Compliance risk management under Cybersecurity Law
Author: Sharon Shi and Shin Feng, 2020-04-07
Since the implementation of the Cybersecurity Law on 1 June 2017, a series of supplementary implementing measures have been publicized. To help enterprises better understand their compliance obligations under these rules, this article analyzes the legal framework of the Cybersecurity Law and raises some practical suggestions.
Applicable subjects. Any enterprise that “builds, operates, maintains, and uses the internet” in China is subject to the Cybersecurity Law. Specifically, the Cybersecurity Law applies to “network operators”, which cover “network owners, administrators and network service providers”.
Among all the network operators, some are referred to as “critical information infrastructure operators” (CIIOs). CIIOs are network operators related to public services and people’s livelihoods. Providers of network products and services, and any individual, enterprise and social organization that uses interactive information systems to communicate, should also comply with the Cybersecurity Law.
Specific compliance obligations. The Cybersecurity Law aims to achieve protection at two levels. For the protection of the public interest of society, network operators should establish a sound network operation system and formulate contingency plans for cybersecurity incidents. For the protection of user privacy, network operators should establish a corresponding system that keeps confidential the users’ information collected.
(1) Cybersecurity protection scheme. In general, the Cybersecurity Law requires network operators to act in accordance with the standards of the multi-level protection scheme (MLPS) to protect cybersecurity.
The “multi-level” of the scheme means that the security protection obligations of network operators are specified at different levels, depending on the potential consequences of cyber-attacks. In this aspect, attention should be drawn to the Information Security Technology – Baseline for Classified Protection of Cybersecurity. Enterprises should formulate their internal systems according to the levels of obligation applicable to them.
Apart from differentiated levels of obligation, in order to deal with urgent cybersecurity incidents, the Cybersecurity Law requires network operators to formulate corresponding contingency plans for such incidents. Under the Circular on the National Contingency Plans for Cybersecurity Incidents, issued by the Cyberspace Administration of China on 10 January 2017, when formulating contingency plans, applicable enterprises should designate the main responsible persons, notification mechanisms, remedial measures and other details upon occurrence of emergencies. Such incidents shall also be reported to the local cyberspace administration department as soon as possible, so that relevant departments may promptly initiate emergency responses.
(2) Confidentiality rules and regulations for users’ information. Another mission of the Cybersecurity Law is to establish a confidentiality system to protect users’ information when applicable enterprises collect such information. Applicable enterprises should detect illegal information released by users and promptly take measures to delete and report such information.
The enterprise should expressly state the purposes, methods and the scope of information collection and use. When the enterprise is to collect personal information, consent from such persons should be obtained. Furthermore, the personal information collected by an enterprise must be related to the service it is to provide.
The Cybersecurity Law gives a non-exhaustive list of “personal information”. The key to determining whether a piece of information is personal information is to assess whether such information can be used to identify “personal identity” alone, or in combination with other information. In practice, some enterprises collect information such as time and location of a user when he/she is using a service, which may be combined with other information to identify a user’s personal identity. Such a combination may fall into the scope of “personal information”.
(3) Cross-border data security assessment. Article 37 of the Cybersecurity Law requires that personal information and important data collected and generated by a CIIO during its operations within China shall be stored within Chinese territory. Where there is a genuine need to transfer such information overseas, a security assessment shall be carried out in advance.
This imposes strict data compliance requirements on applicable enterprises in China. Furthermore, the Measures of the Security Assessment for Cross-border Transfer of Personal Information (Draft for comments) were issued on 13 June 2019, and are specifically focused on the cross-border transfer of personal information.
Suggestions. (1) Do the Cybersecurity Law and the measures treat domestic and foreign enterprises equally? Yes, no additional obligations are imposed on foreign entities. Nevertheless, since foreign entities are more likely to be engaged in the cross-border transfer of information, it is necessary to establish a data transfer compliance system.
(2) Does an enterprise categorized as a network operator have to fulfil the “data localization” obligations? It depends. Firstly, it is certain that CIIOs, under article 37 of the Cybersecurity Law, bear the “data localization” obligation. Secondly, the measures require security assessments for all network operators that provide overseas access to personal information collected during operations in China in any form.
Theoretically, these network operators need to obtain the approval of provincial cyberspace administrations in advance. Although the measures are not in effect yet, relevant enterprises should treat the measures as guidance for personal data processing, conduct relevant feasibility studies, and be prepared to meet the requirements.
(3) Are foreign-invested enterprises (FIEs) operating in China required to report occasional cross-border data transfers? For FIEs in China that are not network operators, if the scope and the subject of the personal information to be transferred are limited, and if the FIE has assessed all the circumstances related to the data transfer and has put appropriate measures in place to protect personal data, then for the time being it seems that reporting under the measures is not necessary.
For those FIEs in China that are network operators and have been identified as CIIOs (such as foreign banks), if they transfer personal information collected in China overseas, an assessment shall be conducted according to the measures. FIEs shall pay close attention to regulatory updates in this regard.