China’s Cyber Security Law, which will take effect from 1 June, 2017 was adopted on 7 November. The third draft of the law adopted by the Standing Committee of the National People’s Congress, China’s highest legislative authority, contained few changes from the second draft put forward for comment in July, 2016 (see our briefing). The net result is continued controversy coupled with a dose of uncertainty (never a good combination), with multi-national businesses in particular questioning the intent of the law and criticising its vagueness. The final draft contains a number of broadly-framed defined terms that are critical to its interpretation which continue to leave much to be resolved through detailed measures that may or may not follow, as a lack of clarity leaves room for interpretation. All in all, the direction of travel is towards a much more heavily regulated Chinese internet and technology sector, with an open question as to whether China’s cyber space will be integrated with the rest of the world in the coming years or will plough its own virtual furrow.
A Quick Recap
The Cyber Security Law’s seventy-nine articles address a wide range of issues, but as previously noted we see a particular focus on three main aspects:
- Technology regulation: The Cyber Security Law seeks to regulate what technology can or cannot be used in China’s cyber space, including by: (i) imposing requirements for pre-market certification of “critical network equipment” and “specialised security products”; and (ii) designating certain systems as “critical information infrastructure” that will be subject to national security reviews and detailed measures to be issued by the State Council. Concerns here centre on whether this will lead to criteria that make it difficult for foreign investors to compete in China.
- Co-operation with authorities: The Cyber Security Law imposes duties on “network operators” (including “network service providers”) to provide technical support and assistance in national security and criminal investigations and to retain weblogs for at least 6 months.
- Data Localisation: The Cyber Security Law requires operators of “critical information infrastructure” to store personal information and “important data” within China, save where it is truly necessary to send this data offshore and the offshoring arrangements have gone through a security assessment process that is yet to be defined. Revisions in the final draft broaden the scope of personal data from “citizen’s person data” to “personal data”, suggesting that personal information of foreigners in China will also be subject to the localisation requirement, which does little to reassure foreign residents who may need to move data across borders for any number of good reasons.
For our full briefing, please click here.