Navigating national and cybersecurity risks in China

December 09, 2015 | By Katherine Jo

The country's national security, cybersecurity, anti-terrorism and financial IT rules can significantly impact foreign companies' operations, data privacy and cross-border information transfers. MNCs need to work together to prevent these costly and potentially risky changes.

China has proposed a number of regulatory changes aimed at national and cybersecurity over the past 12 months. Multinational companies (MNCs) and foreign financial institutions can be significantly restricted in terms of their operations and data management, and are encouraged to make their voices heard regarding these proposals.

The new PRC National Security Law (国家安全法) (NSL) came into force in July 2015 and forms the centrepiece of a series of other proposed “security” laws, including a draft PRC Network Security Law (网络安全法) (Cybersecurity Law) and a draft PRC Anti-terrorism Law (反恐怖主义法). Combined with the currently suspended Guiding Opinions on the Application of Secure and Controllable Information Technology to Strengthen the Network Security and Information Technology Development of the Banking Industry (关于应用安全可控信息技术加强银行业网络安全和信息化建设的指导意见) (CBRC Opinions) issued by the China Banking Regulatory Commission (CBRC), these have caused increasing concern among international investors operating in China.


National Security Law

The NSL has a much wider ambit than its 1993 predecessor, which focused on the prevention of espionage and state secrets leakage. The NSL adopts a very broad definition of “national security” that goes beyond state security in its traditional sense and extends to the economy, finance, technology, information and cybersecurity (among others).

In addition to the broad interpretation, the legislation also sets out very general principles regarding the powers of the PRC government to take action when “national security” issues arise. The legislature has yet to clarify exactly how these principles will be implemented in practice, creating uncertainty as to how the NSL affects companies' ability to conduct business in China. The application of this overarching law is only the beginning and sets a framework for further regulations that will have a more specific and defined impact on investors.

At this stage, it appears that the obligations to cooperate on matters of national security are greatly increased under the new regime. For example, the broad definition could make it possible for the authorities to demand compliance, information and much else under the guise of protecting “national security”. Financial institutions could potentially be required to share sensitive customer or commercial data without a demonstrably real national security risk being shown by the requesting authority.

It is also worth noting that Articles 24 and 25 of the NSL specifically refer to the need for core technology, critical infrastructure, information systems and data in core areas to be “controllable”. The term is consistent with the proposals in the draft Cybersecurity Law and the CBRC Opinions, which indicate an increased move to regulate the use of technology and the control of information and data held by private companies within China. There is a real fear that this could make it very difficult for businesses to use technology products and software supplied by foreign IT suppliers within their operations in China.


Cybersecurity Law and Anti-terrorism Law

The draft Cybersecurity Law highlights the government's move towards cyber sovereignty through tightened controls on IT networks and data.

For example, Article 19 of the draft states that “critical information infrastructure” and specialized cybersecurity products must pass a security certification or inspection before they can be sold. The national cyberspace authority, together with the relevant departments of the State Council, will draw up the certification requirements and publish a catalogue listing the specific infrastructure and products. The movement towards IT control is also reflected in the now-suspended CBRC Opinions and would not only affect companies' procurement policy but the integrity of their IT infrastructure as well. One of the key concerns of international businesses operating in China is that the use of foreign IT products and solutions may be banned.

The Cybersecurity Law may also require “critical information infrastructure operators” to conduct an annual evaluation of their network security. Such operators traditionally include financial institutions, telecom network providers, energy companies and healthcare firms, but the definition could potentially include any major organization that has a network or system with a massive number of users. The results, key risks and any identified corrective actions must be reported to the relevant State Council department. This is a fairly onerous – and potentially costly – undertaking.

Article 31 could also require these operators to retain the data collected from their PRC customers within the territory. Only if it is “really necessary” as a result of “business requirements” may the data be transferred to other jurisdictions. In addition, the information is subject to a mandatory security assessment prior to any transfer. This is a significant departure from current practice, which allows foreign businesses to transfer data out of China with customer consent.

This data storage requirement can make day-to-day operations difficult, particularly for cross-border transactions. Businesses that have shared offshore facilities, such as legal and operational support, may need to consider bringing these operations onshore.

In addition to the draft Cybersecurity Law, the government has tabled a draft Anti-terrorism Law that also regulates the use of technology in China. If passed in its current form, the Anti-terrorism Law would require telecom and internet companies to hand over encryption keys and install backdoors to their software so as to facilitate counter-terror investigations. This may push companies to be more cautious about engaging the services of telecom and internet companies in China. In addition, foreign TMT companies may be reluctant to provide services within the country due to these burdensome requirements.


CBRC Opinions

The CBRC Opinions, which are applicable to all financial institutions in China, were released in late 2014. They require the application of secure and “controllable” technology to strengthen the network security of the banking sector.

They mandated a number of factors to make a technology product “secure and controllable”, such as requiring key IT hardware to meet mandatory security qualifications and acquire government certification before being implemented (similar to the requirements of Article 19 of the draft Cybersecurity Law). This is troubling for a financial institution using a particular IT solution globally that does not meet the necessary requirements or have the relevant PRC certification. It (or potentially its supplier) will need to absorb the costs of obtaining the certification or select another certified supplier (most likely a local one) and use different equipment in its China offices.

Another international concern of the CBRC Opinions was the obligation to submit the source code of certain types of software and hardware to the CBRC. IT vendors are naturally very cautious about disclosing their source code and may be reluctant to supply these types of software and hardware to financial institutions in China. The CBRC Opinions also require IP to be registered, and for IT vendors to have a research and development centre, in China.

The effect of the CBRC Opinions was largely seen as promoting the use of local technology by financial institutions in China. U.S. and European financial institutions, as well as a trade group representing 60 technology companies, have protested against the rules.

Financial institutions had begun to work towards meeting these requirements but continued to lobby (with the support of other affected parties) relevant government departments. As a result of this pressure, the CBRC Opinions were suspended on April 13, 2015. The official reason given was that they were “not in line with China's national principles and positions” and needed further revision.

While financial institutions may take some comfort from the fact that the CBRC Opinions have been put on hold, similar guidelines will most likely be re-introduced, particularly as they align with the principles under the NSL and the draft laws on cybersecurity and anti-terrorism.


Data and technology control

The consistent use of “controllability” throughout the NSL, the draft Cybersecurity Law and the CBRC Opinions in particular confirms the government's intention to extend its influence over the use of, and access to, IT networks and equipment in China. It may become very difficult for financial institutions and other multinational companies operating in China to continue to use non-Chinese IT suppliers for their local operations. This could result in the need to use different IT networks, systems and software in the country from those used in their international offices.

The requirement to obtain consent before transferring data outside the territory could also have a significant impact on how financial institutions carry out their business.

It seems to be only a matter of time until further regulations are brought in by the PRC authorities to supplement the NSL. The consultations to implement the draft Cybersecurity Law and draft Anti-terrorism Law continue and the CBRC Opinions will likely be re-introduced in some form that will reinforce the government's authority over data.

MNCs and foreign financial institutions should ensure they make their voices heard whenever possible to prevent these additional laws and regulations from being implemented in their current form. This can take the form of direct lobbying of the PRC authorities, participating in trade groups and lobbying their own national governments to make strong recommendations. This was effective in the initial suspension of the CBRC Opinions, and hopefully will be again in pushing for revisions, if they are to be reinstated at all.

Nigel Stamp, Kirstin McCracken, Hong Kong, and Jing Bu, Beijing, Eversheds
