环球律师事务所. Ren Qing Partner GLOBAL LAW OFFICE. Beijing, June

Transcription

1 An Introduction to the PRC Cyber Security Law 环球律师事务所 GLOBAL LAW OFFICE Ren Qing Partner Beijing, June 2017

2 Overview: 7 Chapters and 79 Articles. Chapter I General Provisions Cyber Security Law of the People's Republic of China Chapter II Support to and Promotion of Network Security Chapter III Network Operation Security Section I General Stipulations Section II Operation Security of Critical Information Infrastructures Chapter IV Network Information Security Chapter V Monitoring, Early Warning and Emergency Response Chapter VI Liabilities Chapter VII Supplementary Provisions 2

3 Scope of Application Article 2 This Law shall apply to the construcon, operation, maintenance, and use of networks as well as the supervision and administration of network security within the territory of the People's Republic of China. Network : any system that is composed of computers or other information terminals and relevant equipment and that collect, store, transmit, exchang, and process information according to certain rules and procedures. within the territory of PRC e.g., mobile phone, ipad In principle this Law does not apply to foreign persons/entities which provide services utilizing network facilities located overseas, except that : If any information originating from outside of the PRC is prohibited from publication or transmission under the PRC laws and/or administrative regulations, the PRC authority may take technical measures and other necessary measures to block its transmission. Any foreign persons/entities that engages in the activities of attacking, intruding, disturbing, damaging or otherwise endangering the critical information infrastructures, resulting in serious consequences, shall bear liabilities; the PRC authority may decide to adopt measures of freezing property or other necessary sanctions against such institution, organization or individual. Who is subject to the law? network operators, i.e. owners and administrators of networks and network service providers. Network service provider covers a wide range of entities that provide service through networks, including not only internet enterprises that mainly provide on-line services, e.g. e-commerce platform, web portal, APP, self-media etc., but also traditional off-line business that provide network services. Suppliers of network products. Users of networks. they are prohibited from stealing PI or publishing illegal information etc. 3

4 Regulatory Framework Cyberspace Administration of China (CAC ) is responsible for comprehensive arrangement and coordination of work in connection with network security and relevant supervision and administration. Minister of Industry and Information Technology (MIIT ) and Ministry of Public Security and other relevant departments under the State Council are responsible for the security protection, supervision and regulation within their respective competences in accordance with the provisions of this Law and relevant laws and administrative regulations. Other relevant departments include NDRC, Ministry of State Security, Ministry of Finance, Ministry of Communication, MOFCOM, People s Bank of China, AQSIQ, National Energy Administration, etc. 4

5 Operation Security: General Provisions (I) The State implements a system of hierarchical protection of network security. Network operators shall, in accordance with the hierarchical protection system, fullfill the following obligations: formulating internal security management system and operating procedures, designating responsible person(s) in charge of network security, and implementing responsibility for network security protection; adopting technical measures to prevent computer virus and activities endangering network security such as network attack and network intrusion; adopting technical measures for monitoring and recording network operation status and network security incidents and keeping relevant network logs for at least 6 months in accordance with relevant provisions; adopting measures such as data classification, back up and encryption of important data; and Real-Name System:Network operators shall, when providing network access, domain name registration, access formalities for fixed-line telephone or mobile phone, or the service of information release and instant messaging etc., require users to provide authentic identity information. 5 tiers in total. See Administrative Measures for Hierarchical Protection of Information Security (2007) some of the following obligations may be irrelevant to some networks. Network operators shall formulate emergency response plan for network security incidents; in event of network security incidents, they shall report to competent authorities in accordance with relevant provisions. Network operators shall provide technical support and assistance to the public security / state security organs during their activities of protecting national security and investigating crimes in accordance with the Law. 3

6 Operation Security: General Provisions (II) Providers of network products and services shall not set up malicious programs shall immediately take remedial measures and promptly notify users and report to competent authorities in accordance with relevant provisions, when they discover security defects, loopholes, and other risks in their network products and/or services; shall provide security maintenance of their products and/or services on a continuous basis and shall not terminate security maintenance within the period as prescribed or agreed upon by the parties; shall clearly indicate to users and obtain their approval if the products and/or services are capable of collecting user information; where user's personal information is concerned, shall also comply with provisions regarding personal information protection of this Law, other relevant laws and administrative regulations. Where compulsory national standards apply, network products and network services shall comply with such compulsory requirements. 8

7 Information Security: Obligations of Network Operators (I) Network Operators shall keep users information (broader than personal information) they have collected stricty confidential. Personal information (PI): Collection and use of PI shall be subject to the principles of legality, legitimacy, and necessity; network operators shall: Shall publicize the rules and explicitly indicate the purpose, method and scope of the collection and use, and obtain approval from those whose PI is collected. Shall not collect PI irrelevant to the services they provide, or to collect and/or use PI in violation of laws and administrative regulations and the agreements of the parties. shall not divulge, tamper with, or damage the PI they have collected; shall not provide to others such PI without consent of those from whom the information is collected, except for the information that has been processed and cannot be recovered and through which no particular individual can be identified. shall take technical measures and other necessary measures to ensure the security of the PI they have collected and prevent it from being divulged, damaged or lost. Further Reading: SPC-SPP Joint Judicial Interpretation on Several Issues regarding Criminal Cases of Personal Information Infringement.

8 Information Security: Obligations of Network Operators (II) Information management obligations: When discovering information published by users is prohibited from publication or transmission by laws and administrative regulations, network operators shall immediately stop the transmission of such information, take measures such as removal to prevent the spread of the information, keep records and report to competent authorities. electronic information delivery service providers and application software downloading service providers who are aware that electronic information sent by or applications provided by users contain malicious programs or contain information prohibited from publication or transmission, shall cease to provide services, take measures such as removal, keep records and report to competent authorities. Obligations to cooperate with supervision and inspections of the authorities.

9 Critical Information Infrastructure (CII) Scope of CII The State shall, on the basis of system of hierarchical protection of network security, give priority to the protection of CIIs in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government affairs, and other CIIs that may endanger national security, people's livelihood and public interests, in case of damage, disfunction or data leakage. The detailed scope of and implementing measures of CII protection shall be formulated by the State Council. Additional obligations of CII operators: In principle, CIIs are to be determined within the networks at Tier Three and above set up special security management departments and person in charge, and conduct background check of the person in charge and persons in key positions; carry out network security education, technical training and skill assessment for the personnel on a regular basis; carry out disaster recovery back up of important systems and database; Not every information networks in these industries constitutes CII. A draft is expected to be published soon for soliciting public comments; besides, specific guiding documents and standards will be formulated. formulate emergency response plans for network security incidents and conducting drilling on a regular basis Purchase of network products and services:national security review (see latter slides); confidentiality agreement. PI and important data:be stored within the PRC territory; security assessment before being transmitted abroad (see latter slides). Others: security assessment at least once a year; priorities of regulation by the authorities (e.g. random inspection, emergency drilling).

10 Security Review for Network Products and Services(I) Measures for Security Review of Network Products and Services (For Trial Implementation). Scope of the Review:Important network products and services purchased for the network and information system concerning national security. Specifically, network products and services purchased by CII operators that may affect national security. Content of the Review:security and controllability of network products and services, mainly including: security risks of the products and services themselves and the risks of they being illegally controlled, interfered with and interrupted from operation; security risks in the supply chain of products and key components in the course of their production, testing, delivery and technical support; To be determined by the departments in charge of CII protection. risks of illegal collection, storage, process or use of relevant user information by products and services providers taking advantage of their convenient positions; and risks of products and services providers impairing the network security and the interests of users by taking advantage of users' reliance on their products and services.

11 Security Review for Network Products and Services(II) Mechanism of the Review: Review Committee: led by CAC, joined by NDRC, MIIT, MPS, MSS, MOF, MOC, MOFCOM, PBS, AQSIQ, NEA, etc. Expert Committee: experts nominated by relevant departments and appointed by the Review Committee Review Office: currently assumed by China Information Security Certification Center ( ISCCC ) Third Party Institution:selected from existing national-level network security technical institutions MIIT, MOC, PBS, NEA may establish review taskforce to carry out security assessment of specific industries. Procedure of the Review: Determine the subject of review: ministries may recommend the Review Committee to initiate review; when national industrial associations so recommend or users request, the Committe will determine whether to initiate review. Third party evaluation: a third party institution selected, through laboratory testing, onsite inspection, online monitoring, background investigation etc., make evaluation on the security and controllability of the products/services. Expert Evaluation: Expert Committee conducts comprehensive evaluation based on the third party evaluation results and formulate draft conclusions of the review. Conclusion of review: having been approved, conclusions will be published or notified within certain range.

12 Data Storage and Export (I) A draft Measures on Security Assessment of the Cross-Border Transmission of Personal Information and Important Data has been published. PI and important data collected or generated by CII operators within the PRC territory shall be within China. If it is necessary to provide the data abroad out of operational needs, security assessment shall be conducted. Scope of application: The draft extended to all network operators and stipulated analogical application to other individuals and organizations (Article 16). It is reported the Article 16 has been deleted; besides, according a CAC statement on May 31, data localization might only apply to CII operators. PI:refers to various types of information, recorded electronically or in other forms, that can be used alone or in combination with other information to identify a natural person, including but not limited to name, date of birth, identity certificate number, personal biological identification information, address, telephone numbers etc. (Article 76 of Cyber Security Law) A judicial interpretation further clarifies as: various types of information that can be used alone or in combination with other information to identify a natural person or to indicate the movement/location thereof, including but not limited to name, identity certificate number, contact information, address, account and password, financial status, and physical location information, etc. Relevant national standards: Personal Information Security Standards are under development. Important Data:data closely related to national security, economic development and public interests; in another word, data that are important for a company are not necessarily important data. Identification Guidance for Important Data will soon be released. Provide Abroad (Export):Provide PI and important data in electronic form to overseas institutions, organizations and individuals.

13 Data Storage and Export (II) Self-Assessment: Network operators or CII operators shall conduct data export security assessment depending on the type, quantity, and importance of the data export. In event of major changes in the purpose, scope, type, quantity etc., of data export, changes in data receiver, or the occurrence of significant security incidents, re-assessment shall be conducted in time. The Draft prescribes that self-assessment shall be conducted at least once a year. It is sais this has been deleted. Security Assessment by authorities (industry administrative, supervisory departments or CAC) is required if: The export contains or in aggregate contains PI of more than 500,000 persons; the data exported exceeds 1,000 gigabytes (reported to have been deleted) Data that contain information with respects to nuclear facilities, chemical biology, national defense, public health; large-scale project activities, marine environments, sensitive geographic information; and cybersecurity information regarding CII s system vulnerabilities and specific protection measures etc. Operators of CII transmitting PI and important data abroad(reported to have been deleted) other circumstances that may potentially affect national security and the social public interests

14 Data Storage and Export (III) Guidance for Data Export Security Assessment is under development. Data Export Security Assessment shall focus on: legality, legitimacy, and necessity of the data export; PI involved, including its quantity, scope, type, sensitivity and the consent from the information subject etc.; important data involved, including its quantity, scope, type, etc.; security protection ability, measures and environments of the data receiver; risks of divulgence, damage, alteration or misuse of the data transmitted abroad and further transferred; potential risks to national security, social and public interest, and legitimate personal interests arising from the export. Conclusion of Assessment:the data cannot be exported: If the export is in violation of relevant state regulations; where the subject of the PI has not consented to the export of such PI; where the export of data poses risks to national politics, economy, technology, national defense, etc. and may affect national security or impair social public interests; in others circumstances determined by the national internet information departments, public security departments, state security departments etc.

15 Critical Network Equipment and Dedicated Network Security Product Critical network equipment and dedicated network security products can be sold or provided only if they have pass security certification or security testing conducted by qualified institutions (e.g. ISCCC) in accordance with the compulsory requirements of national standards. CAC shall, in conjunction with MIIT, MPS and CNCA, formulate and promulgate the catalogue of critical network equipment and dedicated network security products. The first batch of catalogue is expected to be promulgated soon. Equipment and products listed in the catalogue shall obtain security certification or pass the security testing; those that have been previously certified need not undergo certification or testing before the expiration of that certification.

16 Advice to Enterprises The Cyber Security Law has a broad scope of application. Severe liabilities may be incurred under the Cyber Security Law: Fines, confiscation of illegal gains, suspension of business for rectification, revocation of business license or operating certificate, criminal liabilities Institution + individual Provisions of the Cyber Security Law and even its implementing rules are rather general or ambiguous, requiring more specific rules, standards or guidelines to be formulated: hierarchical protection of network security CII Protection Network Security Review Data Storage and Export Recommendations: Attach much importance to cybersecurity compliance; Keep close attention to relevant rules, normative documents and national standards to be promulgated; Seek professional advice when necessary.

17 Further Reading: Other Relevant Laws and Regulations Criminal Law (2015 revised) Law on Penalties for Administration of Public Security (2005) Electronic Signature Law (2005) State Security Law (2015) Decision on Preserving Computer Network Security (2000) Decision on Strengthening Network Information Protection (2012) Telecommunications Regulation (2016 revised) Regulations for Safety Protection of Computer Information Systems (2011 revised) Administrative Measures on Internet Information Services (2011 revised) SPC-SPP Joint Judicial Interpretation on Several Issues regarding Criminal Cases of Personal Information Infringement. MPS s Administrative Measures for Hierarchical Protection of Information Security (2007) MPS s Administrative Measures for Protection of the Security of International Internetworking of Computer Information Networks (2011) MIIT s Administrative Measures for the Security Protection of Communication Networks (2010) MIIT s Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013) 17