China’s New Cybersecurity Law: Data Protection, Data Transfer and Breach Investigations in the World’s Second Largest Economy

IPSF 2018, February 26, 2018


AGENDA

– China's Cybersecurity Law
– Enforcement Landscape
– Takeaways for Companies Operating in China
– Conclusion


China’s Cybersecurity Law

Network Security Law of the People’s Republic of China (“Cybersecurity Law” or “CSL”)

– Announced in 2016 by the Cyberspace Administration of China (“CAC”)

– Approved by the Standing Committee of the National People’s Congress in November 2016 and took effect June 1, 2017

– Contains a framework regulating network products, equipment, and services, as well as the operation and maintenance of information networks, the protection of personal information, and the supervision and administration of cybersecurity in China


Relevant Regulators

Law refers to the “national cyberspace authority”—understood to be the Cyberspace Administration of China (CAC)

Other relevant regulators mentioned in the law

– State Council Department for Communications

– State Council Department for Public Security

– Other relevant organs (national and regional)

– Relevant industry organizations (national and regional)


Providers of Network Products and Services

Definition

– Not expressly defined in the CSL

– Further information is given by the “Measures for the Security Review of Network Products and Services” (“Security Review Measures”), published in final form on May 2, 2017 and in force along with the CSL since June 1, 2017

Requirements

– All network products and services must comply with national PRC standards

– Upon discovery of security vulnerabilities or defects, must inform users and the relevant authorities and adopt remediation measures

– Must carry out security maintenance for customers

– Where a network product or service has a function to collect user information, must inform the user and obtain consent, and comply with laws and regulations on the protection of personal information

– Network products and services that may implicate national security must undergo a security review by the CAC


Network Operators

Definition

– Defined as “owners, operators, and service providers of networks”

– Broad definition that will likely encompass all businesses and organizations that operate a network of computer terminals and/or data storage units in China

– Likely also applies to entities that have websites, mobile apps, or online platforms operated or used in China

Requirements

– Tiered security obligations (the network security multi-level protection scheme)

– Creation of an emergency response plan

– Technical support and assistance to state security bodies

– Protection of the personal information of citizens

– Cannot disclose personal information without the consent of the data subjects

– In the case of data leakage, must take remedial action and report to the authorities

– Must block, delete, and save relevant records of prohibited information published by users and report to the authorities

– Must establish cybersecurity complaint and reporting systems


Critical Information Infrastructure Operators

Definition

– No clear definition of CII is included in the CSL

– Article 31 includes a non-exhaustive list of CII sectors (which does not include healthcare) and a catch-all provision

– Sector regulators have compiled a list; nearly all CIIOs on the list are SOEs

Requirements

– Requirements are in addition to those for network operators

– Annual security assessment of cybersecurity threats

– When CIIOs purchase network products or services, they must sign a security and confidentiality agreement with the vendor

– If the network products or services might affect national security, a “national security review” is required

– Must designate bodies responsible for security management and perform background checks on the people in those bodies

– Must provide cybersecurity and technical training for employees and hold drills in preparation for security incidents

– Must institute a system of backups for important systems


CII: Data Localization Requirement

The most significant requirement is data localization:

– CIIOs must keep the personal information and important data that they collect or generate in Mainland China within Mainland China

– Data cannot be transferred out of the country without a genuine business need and a security assessment

– Further details on these security assessments are to be given in the Measures on the Security Assessment for Personal Information and Important Data to be Transmitted Abroad (“Draft Data Transfer Measures”), which have not yet come into effect

– The draft appeared to permit “implied consent” to data transfer through certain actions


Penalties for Noncompliance

A wide range of penalties are mentioned, including:

– Warnings

– Suspension of websites

– Confiscation of illegal income

– Fines from RMB 10,000 to 1,000,000 depending on the offense

– Suspension of business/cancellation of business license

Enforcement Landscape


National-Level vs. Local Enforcement

Thus far, national-level enforcement appears to focus primarily on investigations into industry-wide issues and issuance of guidance.

The investigations have been undertaken by a number of government bodies.

It has also taken the form of meetings with China’s largest internet companies regarding possible Cybersecurity Law violations.

Local-level enforcement (either by local branches of national bodies or by province/local-level bodies) has looked at companies more specifically and has issued fines and other punishments.


National-Level Enforcement

Internet Products

• A working group from the CAC, MIIT, MPS, and SAC reviewed the privacy policies of ten internet products and services

• As a result, the ten companies signed a joint “personal data protection proposal”

Bike Sharing

• A group of ten government departments looked into bike sharing apps in China

• The resulting report called on bike sharing services to install servers in China, effectively implement the network security multi-level (ranking) protection scheme, etc.

Data Collection

• MIIT met with Baidu, Alipay, and Toutiao regarding possible violations of the CSL, including improper collection and handling of personal data

• The companies promised to change; MIIT has set up a monitoring system


Local-Level Enforcement

Chongqing – China Youth Daily

• The PSB found that the company did not retain user login network records (logs) while providing internet data center services

• A warning required the company to rectify its conduct within 15 days; the company immediately rectified

Guangdong – Network Companies

• Four network companies were sanctioned for breaching various provisions of the CSL

• The penalties included a reprimand, a requirement to rectify, a fine, and a requirement to shut down a particular website

Jiangsu – Baidu

• A lawsuit was filed against Baidu for gaining access to user information without consent on two of its mobile apps

• Baidu’s rectification plan was found inadequate because it did not remind consumers of the purpose, mode, and scope of the authorization they were giving in regard to their personal information


Enforcement Against Foreign Companies

No enforcement actions under the traditional cybersecurity provisions of the law have yet been seen against foreign companies.

However, as discussed previously, network operators are also expected to control illegal content on their networks.

This came to the fore in January 2018, when the Shanghai Huangpu District Market Supervision Bureau launched an investigation into Marriott for disseminating an online questionnaire that referred to Taiwan, Hong Kong, Macau, and Tibet as separate countries.

The Shanghai Cyberspace Administration (Shanghai CAC) closed down Marriott’s China website, initially for a week.


Along with Marriott, on January 12, 2018, the Shanghai CAC criticized Zara, Qantas, Delta, and Medtronic (among others) for listing Taiwan as a “country” on their websites.

The companies were ordered to remove “illegal content” from their sites and make public apologies by 6 p.m. on the same day. The companies all did so.

The Shanghai CAC posted on its microblog: “Cyberspace is not an extralegal place, and multinational corporations should abide by relevant laws and regulations.” The listing of Taiwan as a separate country was “a possible violation of cybersecurity laws.”

Takeaways for Companies Operating in China


Major Changes May Be Necessary

In fall 2016, the U.S. submitted a document for debate to the WTO Council for Trade in Services arguing that the Cybersecurity Law would violate the General Agreement on Trade in Services (GATS).

– China has not changed its policies, however, and no formal action has been brought to date.

Meanwhile, major American companies have been forced to take actions to comply with the law:

– Cloud services providers have been forced to partner with local providers.

– Apple opened a data center in Guizhou so that it can store users’ data onshore.


Major Areas for Companies to Be Aware Of

Companies may need to be prepared to:

– Obtain consent from users for the use and cross-border transfer of their personal information

– Meet network security requirements

– Receive oversight from public security bodies and regulators

– Receive complaints should their websites or electronic communications contain information to which the government objects or considers harmful to national security


Conclusion

Questions?