This article was written by Susan NING (Partner) and Han WU (Senior Associate).
2017 saw the official implementation of the Cybersecurity Law of the People's Republic of China (“Cybersecurity Law”), building on past efforts and carrying new implications for the future. The implementation of the Cybersecurity Law brought clarity to cybersecurity regulation across industries. Meanwhile, under the new regulatory system, coordination between the National Cyberspace Administration (CAC) and the competent industry authorities means that the implementation of the Cybersecurity Law marks a new stage in the development of China's cybersecurity supervision.
In fact, the official implementation of the Cybersecurity Law on June 1, 2017, has accelerated the introduction of related departmental rules, judicial interpretations, and national standards, many of which are still open for public comment. Further, cybersecurity law enforcement is under way in various industries, and the departments responsible for cyberspace affairs, telecommunications, and public security have strengthened their enforcement efforts within their respective remits. The roll-out of the Cybersecurity Law and its supporting measures has triggered a wide reaction, receiving extensive attention from domestic and international enterprises, organizations, and media.
Before the Cybersecurity Law took shape, regulations and rules on cybersecurity were scattered across the regulations of various Chinese departments and committees. In the absence of an upper-level legal framework, these regulations and rules were fragmented and may even have conflicted with one another. The introduction of the Cybersecurity Law streamlined the regulatory system for cybersecurity and specified the responsibilities of the law enforcement authorities, offering guidance for subsequent supporting measures. From the adoption of the Cybersecurity Law to its current implementation, the CAC, in cooperation with the competent and regulatory departments of the relevant industries, national and industrial standard development organizations, and others, has released a series of provisions and supporting measures under the Cybersecurity Law. This legislation aims to provide more specific guidance on implementing particular provisions of the Cybersecurity Law and to establish a comprehensive and effective regulatory system.
(The chart below summarizes current legislative achievements and progress in China’s cybersecurity)
The current legislative progress shows that China's cybersecurity legislation is comprehensive, innovative, and multi-tiered.
First, China's cybersecurity legislation covers a broad range of content. With regard to both “security of network operation” and “security of network information”, the Cybersecurity Law sets out the rights, obligations, and duties of network operators, as well as the monitoring, early warning, emergency response, and other mechanisms required to safeguard cybersecurity. For network operation security, the Cybersecurity Law sets out the respective duties and obligations of network operators and critical information infrastructure (CII) operators regarding internal systems, technical measures, procurement sources, data storage, and cross-border transfer. In addition to the general provisions on network operation security, the Cybersecurity Law consolidates previously fragmented provisions on the protection of personal information (PI): Chapter Four of the Cybersecurity Law focuses on network operators' obligations to protect PI and individuals' rights over their PI, while Chapter Six provides the liabilities for infringing upon individuals' PI. Moreover, the Cybersecurity Law also sets out requirements for the management of network information content. The CAC has issued subsequent departmental rules and normative documents governing the management of network information content, which provide more detailed and comprehensive provisions on that subject with respect to industry, law enforcement procedures, application, and other aspects. These provisions include the Administrative Provisions on Internet News Information Services, the Provisions on the Administrative Law Enforcement Procedures for Internet Information Content Management, the Administrative Provisions on Evaluating the Safety of New Technologies and Applications for Internet News Information Services, and the Administrative Provisions on Internet Forum and Community Services.
Second, the Cybersecurity Law and its supporting measures clearly reflect the innovation in the CAC's legislative technique. On the one hand, the Cybersecurity Law sorted out and consolidated existing provisions in the industry. Beyond the provisions on PI protection, the “graded system for cybersecurity protection” provided in the Cybersecurity Law derives from the graded protection for computer information systems defined in the Regulations on the Security Protection of Computer Information System formulated by the State Council in 1994, and further detailed in the Administrative Measures for the Graded Protection of Information Security formulated by the Ministry of Public Security and other authorities in 2007. The “graded system for cybersecurity protection” is therefore summarized and refined from existing provisions. On the other hand, the Cybersecurity Law and its supporting measures are also innovatively coordinated with other existing legal provisions and administrative regimes. For example, under the Cybersecurity Law, the catalog of key network equipment and specific network safety products increases administrative efficiency by reducing repetitive certification and testing of network equipment and products by multiple authorities. This also reduces wasted resources and eases the burden on enterprises.
In terms of content, the Cybersecurity Law is the first to introduce a number of new concepts and legislative mechanisms, including network operators, CII, and emergency plans for cybersecurity incidents. With regard to CII, a new regulatory system will be established, focusing on “CII protection” through a number of new rules, including the Regulations on Security Protection of CII, the Guidance on Examination and Assessment of the Security of CII, the Guidance on Identification of CII, and the Evaluation Index System for Security of CII.
Third, the introduction of cybersecurity rules follows the hierarchy of “strategy - law - regulation - national and industrial standards”. Although the two national strategies, the National Strategy for Cyberspace Security and the Strategy for International Cooperation in Cyberspace, do not provide specific implementing rules on the rights and obligations of network operators, they form an important part of China's cyberspace security framework and provide programmatic guidance for the establishment of specific rules. As the fundamental law in cybersecurity, the Cybersecurity Law elaborates the basic content of network operation security and network information security. More importantly, departmental regulations and related supporting measures provide significant provisions for the implementation of the Cybersecurity Law. These regulatory documents, usually based on specific articles of the Cybersecurity Law, give concrete form to the rights and obligations of the legal entities involved and provide legally binding rules and guidelines. In addition, national and industrial standards are a helpful supplement to legislative work in the field of cybersecurity. Even though industrial standards may not have legally binding force, they can aid interpretation, supplement the Cybersecurity Law on specific issues, and provide more practical guidelines for law enforcement, judicial action, and compliance practice.
In conclusion, China's cybersecurity legislation is progressing. Under the leadership of the State Council, and in coordination with the CAC and various ministries and committees, the Cybersecurity Law and its supporting measures cover a wide range of content in diverse forms and have developed very rapidly. We call on all sectors of society to treat cybersecurity legislation from the strategic perspective of securing national cybersecurity: to participate fully in legislative activities and voice opinions so as to ensure the validity and practicality of the rules, to pay close attention to the implementation of the Cybersecurity Law and its supporting measures, and to work together to promote the development of China's cybersecurity system.
Law Enforcement Status
With the implementation of the Cybersecurity Law and the successive promulgation of related supporting measures, the CAC, local cyberspace administrations, and other law enforcement authorities are also advancing cybersecurity law enforcement. Given the variety of compliance obligations involved, each law enforcement authority performs its duties within its own jurisdiction, which leads to a diversification of law enforcement in terms of both subject and content. Typical law enforcement activities are summarized in the following table:
From the above-mentioned law enforcement cases, it is clear that recent cybersecurity law enforcement has focused on certain core issues, such as the graded protection of cybersecurity, PI protection, and the security of CII. Nevertheless, the CAC has taken cybersecurity enforcement actions under a diverse and comprehensive set of sector-specific rules. In fact, enforcement against obvious violations of the Cybersecurity Law is not substantially affected by the fact that certain corresponding supporting measures have not yet been adopted.
In addition, apart from ordinary administrative investigations, new methods of cybersecurity law enforcement, such as joint special inspections, have been adopted. For example, in July 2017, the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Standardization Administration of China launched a special review of privacy policies. It is therefore foreseeable that joint review and inspection of major enterprises will continue to be one of the major methods of cybersecurity law enforcement in the future. Such supervision and inspection of mainstream network products and services will not only actively promote awareness of cybersecurity compliance across the industry, but will also raise awareness of the importance of cybersecurity in all sectors.
Outlook and proposals
1. Supporting measures to be further materialized; national and industrial standards worth more attention.
With the establishment of a framework of cybersecurity rules, the new supporting measures of the Cybersecurity Law will provide law enforcement authorities and enterprises with more detailed implementing rules and practical guidance for enforcement and compliance. For instance, the Regulations for the Security Protection of CII and the Guideline on Identification of CII are expected to be officially promulgated to fully address the corresponding CII security protection obligations, provide more security support, and assist in safeguarding CII. In addition, the Measures for the Security Assessment of PI and Important Data to be Transmitted Abroad and the Guidelines for the Security Assessment of Data to be Transmitted Abroad may be finalized and published in 2018. This will address and clarify some closely watched issues (such as the subject, application, scope, and regulatory approach of security assessments for cross-border data transfer). Furthermore, in relation to the graded protection of cybersecurity, the national guideline will further clarify its relationship with the traditional graded protection for computer information systems and provide more specific guidance in practice.
It is worth noting that, because cybersecurity compliance is highly technical, neither the Cybersecurity Law itself nor the departmental rules and regulatory documents issued under it can provide detailed technical requirements for cybersecurity compliance. Therefore, “guidelines”, represented by national and industrial standards, will become a significant reference for cybersecurity law enforcement and for enterprises' compliance. National and industrial standards such as the Specification for PI Security can not only guide enforcement and compliance through their elaborated technical provisions and requirements, but can also flexibly minimize the impact of fast-developing technology on the stability of the laws and regulations.
2. "Key Breakthrough" in cybersecurity law enforcement; law enforcement expected to become normalized.
Given that cybersecurity law enforcement is still in its preliminary stage, key issues under the Cybersecurity Law, such as the graded protection of cybersecurity and the protection of CII and PI, will predictably remain the focus of future enforcement. However, as the Cybersecurity Law's supporting measures are issued, enforcement in areas such as the security assessment of cross-border transfers and the national security review of network products and services will continue to increase. Meanwhile, enforcement of internet information and content management, which already has a sufficient substantive legal basis, may also be carried out fully in accordance with the Administrative Enforcement Procedures for the Administration of Internet-based Information Contents.
Moreover, considering the wide range of network operators, the entities subject to network operators' duties and obligations are not limited to Internet enterprises; foreign- and domestically-funded enterprises in traditional industries may also be included. In addition, the law enforcement authorities, the enforcement systems, and the coordination and respective functions of the CAC and the competent industry departments will be further clarified and constantly improved. Given the variety of cybersecurity issues and sufficient law enforcement powers, it is foreseeable that cybersecurity law enforcement may become normalized in the near future.
Unlike traditional industries, cybersecurity is highly technical and changes rapidly. Against the background of cyberspace sovereignty, cybersecurity legislation and law enforcement serve to safeguard national security and cybersecurity, enhance comprehensive national strength, and improve the market competitiveness of enterprises. While fully respecting the laws of industrial development, and striving to maintain cybersecurity and enhance industrial competitiveness, we suggest that legislators and law enforcement authorities seek opinions from enterprises and technical experts when formulating rules and carrying out regulatory practice.
As for enterprises, the urgency of cybersecurity compliance, as well as its positive effect on the competitiveness of individual enterprises, should be recognized. In addition, enterprises should adopt a "technology + compliance" mindset and assess their internal cybersecurity measures and data compliance as soon as possible. An elaborated internal compliance system should therefore be implemented to ensure the smooth development of both technology and compliance.
Currently, China has become the world's largest Internet market. According to the Internet Security Report for the First Half of 2017, released by Tencent Security, as of December 2016 China had 731 million Internet users, equivalent to the total population of Europe. However, despite the rapid development of China's network economy, some other countries remain skeptical of China's current cybersecurity situation, attributing the high-speed but unstable state of China's network economy to a lack of cybersecurity supervision. Although China has never underestimated the significance of cybersecurity, the lack of a clear regulatory system has exacerbated other countries' distrust of China's cybersecurity. With the continued development of big data technology and the economy, the digital economy will become increasingly global, and cross-border flows of data will be inevitable. Currently, many countries and regions, including China, require a cybersecurity assessment of the data-receiving country for cross-border data transfers, but China is usually not on the “white list” of jurisdictions deemed to offer the same degree of cybersecurity protection. In order to safeguard China's cybersecurity, network sovereignty, national security, and its future status in the global digital economy, there is no better time to promulgate and implement the Cybersecurity Law and its supporting measures. To doubts about the lack of cybersecurity supervision in China, we can reply: “Why should the Qiang flute lament the willows? The spring wind has already crossed the Yumen Pass” (羌笛何须怨杨柳，春风已度玉门关). In the meantime, we expect that, carried by the wind stirred up by the Cybersecurity Law, China's cybersecurity development will flourish.
Note: The article was first published in the 2017 Final Issue of LexisNexis China Legal Review.