29 July 2015

Cybersecurity draft law tightens rules on China’s network security – What does it mean for you?

The Chinese government on 6 July 2015 released for public comment a consultation draft of a new PRC Cybersecurity Law (Draft Cybersecurity Law). The Draft signals that Beijing is preparing to tighten its rules on domestic networks and data security, in line with its focus on reinforcing national security. The Draft Cybersecurity Law applies to the construction, operation, maintenance and use of information networks in China.

This article examines some of the key aspects of the Draft that would affect foreign corporations having business operations in China. A more comprehensive analysis of the Draft Cybersecurity Law by Rui Wang and Andrew Fuller of our Beijing office is available here.

Network operators have increased obligations

Many of the obligations under the Draft Cybersecurity Law apply to “network operators”, which is widely defined to include owners, administrators and network service providers who use networks owned or administered by others in order to provide relevant services. This includes, but is not necessarily limited to, basic telecommunications operators, network information service providers, and important information system operators.

Key obligations on network operators include that they must:

  • have cybersecurity protocols in place and take steps to protect against viruses, invasions and other attacks;
  • ensure, when purchasing network products or services, that those products meet relevant national and industry standards;
  • take immediate action and promptly notify affected users upon becoming aware of security flaws; and
  • verify the identity of users for phone and internet services.

Given that the Draft Cybersecurity Law applies expressly to both Chinese and international businesses, foreign companies that are “network operators” and own or operate network infrastructure in China may be required to comply with these obligations.

Key IT hardware and equipment must be certified for sale

In addition to the stringent obligations imposed on network operators, the Draft Cybersecurity Law also imposes obligations on providers of information network products and services, raising concerns for foreign suppliers.

Network products and service security

The Draft Cybersecurity Law sets up a system where key IT hardware and equipment must meet mandatory security qualifications and acquire government certification before being sold and implemented.

Foreign IT suppliers in particular are likely to face greater challenges when attempting to provide such products or services. Until recently, Chinese companies and administrative authorities widely used foreign hardware and software in their IT systems. However, with the occurrence of a number of spying and hacking scandals around the world in recent years, the Chinese government was alerted to the inherent dangers of foreign IT products. In light of this, more and more Chinese companies and administrative authorities have ceased using foreign IT products, instead turning to domestically developed products and services, or developing their own technologies. The Draft Cybersecurity Law is another step in the same direction, which may make it more difficult for foreign IT suppliers to succeed in the Chinese market.

Certain “important information” must be stored within mainland China

To address the Chinese government’s concerns regarding the privacy of personal and sensitive information, the Draft Cybersecurity Law proposes new regulations on data storage. Under Article 31, when information collected or generated by key information infrastructure facilities is deemed “important” or “critical” by the Chinese government, such information must be stored exclusively within the territory of the People’s Republic of China (in practice, this will be interpreted as mainland China). What might constitute “important” information is a mystery, and exceptions to this policy are narrow and vague. If, for legitimate business reasons, the data needs to be stored abroad, or must be provided to a foreign organisation or person, the entity must complete a security evaluation according to the measures issued by the national network and information authority and the relevant departments of the State Council.

In practice, many companies store information on offshore servers for any number of reasons (e.g. for better storage service, to back up data, or to store the data in their offshore headquarters). If this provision comes into effect, companies in China with such practices will need to reconsider their data management protocols, their relevant operational mode, and their IT infrastructure deployment. Foreign providers of data storage facilities may find themselves having to comply with security evaluations, or potentially see customers turning away to ensure their own compliance. Cloud service providers may also encounter difficulties, given the inherently amorphous nature of cloud server structures and locations.
