PRC’s New Cybersecurity Law to be implemented on June 1, 2017: Potential Implications for Foreign Network Products and Services

 
May 30, 2017

Cybersecurity is of national strategic importance to China, which has the largest group of internet users and the largest internet market in the world. The Chinese government has stressed this point in the National Cyberspace Security Strategy (the "Strategy") issued by the Cyberspace Administration of China ("CAC") on December 27, 2016. In the Strategy, CAC set forth, inter alia, nine national strategic tasks with respect to cybersecurity, including, for example, defending China's cyberspace sovereignty, safeguarding national security and protecting the security of key information infrastructures. 

Legal Framework 

The China Cybersecurity Law 

Against this political backdrop, the Chinese legislature enacted the well-known and somewhat controversial China Cybersecurity Law on November 7, 2016, which enters into effect on June 1, 2017. The China Cybersecurity Law is the first formal legal instrument with the effect of national law to regulate matters relating to the supervision, construction, operation, maintenance and use of the internet in China. 

Reuters has reported that the Chinese cybersecurity authority may be considering changing the effective date for all or part of the new law's provisions, in response to requests from businesses. (Reuters: Amid industry pushback, China offers changes to cyber rules: sources) However, to date there has been no official signal from the government that an extension for compliance purposes will be granted. Companies are advised, therefore, to continue to treat June 1 as the effective date for compliance unless or until the Chinese government says otherwise. 

The Regulations and Measures 

Following the enactment of the China Cybersecurity Law, several supportive rules and measures were also released, including: 

  • Regulations of the Administrative Enforcement Procedure of Internet Information Content (the "Regulations"), released by the CAC on May 2, 2017, entering into force as of June 1, 2017 (the same effective date as the China Cybersecurity Law); and 
  • Measures for Security Review of Network Products and Services (the "Measures"), also released by the CAC on May 2, 2017, entering into force as of June 1, 2017. 

Both the Regulations and the Measures were made pursuant to, inter alia, the China Cybersecurity Law. The Regulations empowered CAC and its subordinates to supervise and regulate network-related matters, including penalizing illegal activities that breach the security of cyberspace, while the Measures provided general guidelines, further to the China Cybersecurity Law, on China's cybersecurity review system (see section below). 

China's Cybersecurity Review System 

Pursuant to the China Cybersecurity Law, the State will establish a cybersecurity review system, targeting key network equipment and cybersecurity products, especially the products procured by key information infrastructure operators that may impact national security. The relevant legal provisions include the following: 

  • Article 22: "Network products and services shall comply with the mandatory requirements of relevant national standards…"; 
  • Article 23: "Key network equipment and specialized cybersecurity products shall, pursuant to the mandatory requirements of relevant national standards, be sold or provided only after being security-certified or passing security examination by a qualified institution. The national cyberspace administration authority shall, in concert with the relevant departments under the State Council, formulate and release the catalog of key network equipment and specialized cybersecurity products…" [the "Catalog", emphasis added] 
  • Article 35: "Where key information infrastructure operators purchase network products and services, which may influence national security, they shall go through a security review organized by the national cyberspace administration authority in concert with the relevant departments under the State Council." 

The Measures further provided the following guidelines on China's cybersecurity review system: 

  • key network products and services that may impact national security shall go through cybersecurity review (Article 2); 
  • the focus of the cybersecurity review is on the security and controllability of network products and services, which mainly include: (i) security risks of the products and services themselves; (ii) security risks in the supply chain of the products and their key components; (iii) the risk of suppliers taking advantage of the products/services to illegally collect, store, dispose of and use user-related information; (iv) the risk of suppliers damaging cybersecurity and users' interests by exploiting users' reliance on the products/services; and (v) other risks that may endanger national security (Article 4); 
  • a cybersecurity review committee (the "Committee") will be formed to take charge of the cybersecurity review-related matters, and a cybersecurity review office (the "Office") will be formed to specifically organize and implement cybersecurity review (Article 5); 
  • the Committee will engage relevant experts to form a cybersecurity review expert committee (the "Expert Committee"), which will, on the basis of third party evaluation, assess the security and reliability of relevant network products and services (Article 6); 
  • the State will, in accordance with the law, certify third party institutions (the "Institutions") to conduct the third-party evaluation work in the process of cybersecurity review (Article 7); 
  • the Institutions shall focus their evaluation on the following aspects of products/services: security, controllability, security mechanism and transparency of the technologies, etc. (Article 11); and 
  • the Office will publish security evaluation reports of network products and services on an irregular basis. 

Potential Implications for Foreign Network Products and Services 

At this stage, based on the current legal framework discussed above and prior to the issuance of the Catalog, it is still hard to determine which specific products/services would be subject to the China cybersecurity review system and would therefore require security certification or security examination. It is also unknown which third party institutions will be certified, and therefore qualified to become the evaluator(s) of network products, and what the relevant timelines and processes to pass a security evaluation/review will be. 

However, foreign network products/services suppliers should at least consider the following issues: 

  • try to identify whether their products could be viewed as "key network products" and/or "specialized network security products," or whether they are sold mainly to key sectors of public communication, energy, transportation, finance, public services, etc., that may have an impact on China's national security and public interests; 
  • if their products fall under the categories described above, be aware that it is highly likely that cybersecurity review (certification/examination) will be required; 
  • be on the alert for further developments with the following entities: the CAC, the to-be-formed Committee, Office and Expert Committee, as well as the to-be-certified third party Institutions.
