27 September 2016

Second draft of China's Cyber Security Law

This article was written by Cheng Lim, Jack Maher and Millie Zhong.


In an unusual move, the Standing Committee of the National People’s Congress published the PRC Cyber Security Law (Second Consultation Draft) (“2nd Draft”) for a second round of public comment on 5 July 2016 (the full text is available in Chinese here and an unofficial translation can be found here).

This draft follows from the first consultation draft released on 6 July 2015 (KWM’s alert on the first consultation draft can be found here and a more comprehensive analysis can be found here). The amendments in the 2nd Draft revise and clarify certain obligations imposed in the first consultation draft, tighten the regulation of data-flows and suppliers of technological products and services, and also provide some additional insights into aspects of what China’s anticipated cybersecurity strategy may contain.

Cybersecurity strategy

  • Significantly greater prominence has been given to a national cybersecurity strategy and to national cyber defence capabilities: the provision establishing such a strategy (Article 4) has been elevated from Part 2 (Support and Promotion of Cyber Security, formerly Strategy and Planning for Cyber Security) to Part 1 (General / Principal Provisions). In addition, new Article 5 provides that the State will take measures to monitor, defend against and deal with cybersecurity risks and threats originating both within and outside its national territory, and in particular to protect key information infrastructure facilities from attack, invasion, interference and destruction.
  • The 2nd Draft also hints at the possibility of a more open cyber environment and more collaborative cyber governance. In addition to maintaining the invitation to the private sector to participate in the formulation of national and industry cybersecurity standards (Article 14), it also calls for the establishment of a multilateral, democratic and transparent cyber governance regime (Article 7).
  • The importance of data in driving innovation and economic development has also been recognised, and State support for open access to public data has been legislatively enshrined in new Article 17. In line with this, an exemption to the privacy and protection of personal data requirements has been introduced for de-identified data (where the risk of re-identification has been mitigated) in order to facilitate the use of Big Data (Article 41).
  • Verification and validation capabilities also appear to rank highly in China’s cyber policy. State support for cybersecurity certification, security assessment and risk evaluation services is now provided for in new Article 16. At the same time, in addition to providing support for the development of secure and interoperable technologies for the verification of digital identity, the 2nd Draft also elevates the establishment of a trusted online identity to a matter of national strategy (Article 23).
  • However, despite the call for a multilateral cyber governance system and more open access to data, the 2nd Draft also keeps control of cybersecurity-related information firmly in the hands of the State. In order to prevent “the uncontrolled release of cyber security information”, such as announcements concerning system vulnerabilities, computer viruses and network attacks and invasions, from “impacting the maintenance of network security”, new Article 25 was introduced to require all publication of such information to be made “in accordance with the applicable laws”. For vendors and security researchers this is the provision that most directly touches day-to-day practice, since public vulnerability advisories and coordinated disclosure announcements fall squarely within its wording. Penalties for serious or repeated breaches of Article 25 can be harsh, and may include temporary closure of the business and the shutting down of the business’ website (Article 60). However, neither the 2nd Draft nor the explanatory notes specify what these laws are (or whether they are yet to be legislated).

Significant revisions

Some of the uncertainties in the previous consultation draft continue while some have now been clarified:

  • Length of network operators’ record keeping obligations - Article 20 now makes clear that network logs used for monitoring and recording network status and network security incidents must be retained for a minimum of six months.
  • Definition of “critical information infrastructure” - The previous draft defined this term broadly to mean operators of basic information networks providing services such as public communications and radio and television broadcasting, important information systems for industries such as infrastructure, utilities, medical and social services, and military and government affairs networks. That definition also included the even broader limb “networks and systems owned or managed by network service providers with massive numbers of users”, which potentially would have captured a wide range of businesses with little practical connection to national security. The revised definition now refers to any infrastructure which, if destroyed, rendered non-functional or subject to a data breach, may seriously threaten national security, the social or economic well-being of the nation, or the public interest (Article 29). The Standing Committee stated in its Explanation of Revisions that it did not want to enumerate the scope of critical information infrastructure in the 2nd Draft. Consequently, Article 29 provides that the specific scope of the sectors and entities falling within this definition, and the security protection rules that will apply to them, will be determined separately by the State Council.

    While these information infrastructure and security protection rules will not be mandatory for network operators outside the field of critical information infrastructure, the State encourages all operators to voluntarily participate in the critical information infrastructure protection framework.

  • Onshore data storage requirements - The requirement for operators of critical information infrastructure to retain certain information within China has also been clarified. As in the first draft, the 2nd Draft still requires citizens’ personal information to be stored in China. However, the requirement to store “other important data” in China has been changed to a requirement to store “important business information” in China (Article 35), making it clearer that this limb of the obligation applies to business data rather than personal data. Interestingly, the 2nd Draft no longer explicitly allows that information to be “stored” overseas; it only permits “disclosure” overseas where the criterion of business necessity is met and the specified security assessments have been conducted and passed. It is not clear whether this is intended to allow only temporary storage overseas, with the data to be destroyed once the purpose of the disclosure has been fulfilled, or whether the authorisation of disclosure implicitly carries with it an authorisation to store. The security assessment rules, which are yet to be released, may provide further clarity on this point.

Further regulation

The 2nd Draft has included further regulation in a number of areas:

  • New Article 9 introduces an explicit requirement that network operators comply with all laws and administrative regulations, and act in accordance with the principles of social ethics, honesty and fair commercial practice. Of particular interest is the obligation of network operators to “fulfil their duty of maintaining network security, accept government supervision and public scrutiny, and assume social responsibility”. When Article 9 is read together with the amendments adding “the promotion of core socialist values” (Article 6) and the prohibition on “incitement for the overturn of the socialist system” (Article 12), it may well be perceived that the underlying purpose of these new obligations is to strengthen State control over the dissemination of information.
  • As part of their cybersecurity notification obligations, providers of network products and services are now required to report any risks such as security flaws or vulnerabilities to the relevant authority in accordance with the regulations, in addition to notifying end users (Article 21). As currently drafted, the provision would impose significantly higher disclosure burdens on those persons than existing and proposed notification schemes internationally, given that it relates to security risks rather than actual breaches, and does not have any materiality threshold.
  • The requirement to verify the identity of end users has been extended to providers of instant messaging services (Article 23). This requirement may limit the ability of overseas application, web messaging and VoIP service providers to enter into or continue operating in the Chinese market, since it will be more difficult for them to verify the identity of Chinese users without a physical presence in China.
  • Regulatory authorities have also been given explicit and enhanced monitoring, investigation and enforcement powers. A new clause added to Article 47 expressly requires network operators to cooperate with the network and information departments and other relevant departments in their authorised supervision and inspection duties. At the same time, new Article 54 gives regulatory authorities investigatory powers and allows authorities at the provincial level or above to summon the legal representative or key responsible persons of a network operator for interview in the event of any significant security risk or security incident. Network operators are required to implement mitigation measures and security enhancements as directed.
  • The 2nd Draft also introduces some new penalties for breaches of the cybersecurity law. For example, a serious breach of Article 26 by engaging in activities which endanger national security, or by providing tools or assistance to those who endanger national security or network security, is no longer only a civil offence attracting financial penalties but is also a criminal offence punishable by detention for up to 15 days. In addition, under new Article 61, any person who intentionally engages in activities which endanger cybersecurity may be subject to a lifetime prohibition from working in network security management or in key network operations positions (in addition to other civil and criminal penalties). Corporations which breach the cybersecurity law may also have such contraventions recorded in their credit files and made public (Article 68).

What does this mean for business?

The 2nd Draft remains open to the criticisms made of the initial draft released in July last year, particularly regarding the vagueness and uncertainty around the scope and extent of the legislation. This is most apparent in the Standing Committee’s decision not to define “critical information infrastructure”. It remains unclear whether the final definition will be narrower or broader than the one contained in the first draft. While the 2nd Draft has not significantly reduced this uncertainty and retains the onerous regulatory burdens of the initial draft, some of the policy positions and focus areas revealed in the new drafting have become clearer.

The draft PRC Cybersecurity Law, when first released, appeared to consolidate State control over data and communications and to be a further step in the government’s protection of China’s technological sovereignty. This is still the case. The 2nd Draft still presents challenges for foreign companies operating in, or seeking to access, China’s technology and technology service markets; it increases data residency requirements and necessitates greater cooperation with the State through disclosure rules and requirements to cooperate with authorities conducting supervision and investigations. The law still provides compelling reasons for companies to review how they handle data and the way in which security qualifications will affect how they can sell their IT hardware and equipment in China.

However, there is hope that the Chinese government will respond positively to the concerns expressed on the draft Cybersecurity Law. For example, rules requiring companies in the financial sector to prove the “security and controllability” of their equipment through intrusive testing were suspended, and encryption code handover requirements under national security and counter terrorism laws were also rolled back.[1]

Consistent with this, the National Information Security Standardization Technical Committee (TC260), the body charged with defining cybersecurity standards, has taken a more inclusive approach in instituting its regulations. Earlier this year, foreign technology companies, which were previously only granted observer status on the committee, were allowed to take an active part in rule drafting for the first time. (Notable foreign companies on the committee include Amazon, Apple, IBM, Intel and Microsoft.[2])

More recently, on 10 August 2016, 46 trade associations wrote a joint letter to Premier Li Keqiang stating a concern that the Cybersecurity Law appeared to impose trade barriers in contravention of WTO principles. The letter stated that the onshore data retention requirements, increased government monitoring and strict parameters imposed on cybersecurity technology were seen as measures that would weaken security and separate China from the global digital economy.[3]

Public submissions to the 2nd Draft closed on 4 August 2016. Under the usual procedures, the Standing Committee of the National People’s Congress may conduct a third reading and make further revisions before putting the legislative bill to vote.

[1] http://www.bdlive.co.za/world/asia/2016/08/26/foreign-firms-take-part-in-drafting-cybersecurity-rules-in-china
[2] TC260 website
[3] WSJ (China Sets New Tone in Drafting Cybersecurity Rules); BBC China (46 Trade Associations Call for Revision of Cyber Security Law); Radio Free Asia (46 Overseas Trade Associations Write to Li Keqiang)
