Cyber security draft law tightens rules on China’s network security – what does it mean for you?

The Chinese government on 6 July 2015 released for public comment a consultation draft of a new PRC Cybersecurity Law (Draft Cybersecurity Law). The Draft signals that Beijing is preparing to tighten its rules on domestic networks and data security, in line with its focus on reinforcing national security. The Draft Cybersecurity Law applies to the construction, operation, maintenance and use of information networks in China.

This article examines some of the key aspects of the Draft that would affect Australian and other corporations having business operations in China. A more comprehensive analysis of the Draft Cybersecurity Law by Rui Wang and Andrew Fuller of our Beijing office is available here.

Network operators have increased obligations

Many of the obligations under the Draft Cybersecurity Law apply to “network operators”, which is widely defined to include owners, administrators and network service providers who use networks owned or administered by others in order to provide relevant services. This includes, but is not necessarily limited to, basic telecommunications operators, network information service providers, and important information system operators.

Key obligations on network operators include that they must:

• have cybersecurity protocols in place and take steps to protect against viruses, invasions and other attacks;
• ensure, when purchasing network products or services, that those products meet relevant national and industry standards;
• take immediate action and promptly notify affected users upon becoming aware of security flaws; and
• verify the identity of users for phone and internet services.

Given that the Draft Cybersecurity Law applies expressly to both Chinese and international businesses, foreign companies that are “network operators” and own or operate network infrastructure in China may be required to comply with these obligations.

Key IT hardware and equipment must be certified for sale

In addition to the stringent obligations imposed on network operators, the Draft Cybersecurity Law also imposes obligations on providers of information network products and services, raising concerns for foreign suppliers.

Network products and service security

The Draft Cybersecurity Law sets up a system where key IT hardware and equipment must meet mandatory security qualifications and acquire government certification before being sold and implemented.

Foreign IT suppliers in particular are likely to face greater challenges when attempting to provide such products or services. Until recently, Chinese companies and administrative authorities widely used foreign hardware and software in their IT systems. However, with the occurrence of a number of spying and hacking scandals around the world in recent years, the Chinese government was alerted to the inherent dangers of foreign IT products. In light of this, more and more Chinese companies and administrative authorities have ceased using foreign IT products, instead turning to domestically developed products and services, or developing their own technologies. The Draft Cybersecurity Law is another step in the same direction, which may make it more difficult for foreign IT suppliers to succeed in the Chinese market.

Certain “important information” must be stored within mainland China

To address the Chinese government’s concerns regarding the privacy of personal and sensitive information, the Draft Cybersecurity Law proposes new regulations on data storage. Under Article 31, when information collected or generated by key information infrastructure facilities is deemed “important” or “critical” by the Chinese government, such information must be stored exclusively within the territory of the People’s Republic of China (in practice, this will be interpreted as mainland China). What might constitute “important” information is a mystery, and exceptions to this policy are narrow and vague. If, for legitimate business reasons, the data needs to be stored abroad, or must be provided to a foreign organisation or person, the entity must complete a security evaluation according to the measures issued by the national network and information authority and the relevant departments of the State Council.

In practice, many companies store information on offshore servers for any number of reasons (e.g. for better storage service, to back up data, or to store the data in their offshore headquarters). If this provision comes into effect, companies in China with such practices will need to reconsider their data management protocols, their relevant operational mode, and their IT infrastructure deployment. Foreign providers of data storage facilities may find themselves having to comply with security evaluations, or potentially see customers turning away to ensure their own compliance. Cloud service providers may also encounter difficulties, given the inherently amorphous nature of cloud server structures and locations.