Scope of the Law and Key Provisions
China’s Cybersecurity Law focuses on the nature and flow of digital information that has been generated in China. It places a strong emphasis on securing personal information and other important data that has been collected in China, and standardises its collection and usage.
Network operators (currently defined as the owners and administrators of networks and network service providers) are expected, amongst other things, to:
clarify cybersecurity responsibilities within their organisation;
take technical measures to safeguard network operations and prevent data leaks and theft; and
report any cybersecurity incidents to both users of the network and the relevant implementing department for that sector.
According to recently released draft guidelines, network operators can transfer data overseas under most circumstances. However, they would be required to carry out regular security self-assessments to gauge the risk of each transfer based on factors such as the quantity, scope and sensitivity of the data. Where the data is deemed to be “important” (for example, if it relates to population and health, the marine environment or sensitive geographic information, or is otherwise likely to affect national security or the public interest), network operators would be subject to further inspection by the regulator and could be prevented from transferring the data overseas.
Critical information infrastructure operators face additional, more stringent, obligations. There is currently no fixed definition of the term “critical information infrastructure operator”. This means that organisations operating in sectors removed from telecommunications infrastructure could still be impacted by the law’s more stringent requirements.
Such operators are expected, amongst other things, to:
store personal information and important data collected and generated in China within mainland China. If transmission of such data out of China is necessary due to business needs, clearance procedures shall be followed according to separate rules formulated by the Cyberspace Administration of China;
procure “safe and controllable” Internet technologies, products and services; and
conduct regular audits of cyber-technology systems and processes.
Securing the supply chain – regulating the use of certified network products and services
Critical network equipment and specialised products and services designed to ensure network security (such as routers, switches and servers) must meet compulsory national standards, and pass security certification or inspection, before they can be sold or used in China. Any critical information infrastructure operator procuring network products and services that could affect national security or the public interest must also put that procurement through a network security review.
Related measures on cloud services operations
Cloud service operators are expected, amongst other things, to:
hold a value-added telecommunications licence (such licences remain subject to certain foreign investment restrictions);
construct cloud service platforms within the territory of China; and
locate service and data storage facilities in China for services that target Chinese users.
Cloud service providers may also need to follow the same draft requirements for security self-assessment and potential audits by regulators as are applicable to network operators when transferring personal information and “important data” across borders.