The definition of network operators of “key information infrastructure”—which are all required to store certain data in the PRC territory according to the law—sparked much controversy last year and received an update in the new version, released on July 5, 2016.

In the first draft, such operators broadly encompassed industries including healthcare, energy, financial, utilities, transportation and government and military networks, even including a catch-all by way of “systems with a very large number of users.” However, Article 29 removes these examples from this year's version and defines such critical infrastructure as that which can seriously harm national security or public interest if destroyed or tampered with or if data is lost or leaked.

“While the legislators seem to be providing a definition of what constitutes 'key' or 'critical' information, there is still some uncertainty such as how they would measure the extent of destruction, impact or 'serious harm', for instance,” said Melody Wang, partner at Fangda Partners in Beijing. It's an inherent challenge to draw a clear-cut line in the law when it comes to national security, she added.

Personal data and “business data”

One interesting change in the second draft was the defined scope of data that key information infrastructure network operators are required to store in China. The wording in Article 35 has changed from “important data such as citizens' personal information” to “citizens' personal information and important business data”.

This shift in language highlights the importance of safeguarding citizens' personal data by distinguishing it from other types of information, but “important business data” is a new concept that has no precedent and needs to be further clarified by the regulators through implementing rules, guidelines or enforcement, said Wang.

“It's significant in the sense that the authorities want to make it clear that what they consider to be important data doesn't just include personal information—that it extends far beyond that,” said Chan.

One lawyer said to China Law & Practice when the first version came out that “Multinational companies can no longer take for granted that they have a free hand to move data around…It's necessary for foreign companies to have specific discussions with regulators to understand what the parameters are, which would depend on the operational model used by the individual businesses.”

The second draft also proposes to add a provision requiring big data applications to anonymize citizens' personal details. This is a positive clarification and will be helpful in terms of helping businesses or groups utilize and share big data while protecting individuals' information, Chan said. Companies engaging in big data trading usually redact user ID numbers, names, contact details and addresses.

National security

China also tightened a requirement in the initial draft that was received with much criticism: Article 27, which originally stated that network operators 'may' provide support to PRC authorities investigating national security-related crimes, has now made this assistance mandatory.

“It sets a strict obligation for network operators to cooperate in investigations,” Wang said. Whether doing so would involve handing over key sensitive data remains unclear. (A set of regulations issued by the China Banking Regulatory Commission in late 2014 in fact set software source code disclosure and hardware backdoor key requirements, and was highly negatively received by global IT suppliers and foreign banks.)

Another issue that was met with controversy in the 2015 Cybersecurity Law draft was the national security review required for key data transfers or for procurement of products and services related to network infrastructure. This year's version hasn't changed much with respect to this assessment.

The overall spirit of the requirements for businesses in the draft law is placing the onus on those that use and collect big user data, and requiring them to store all sovereign data in China, said Wang. “With the huge volume of information being generated and exchanged, the authorities are requiring all cross-border data transfers to undergo a security review.”

While China is yet to set up a dedicated and unified reviewing mechanism to enforce this provision and the myriad existing industry-specific regulations governing data security, companies need to have a monitoring and evaluation system to at least be able to categorize information most likely subject to restrictions, she said.

Whether a Chinese firm is subject to cross-border litigation in the U.S. or an American corporation is under regulatory investigation back home involving its Chinese subsidiary, an increasing number of circumstances are arising where companies need to have established cybersecurity management systems.

“It's highly advisable for companies to have an internal protocol in place to show that they have taken the necessary steps to protect information, minimize risks and to have a solid defense as to the reasons and methods used for transferring data,” Wang said.

Such an assessment varies case by case but general principles include understanding the recipient, the type, content and volume of data, the nature of the industry—whether it's a critical sector like telecom, healthcare, financial or energy—as well as the governing information compliance regime, she explained. “We conduct a risk analysis of all these factors, determine where the situation lies on the scale and put together a protocol for the client, she added.

Companies that use online platforms like the cloud may not have their servers hosted in China which brings challenges for monitoring, but there are those who have—or are looking at having—an infrastructure network (i.e. data center) in place in the country and want to ensure they are in full compliance, especially as the Cybersecurity Law requires PRC data to be stored in domestic servers.