The Cyberspace Administration of China Clarifies the Cybersecurity Law
At a press conference held on the eve of its launch, China’s Cybersecurity authority, the Cyberspace Administration of China (the “CAC”), provided clarification on some aspects of the Cybersecurity Law - notably on the purposes and intended scope of some of its provisions. The critical point to note is that the law is now in effect despite several implementation regulations, measures or standards required by the Cybersecurity Law (“implementation regulations”) not being yet enacted. All network operators in China have been asked to self-regulate and ensure compliance. Here are five key points from the CAC’s clarification which may assist in ensuring compliance.
1. The Law is effective despite the lack of Implementation Regulations - Self-regulation and compliance are expected. The CAC confirmed that the effective date of the Cybersecurity Law is 1 June 2017, quelling speculation in the media that there would be a delay in its launch [1]. While acknowledging that various implementation regulations are still being drafted, the CAC recommended that relevant corporations and institutions self-regulate, including in relation to the data localization requirement, and ensure that their network activities are compliant with the law. All network operators and critical information infrastructure operators are advised to prepare internal policies in compliance with the provisions of the Cybersecurity Law and ensure compliance.
2. Implementation Regulations will be enacted within one year. The CAC advised that all implementation regulations will be enacted or published by relevant authorities within one year of the effective date of the Cybersecurity Law. These implementation regulations include the Critical Information Infrastructure Protection Measures, Personal Information and Important Data Export Security Assessment Measures, Network Critical Equipment and Network Security Dedicated Products Catalog, and National Standard on Personal Information Safety Requirements. All network operators and critical information infrastructure operators are advised to keep a close eye on developments.
3. Data localization only applies to personal information and/or important data collected or generated by critical information infrastructure operators. The CAC clarified the scope of the data localization requirement, possibly due to the uncertainty created by the draft regulation on security assessment for the provision of personal information and important data out of Mainland China, issued for consultation on 11 April 2017, which appeared to extend the data localization requirement to all network operators [2]. The CAC noted that the purpose of data localization is to maintain state network security and protect the public interest, not to restrict cross-border data flow or international trade. As such:
- the data localization requirement applies only to operators of “critical information infrastructure” [3], not to all network operators;
- the data localization requirement only applies to “personal information” and “important data”, not all data;
- what amounts to “important data” is to be considered from the perspective of the state, not the perspective of corporations or persons;
- “data” can be provided out of Mainland China once a security assessment has been conducted and it is confirmed that the provision of such data will not harm national security or public and social interests;
- “personal information” can only be provided outside Mainland China if the subject of the personal information “consents”. Consent will be deemed given when the subject dials international calls, sends international emails, makes cross-border purchases online, or undertakes other proactive personal activities.
4. The catalog of network critical equipment and security dedicated products that require mandatory certification will be released shortly, and prior to that, network products and services with valid certifications need not be re-certified. The CAC noted that the security assessment of network products and services which may affect national security is being implemented to raise the quality of security control, prevent security risks on the supply side, and maintain national security and public interests. As such, the security assessment will focus on risks such as the risk of products being illegally controlled, interfered with or suspended from operation, the risk of illegal collection of users’ information, etc. The security assessment will not be directed at specific countries or regions, discriminate against foreign technologies and products, or restrict foreign products from entering the Chinese market. The relevant authorities will shortly release the first catalog of network critical equipment and network security dedicated products that require mandatory certification or testing in accordance with compulsory requirements of national standards. Until the first catalog is published, re-certification or re-assessment of network critical equipment or network security dedicated products is not necessary as long as the existing certification and/or assessment is still valid [4].
5. The requirement to stop transmission of illegal information only applies to information “publicly disseminated”. The Cybersecurity Law requires network operators to immediately cease transmission of information on discovery that such information is prohibited by law or administrative regulation. The CAC clarified that this requirement is not meant to infringe upon freedom of speech or the privacy of any person. As such, it only applies to illegal information that is publicly disseminated by users, not information generally contained in personal communications [5].
Footnotes
1) Prior to the press conference, there was speculation in the media that there would be a delay in the launch of the Cybersecurity Law, including speculation that there would be a grace period of up to the end of December 2018 for critical information infrastructure operators to comply with the data localization requirements. The official position is that all provisions of the Cybersecurity Law are effective from 1 June 2017.
2) Please refer to our OnPoint of 31 May 2017 on China Cybersecurity Law – Seven Key Points to Ensure You are Compliance Ready for further details.
3) The precise scope of what a critical information infrastructure operator encompasses is still to be clarified by the CAC and other relevant authorities by way of further guidance documents and standards.
4) Please refer to our OnPoint of 24 May 2017 on Potential Implications of the Cybersecurity Law on Foreign Network Products and Services for further details.
5) Note that the CAC did not clarify what constitutes “public dissemination”, in particular whether it covers emails and/or chats involving more than two persons, and if so, whether network operators are required to monitor such emails and chats and to cease transmission of the same on discovery of illegal information “disseminated” in these emails and/or chats.