China's New Cybersecurity Law: Data Protection, Data Transfer and Breach Investigations in the World's Second Largest Economy
IPSF 2018
February 26, 2018
AGENDA
- China's Cybersecurity Law
- Enforcement Landscape
- Takeaways for Companies Operating in China
- Conclusion
China's Cybersecurity Law
- Network Security Law of the People's Republic of China ("Cybersecurity Law" or "CSL")
- Announced in 2016 by the Cyberspace Administration of China ("CAC")
- Approved in November 2016 and took effect June 1, 2017
- Contains a framework regulating network products, equipment, and services, as well as the operation and maintenance of information networks, the protection of personal information, and the supervision and administration of cybersecurity in China
Relevant Regulators
- The law refers to the "national cyberspace authority," understood to be the Cyberspace Administration of China (CAC)
- Other relevant regulators mentioned in the law:
  - State Council Department for Communications
  - State Council Department for Public Security
  - Other relevant organs (national and regional)
  - Relevant industry organizations (national and regional)
Providers of Network Products and Services
Definition
- Not expressly defined in the CSL
- Further information is given by the Measures for the Security Review of Network Products and Services ("Security Review Measures"), published in final form on May 2, 2017, which came into force along with the CSL on June 1, 2017
Requirements
- All network products and services must comply with national PRC standards
- Upon discovery of security leaks or defects, must inform users and relevant authorities and adopt remediation measures
- Must carry out security maintenance for customers
- Where a network or product has a function to collect user information, must inform the user and obtain consent, and comply with laws and regulations on the protection of personal information
- Network products and services that may implicate national security must undergo a security review by the CAC
Network Operators
Definition
- Defined as owners, operators, and service providers of networks
- Broad definition that will likely encompass all businesses and organizations that operate a network of computer terminals and/or data storage units in China
- Likely also applies to entities that have websites, mobile apps, or online platforms operated or used in China
Requirements
- Tiered security obligations
- Creation of an emergency response plan
- Technical support and assistance to state security bodies
- Protection of personal information of citizens
  - Cannot disclose personal information without the consent of its owners
  - In the case of data leakage, must take remedial action and report to authorities
- Must block, delete, and save relevant records of prohibited information published by users and report to authorities
- Establish cybersecurity complaint and reporting systems
Critical Information Infrastructure Operators
Definition
- No clear definition of CII is included in the CSL
- Article 31 includes a non-exhaustive list of CII that does not include healthcare, and a catch-all provision
- Sector regulators have made a list; nearly all CIIOs on the list are SOEs
Requirements
- Requirements are in addition to those for network operators
- Annual security assessment of cybersecurity threats
- When CIIOs purchase network products or services, they must sign a security and confidentiality agreement with the vendor
- If the network products or services might affect national security, a national security review is required
- Must designate bodies responsible for security management and perform background checks on the people in those bodies
- Must provide cybersecurity and technical training for employees and hold drills in preparation for security incidents
- Must institute a system of backups for important systems
CII: Data Localization Requirement
- The most significant requirement is the data localization requirement
- CIIOs must keep important data and personal information that they have collected or produced in Mainland China within Mainland China
- Data cannot be sent out of the country without a legitimate business need and a security review
- Further details on security assessments are to be given in the Measures on the Security Assessment for Personal Information and Important Data to be Transmitted Abroad ("Draft Data Transfer Measures"), which have not yet come into effect
- The draft appeared to permit "implied consent" to data transfer through certain actions
Penalties for Noncompliance
A wide range of penalties are mentioned, including:
- Warnings
- Suspension of websites
- Confiscation of income
- Fines from RMB 10,000 to 1,000,000 depending on the offense
- Suspension of business / cancellation of business license
National-Level vs. Local Enforcement
- Thus far, national-level enforcement appears to focus primarily on investigations into industry-wide issues and the issuance of guidance. The investigations have been undertaken by a number of government bodies. It has also taken the form of meetings with China's largest internet companies regarding possible Cybersecurity Law violations.
- Local-level enforcement (either by local branches of national bodies or by province/local-level bodies) has looked at companies more specifically and has issued fines and other punishments.
National-Level Enforcement
Internet Products
- A working group from the CAC, MIIT, MPS, and SAC reviewed the privacy policies of ten internet products and services
- As a result, the ten companies signed a joint personal data protection proposal
Bike Sharing
- A group of 10 government departments looked into bike sharing apps in China
- The report called on bike sharing services to install servers in China, implement efficient network security ranking protection, etc.
Data Collection
- MIIT met with Baidu, Alipay, and Toutiao regarding possible violations of the CSL, including improper collection and handling of personal data
- The companies promised to change; MIIT has set up a monitoring system
Local-Level Enforcement
Chongqing: China Youth Daily
- The PSB found that the company did not maintain user login network information while providing internet data center services
- A warning asked the company to rectify its behavior within 15 days; the company immediately rectified
Guangdong: Network Companies
- Four network companies were sanctioned for breaching various provisions of the CSL
- The penalties included a reprimand, a requirement to rectify, a fine, and a requirement to shut down a particular website
Jiangsu: Baidu
- A lawsuit was filed against Baidu for gaining access to user information without their consent on two of its mobile apps
- Baidu's rectification plan was found inadequate because it did not remind consumers of the purpose, mode, and scope of authorization in regard to personal information (PI)
Enforcement Against Foreign Companies
- No enforcement actions under the traditional cybersecurity provisions of the law have yet been seen against foreign companies.
- However, as discussed previously, network operators are also expected to control illegal content on their networks.
- This came to the fore in January when the Shanghai Huangpu District Market Supervision Bureau launched an investigation into Marriott for disseminating an online questionnaire that referred to Taiwan, Hong Kong, Macau, and Tibet as separate countries.
- The Shanghai Cyberspace Authority closed down Marriott's China website, initially for a week.
Enforcement Against Foreign Companies
- Along with Marriott, on January 12, 2018, the Shanghai CAC criticized Zara, Qantas, Delta, and Medtronic (among others) for listing Taiwan as a country on their websites.
- The companies were ordered to remove illegal content from their sites and make public apologies by 6 p.m. on the same day. The companies all did so.
- The Shanghai CAC posted on its microblog: "Cyberspace is not an extralegal place, and multinational corporations should abide by relevant laws and regulations."
- The listing of Taiwan as a separate country was a possible violation of cybersecurity laws.
Major Changes May Be Necessary
- In fall 2016, the U.S. submitted a document for debate to the WTO Services Council arguing that the Cybersecurity Law would be in violation of the General Agreement on Trade in Services (GATS).
- China has not changed its policies, however, and no formal action has been brought to date.
- Meanwhile, major American companies have been forced to take actions to comply with the law:
  - Cloud services providers have been forced to partner with local providers.
  - Apple opened a data center in Guizhou so that it can store users' data onshore.
Major Areas for Companies to Be Aware Of
Companies may need to be prepared to:
- Get consent from users related to the use and cross-border transfer of their data
- Meet network security requirements
- Receive oversight from public security bodies and regulators
- Receive complaints should their websites or electronic communications contain information to which the government objects or considers harmful to national security
Conclusion
Questions?