China s New Cybersecurity Law

Transcription

1 China s New Cybersecurity Law March 7, 2017 Presented by: Manuel E. Maisog Hunton & Williams LLP Beijing, China bmaisog@hunton.com

2 Hunton & Williams Global Privacy & Cybersecurity Team Known globally for our international scope, depth of experience, breadth of knowledge and outstanding client service Nearly 30 privacy professionals in the U.S., EU and Asia Our privacy clients have included 6 of the Fortune 10 companies Ranked as one of the top privacy and data security practices by Computerworld magazine, Chambers and Partners, and The Legal 500

3 Status First draft published in summer 2015; second draft published in summer 2016 Final text of the law published in early November 2016 Will become effective on June 1, 2017 Some important matters still need clarification, despite publication of the final text of the law Implementing rules and regulations will be key in clarifying some issues that remain in the final text 1

4 Principal Categories of Actors The State and Agencies thereof Operators of Key Information Infrastructure Network Operators Providers of Network Products and Services 2

5 Five Particular Aspects of Interest Data localization applies to operators of key information infrastructure Possibility of a local procurement requirement applies both to operators of key information infrastructure and to network operators Establishes rules on handling personal information applies to network operators and to providers of network products and services Cybersecurity compliance (performance) requirement applies to network operators and to operators of key information infrastructure Obligation to afford assistance and support to government agencies applies to network operators under this law, but also to citizens and organizations generally by way of other law 3

6 Some Significant Responsibilities of Enterprises in Each Principal Category The State: 1. Has the leading decision making roles in establishing policies, rules and standards Differs from the approach taken in the United States Might fail to assign responsibility to the party best suited to perform it 2. Establishes Cybersecurity Monitoring and Early Warning and Information Notification System 4

7 Some Significant Responsibilities of Enterprises in Each Principal Category Operators of Key Information Infrastructure: 1. Data Localization 2. Cybersecurity Performance Requirements 3. National Security Inspection; (possible) Local Procurement Requirement 4. Network Safety Assessment 5

8 Data Localization Requirement Operators of key information infrastructure may not transmit critical data or personal information which they collect or generate within China, in the course of operating their business in China, to a destination outside of China, unless they first undergo (and pass) a security assessment Key information infrastructure appears to mean information infrastructure of which damage, loss of functionality or data leakage would seriously jeopardize national security, the national economy, the people s livelihood and the public interest Appears to mean information infrastructure having truly national and/or macroeconomic significance Applies to operators of that infrastructure 6

9 Some Significant Responsibilities of Enterprises in Each Principal Category Network Operators: 1. Personal Information Protection 2. (possible) Local Procurement Requirement 3. Cybersecurity Performance Requirements 4. Assistance in Investigations Providers of Network Products and Services 1. Personal Information Protection 2. Compliance with Standards 7

10 Potential for Local Procurement Requirement The statutory text does not actually establish a local procurement requirement The statutory text does, however, empower the State to set cybersecurity standards This allows the possibility of a technical trade barrier What are the prospects that this would actually happen? 8

11 A Possibly Emerging Standard: Secure and Controllable ICT products may be required to meet a standard of being acceptably secure and controllable. Whether a product or service is secure and controllable may be determined as a result of a risk assessment. The risk assessment would examine these factors: Risk of illegal control, interference or suspension during operation; Risks arising during research and development, delivery and technical support of the product or service; Risk of illegal collection, storage, handling or use of user information by the provider; Risk of unfair competition or infringement of user interests by the provider; and Other risks that may implicate national security or the public interest. 9

12 Personal Information Protection Requirements Network operators must comply with the principles of legality, propriety and necessity when collecting and using personal information. Network operators must, when collecting and using personal information, clearly state the purpose, method and scope of their collection and use of the personal information. Network operators must not collect personal information that is not related to the services which they provide. Network operators must not collect or use personal information in violation of law or mutual agreement, and must process personal information in accordance with law and mutual agreement. Network operators must not disclose, adulterate or destroy personal information which they collect. Network operators may not, without the prior consent of the data subjects, provide the personal information to other persons. (Exception for irrecoverably de-identified information) Network operators are required to keep information pertaining to their users in strict confidentiality, and to establish security safeguards. 10

13 Personal Information Protection Requirements When leakage, destruction or loss of personal information has occurred or has become possible, the network operator must immediately adopt remedial measures, promptly notify users and report to the relevant government agencies. Data subjects have the right to request deletion when they discover that their personal information has been collected or used in violation of law or mutual agreement. Data subjects may request correction of errors in their personal information. Nobody may steal personal information or obtain it through other unlawful means. Nobody may unlawfully sell personal information or unlawfully provide it to others. Governmental agencies overseeing network security must maintain strict confidentiality of personal information, private matters and commercial secrets which they come to know in the course of performing their responsibilities. Also, they may not disclose, sell or unlawfully provide it to others. 11

14 Cybersecurity Performance Requirement Network operators are required to formulate internal security management systems. Network operators are required to determine personnel who will be responsible for cybersecurity. Network operators are required to implement responsibility for cybersecurity. Network operators are required to implement security safeguard measures. Network operators are required to monitor and record network operation status, and keep web log records for six months. Network operators are required to adopt data classification, backup and encryption measures. Network operators are required to adopt contingency plans for cybersecurity incidents. 12

15 Obligation to Afford Assistance and Support to Government Agencies Network operators are required to provide technical support and assistance to public security organs and state security organs in lawfully safeguarding national security and investigating crimes. This is a requirement that already exists/applies (for instance, 2012 rules governing personal information that has been electronically formatted). 13

16 Possible Penalties Generally, separate penalties are provided for violations of each particular type of obligation. For example: For network operators that fail to perform cybersecurity performance requirements, violators are subject to the following: 1. A warning 2. An order to effect corrections 3. A fine of between 10,000 to 100,000 RMB for the network operator itself 4. A personal fine of 5,000 to 50,000 RMB for responsible officers of the network operator 14

17 Possible Penalties for Two Important Types of Obligation Penalties against network operators and providers of network products and services for violating personal information protection requirements include: 1. A warning The PRC Cybersecurity Law Penalties against operators of key information infrastructure for violating the data localization requirement include: 1. A warning 2. An order to effect correction 3. Confiscation of illegal gains 4. A fine of 50,000 to 500,000 RMB 5. An order to suspend business, website shutdown, revocation of business permits and licenses 6. A personal fine of 10,000 to 100,000 RMB for responsible officers of the operator of key information infrastructure 2. An order to effect correction 3. Confiscation of illegal gains, or a fine of 1-10 x illegal gains or, where no illegal gains, a fine of up to RMB 1 million 4. A personal fine of 10,000 to 100,000 RMB for responsible officers of the network operator or provider of network products and services 5. Where circumstances are serious, an order to suspend business, website shutdown, revocation of business permits and licenses 15

18 Four Takeaways 1. The implementing rules and regulations are still being awaited. These will be important in clarifying a lot of existing questions. 2. Outstanding question: How will the category operator of key information infrastructure (to which the data localization obligation applies) be further clarified? 3. Outstanding question: How will the category network operator (to which the personal information protection obligations apply) be further clarified? 4. Outstanding question: How will the concept of secure and controllable be developed for the cybersecurity context? 16

19 Thank you! Manuel Bing Maisog Hunton & Williams LLP Beijing Representative Office South Office Tower, Beijing Kerry Centre No. 1 Guanghua Road Chaoyang District, Beijing China Tel: Fax: bmaisog@hunton.com 17