China adopted its controversial Cybersecurity Law on November 7, 2016. The law, which will take effect on June 1, 2017, has broad implications for how multinational companies operate in China. The law addresses a number of issues, including requiring certain companies to pass national security reviews, store user and business data in mainland China, and to provide technical support to Chinese authorities.
The law imposes obligations on two tiers of businesses: network operators and critical information infrastructure operators. “Network operators” are defined as owners or providers of any “network,” which in turn is defined as any system of computers or other terminals that collect, store, transmit, and process information. (Article 76.) Given the broad definition of a network—it likely includes most Internet platforms or any two connected computers—most businesses will come within the scope of this term. “Critical information infrastructure operators” are not precisely defined, but Article 31 suggests it includes any businesses operating in the communications, finance, water, power, or traffic sectors, as well as any other businesses using infrastructure that could harm China’s security, economy, or citizens if it were to fail. The law imposes stricter obligations on businesses coming within the scope of this term.
Technology Reviews, Inspections, and Certifications
The law imposes several requirements on the security of certain network products and services. Article 23, for example, requires “key network equipment and network security products” to meet China’s national standards and mandatory requirements. Also, before such equipment or products may be used in China, the equipment and products must either pass a safety inspection or be safety certified by a qualified agency. (Article 23.) The law states that the Chinese government will release a catalog of the types of network equipment and products subject to this requirement (id.), as well as the national standards and requirements that specific equipment and products must satisfy (Article 15), at some time in the future.
This requirement effectively narrows the types of network equipment and products that companies may use to a limited group of pre-approved technology. Companies that make key network equipment or products are likely to face challenges in ensuring their products meet China’s not-yet-released standards, and companies that use key network equipment and products will face similar challenges in obtaining approval for their use by a safety inspection or certification. The law does not specify the timeline for the certification process, which conceivably could take long enough to delay a product to market in China. Nor does the law specify how intrusively products will be “investigated,” which conceivably could include examinations of a company’s intellectual property and trade secrets.
Further obligations apply solely to critical information infrastructure operators, including a requirement that they undergo a “national security review” before purchasing any products or services that “may affect national security.” (Article 35.) The law does not describe what such a national security review entails, nor does it specify the types of products or services that may affect national security. Questions also remain as to the intrusiveness of the national security reviews, such as whether they will require disclosure of intellectual property or trade secrets.
Data Localization in Mainland China
Critical information infrastructure operators are also subject to a data localization rule, which requires they store “personal information”—e.g., name, birthdate, address, number—and “other important data” related to their Chinese operations on servers located within mainland China. (Article 37.) Although earlier drafts of the law referred to “citizens’ personal information,” the final version removed the reference to “citizens,” thus suggesting that “personal information” includes information of both citizens and foreigners. The law does not define “other important data.”
An operator may not send either category of information outside of China unless the operator can show it is “truly necessary” for business reasons and has passed the government’s “security assessment.” (Article 37.) The law does not define “truly necessary,” nor does it specify the requirements to pass a “security assessment.” Notably, while an earlier draft would have allowed operators to “send” and “store” such information abroad, the final law deleted the reference to “store.” Thus, the law likely prohibits operators from storing any such information abroad, even if it was necessary and passed a security assessment.
Multinational companies, which often rely on cross-border data flows, will find this requirement particularly troubling. Even under a narrow interpretation, a multinational company likely would have to segregate all information about its Chinese customers and their dealings onto Chinese servers. In effect, multinational companies would be required to have two global data systems: one for China and one for the rest of the world.
Close Cooperation with the Chinese Government
The law also requires companies to work closely with the Chinese government under various circumstances. Significantly, Article 28 requires network operators to “provide technical support and assistance” to government authorities when needed to preserve national security or investigate crimes. The law provides no further details concerning the type of technical support and assistance required.
Business and rights groups have questioned the true intent behind this requirement. Some commentators worry the Chinese government may invoke it to require technology companies to provide “backdoor” access to their products or other information concerning their technology, such as source code. Concerns also remain that network operators may become entangled in disputes concerning their users’ online activities, particularly if Article 28 is invoked in conjunction with other provisions in the law. For example:
- Article 12 prohibits the use of any network to endanger national security, undermine national unity, or incite subversion, separatism, or the overthrow of the socialist system.
- Article 24 requires certain network operators—e.g., Internet and phone providers, domain name registrars, publishing and blogging platforms, and instant messaging services—to obtain their users’ real names before providing services.
- Article 21 requires network operators to monitor and log their networks’ statuses and security incidents, as well as retain those logs for no less than six months.
- Articles 47 and 48 require network operators to “strengthen management of information published by users,” and upon discovering that a user has transmitted “unlawful” information, the operator must stop the transmission and delete it from the public, “save relevant records,” and report the user to authorities.
- Article 58 allows the government to “take temporary measures regarding network communications,” including “restricting” such communications, when necessary “to protect national security and social public order.”

These articles, which reduce users’ online anonymity and expand companies’ obligations to monitor and report users, may pose significant public relations challenges for companies.
Although drafts of the law underwent several revisions and were subject to substantial debate, much of the final law still remains unclear. The law’s few defined terms remain vague, and some of the most important terms are not defined at all. We expect Chinese authorities will issue further guidance in the coming months, which should provide more clarity regarding the scope of the law. In the meantime, we suggest that companies assess their exposure under the law, in particular whether they may qualify as “critical information infrastructure operators.” Should a company potentially fall within that definition, internal risk assessment of its current compliance with this law and the work required to bring it into compliance would likely be warranted.