China's New Cybersecurity Law: Data Protection, Data Transfer and Breach Investigations in the World's Second Largest Economy


China's New Cybersecurity Law: Data Protection, Data Transfer and Breach Investigations in the World's Second Largest Economy
IPSF 2018, February 26, 2018

AGENDA
- China's Cybersecurity Law
- Enforcement Landscape
- Takeaways for Companies Operating in China
- Conclusion

China's Cybersecurity Law
Network Security Law of the People's Republic of China ("Cybersecurity Law" or "CSL")
- Announced in 2016 by the Cyberspace Administration of China ("CAC")
- Approved in November 2016 and took effect June 1, 2017
- Contains a framework regulating network products, equipment, and services, as well as the operation and maintenance of information networks, the protection of personal information, and the supervision and administration of cybersecurity in China

Relevant Regulators
- The law refers to "the national cyberspace authority", understood to be the Cyberspace Administration of China (CAC)
- Other relevant regulators mentioned in the law:
  - State Council Department for Communications
  - State Council Department for Public Security
  - Other relevant organs (national and regional)
  - Relevant industry organizations (national and regional)

Providers of Network Products and Services
Definition
- Not expressly defined in the CSL
- Further information is given by the Measures for the Security Review of Network Products and Services ("Security Review Measures"), published in final form on May 2, 2017, which came into force along with the CSL on June 1, 2017
Requirements
- All network products and services must comply with national PRC standards
- Upon discovery of security leaks or defects, providers must inform users and the relevant authorities and adopt remediation measures
- Must carry out security maintenance for customers
- Where a network or product has a function that collects user information, must inform the user and obtain consent, and must comply with laws and regulations on the protection of personal information
- Network products and services that may implicate national security must undergo a security review by the CAC

Network Operators
Definition
- Defined as owners, operators, and service providers of networks
- A broad definition that will likely encompass all businesses and organizations that operate a network of computer terminals and/or data storage units in China
- Likely also applies to entities that have websites, mobile apps, or online platforms operated or used in China
Requirements
- Tiered security obligations
- Creation of an emergency response plan
- Technical support and assistance to state security bodies
- Protection of the personal information of citizens: cannot disclose personal information without the consent of its owners
- In the case of data leakage, must take remedial action and report to the authorities
- Must block, delete, and save relevant records of prohibited information published by users, and report it to the authorities
- Must establish cybersecurity complaint and reporting systems

Critical Information Infrastructure Operators
Definition
- No clear definition of CII is included in the CSL
- Article 31 includes a non-exhaustive list of CII (which does not include healthcare) and a catch-all provision
- Sector regulators have made a list; nearly all CIIOs on the list are SOEs
Requirements (in addition to those for network operators)
- Annual security assessment of cybersecurity threats
- When CIIOs purchase network products or services, they must sign a security and confidentiality agreement with the vendor
- If the network products or services might affect national security, a national security review is required
- Must designate bodies responsible for security management and perform background checks on the people in those bodies
- Must provide cybersecurity and technical training for employees and hold drills in preparation for security incidents
- Must institute a system of backups for important systems

CII: Data Localization Requirement
- The most significant requirement is the data localization requirement
- CIIOs must keep important data and personal information that they have collected or produced in Mainland China within Mainland China
- Data cannot be sent out of the country without a legitimate business need and a security review
- Further details on security assessments are to be given in the Measures on the Security Assessment for Personal Information and Important Data to be Transmitted Abroad ("Draft Data Transfer Measures"), which have not yet come into effect
- The draft appeared to permit "implied consent" to data transfer through certain actions

Penalties for Noncompliance
A wide range of penalties are mentioned, including:
- Warnings
- Suspension of websites
- Confiscation of income
- Fines from RMB 10,000 to 1,000,000 depending on the offense
- Suspension of business / cancellation of business license


National-Level vs. Local Enforcement
Thus far, national-level enforcement appears to focus primarily on investigations into industry-wide issues and the issuance of guidance. The investigations have been undertaken by a number of government bodies. National-level enforcement has also taken the form of meetings with China's largest internet companies regarding possible Cybersecurity Law violations. Local-level enforcement (either by local branches of national bodies or by province/local-level bodies) has looked at companies more specifically and has issued fines and other punishments.

National-Level Enforcement
Internet Products
- A working group from the CAC, MIIT, MPS, and SAC reviewed the privacy policies of ten internet products and services
- As a result, the ten companies signed a joint personal data protection proposal
Bike Sharing
- A group of 10 government departments looked into bike sharing apps in China
- The report called on bike sharing services to install servers in China, implement efficient network security ranking protection, etc.
Data Collection
- MIIT met with Baidu, Alipay, and Toutiao regarding possible violations of the CSL, including improper collection and handling of personal data
- The companies promised to change; MIIT has set up a monitoring system

Local-Level Enforcement
Chongqing: China Youth Daily
- The PSB found that the company did not maintain user login network information while providing internet data center services
- A warning asked the company to rectify its behavior within 15 days; the company immediately rectified
Guangdong: Network Companies
- Four network companies were sanctioned for breaching various provisions of the CSL
- The penalties included a reprimand, a requirement to rectify, a fine, and a requirement to shut down a particular website
Jiangsu: Baidu
- A lawsuit was filed against Baidu for gaining access to user information without their consent on two of its mobile apps
- The rectification plan was inadequate because it did not remind consumers of the purpose, mode, and scope of authorization in regard to PI

Enforcement Against Foreign Companies
No enforcement actions under the traditional cybersecurity elements of the law have yet been seen against foreign companies. However, as discussed previously, network operators are also expected to control illegal content on their networks. This came to the fore in January when the Shanghai Huangpu District Market Supervision Bureau launched an investigation into Marriott for disseminating an online questionnaire that referred to Taiwan, Hong Kong, Macau, and Tibet as separate countries. The Shanghai Cyberspace Authority closed down Marriott's China website, initially for a week.

Enforcement Against Foreign Companies
Along with Marriott, on January 12, 2018, the Shanghai CAC criticized Zara, Qantas, Delta, and Medtronic (among others) for listing Taiwan as a country on their websites. The companies were ordered to remove the illegal content from their sites and make public apologies by 6 p.m. on the same day. The companies all did so. The Shanghai CAC posted on its microblog: "Cyberspace is not an extralegal place, and multinational corporations should abide by relevant laws and regulations." The listing of Taiwan as a separate country was a possible violation of cybersecurity laws.


Major Changes May Be Necessary
In fall 2016, the U.S. submitted a document for debate to the WTO Services Council arguing that the Cybersecurity Law would be in violation of the General Agreement on Trade in Services (GATS). China has not changed its policies, however, and no formal action has been brought to date. Meanwhile, major American companies have been forced to take actions to comply with the law:
- Cloud services providers have been forced to partner with local providers.
- Apple opened a data center in Guizhou so that it can store users' data onshore.

Major Areas for Companies to Be Aware Of
Companies may need to be prepared to:
- Get consent from users related to use and cross-border transfer
- Meet network security requirements
- Receive oversight from public security bodies and regulators
- Receive complaints should their websites or electronic communications contain information to which the government objects or considers harmful to national security


Conclusion
Questions?