,” said Ben Chai of DaHui Lawyers.
“It doesn't make sense for the government to issue a law that imposes more FDI restrictions to the telcom and internet sectors, though there is a need to strengthen supervision and regulation,” he said.
China has relaxed restrictions in internet/e-commerce and, in general, widened the industry sectors open to FDI, and “any foreign company intending to operate in China must understand that any deregulation efforts will be qualified by information security measures,” said TransAsia's Guo.
By Katherine Jo
This premium content is reserved for
China Law & Practice Subscribers.
A Premium Subscription Provides:
- A database of over 3,000 essential documents including key PRC legislation translated into English
- A choice of newsletters to alert you to changes affecting your business including sector specific updates
- Premium access to the mobile optimized site for timely analysis that guides you through China's ever-changing business environment
Already a subscriber? Log In Now