By Wang Rui, Xiao Yu, and Andrew Fuller, King & Wood Mallesons’ M&A Group

Introduction

As early as 27 February 2014, President Xi Jinping, the head of the Office of the Central Leading Group for Cyberspace Affairs, said that “No cyber safety means no national security.”[1] On 1 July 2015, the National Security Law of the People’s Republic of China (《中华人民共和国国家安全法》) (NSL)[2] came into effect. For the first time, the NSL clearly provides that the state shall “safeguard sovereignty, security and development interests of cyberspace in the state.”[3]

Cyber security has become an increasingly prominent issue, and the Chinese government has chosen to focus on several key areas of concern. First, illegal intrusions and attacks in cyberspace that seriously threaten China’s information infrastructure across all significant sectors. Second, increased illicit online activities that harm Chinese society, particularly in the areas of personal information theft and intellectual property misappropriation. Third, the increased use of China’s networks to promote terrorism, extremism, instigation, or subversion of the system, all of which threaten national security and the public interest.[4]

On 6 July 2015, the Standing Committee of the National People’s Congress released the Cyber Security Law of the People’s Republic of China (Draft) (《中华人民共和国网络安全法(草案)》) (Draft) for public comments. Once adopted, this will be the first Chinese law that focuses exclusively on cyber security. The Draft signals that the Chinese government is preparing to tighten its grip on domestic networks and data security, which is in line with the government’s focus on reinforcing national security.

In this article, we will provide an overview of the Draft, and then discuss the potential impacts the Draft may have on business interests. Particular focus will be given to Draft provisions on network products and services security, network operation security, network data security, and network information security.

Overview of the Draft

The Draft aims to safeguard the sovereignty of national cyberspace and Chinese national security.[5] According to Article 2 of the Draft, the following areas will be governed under this new law: the construction, operation, maintenance, and use of networks[6]; and the supervision and administration of cyber security within the territory of the People’s Republic of China.

The Draft contains 68 articles and has a broad regulatory scope on cyber security, including specific provisions on: the strategic plan for cyber security; network products and service security; network operation security; network data security; network information security; alarm and emergency response systems; and, a regulatory regime for network supervision.

The Draft establishes a comprehensive regulatory regime for cyber security, creates legal responsibilities for network operators and network service providers, and defines some important terms in the context of cyber security.[7] The Draft states that the “national network and information authority”[8] is responsible for comprehensively planning and coordinating network security efforts and related supervision and management efforts of different government authorities.[9]

Network Products and Service Security

Ensuring the security of network products and services is fundamental to cyber security. The Chinese government intends to implement a strict policy on network products and services to improve China’s cyber security. The Draft sets up a system where key IT hardware and equipment must meet mandatory security qualifications, and acquire government certification, before being sold and implemented.

Article 19 of the Draft states that key network facilities and special network safety products may only be sold after being certified or after passing a test established by the relevant authority. The catalog of key network facilities and special network safety products will be published by the national network and information authority and relevant departments under the State Council separately.

However, this approach is not entirely novel; it may be a reflection on, and consequence of, recent events. Specifically, foreign IT suppliers may face greater challenges when attempting to provide any of the aforementioned products or services.

Until recently, Chinese companies and administrative authorities widely used foreign software and hardware in their IT systems. However, when the PRISM project was uncovered in 2013, the Chinese government was alerted to the inherent dangers of foreign IT products; products from American IT giants like IBM, Oracle, and EMC (IOE) were ubiquitous. Since these foreign IT products create the potential risk that foreign governments could be provided with critical and confidential information, more and more Chinese companies and administrative authorities stopped using foreign IT products (including, but not limited to, IOE[10]). Instead, Chinese entities have turned to domestically developed products and services, or have started developing their own technologies.[11]

In response to these concerns, the Guidelines on Banks Using Secure and Controllable Information Technology (2014-2015) (《银行应用安全可控信息技术推进指南(2014-2015)》) (Guidelines) were promulgated by the Ministry of Industry and Information Technology and the China Banking Regulatory Commission (CBRC) on 26 December 2014.[12] While the Guidelines do not explicitly prohibit foreign suppliers from selling IT software and hardware to the Chinese banking industry, they do set a very high bar for foreign supplier entry into the market. For example, the source code of the software attached to certain network equipment (e.g. backbone routers) and storage equipment (e.g. storage FC switches) must be filed with the Technology and Information Department of the CBRC for recording purposes; the monitoring and administration interface of certain network equipment (e.g. firewalls) must be tested and certified by the Technology and Information Department of the CBRC; and suppliers of certain kinds of network equipment (e.g. core switches) and storage equipment (e.g. tape libraries) are required to establish R&D centers in China.[13]

In early 2015, the CBRC reached a compromise with the fierce critics of the Guidelines, stating that the Guidelines apply to all companies without regard to nationality.[14] However, if banks are using secure information technology platforms that fall within the scope of “key network facilities and special network safety products,” as governed by the Draft’s Article 19, then the Draft rules will apply. As a result, if the Draft’s standards turn out to be higher than those listed in the Guidelines, the banking industry may be subject to stricter regulation, despite any previously reached compromises under the Guidelines.

Network Operation Security

In order to safeguard the security of key information infrastructure facilities, the Draft implements new requirements for operators of these facilities. The Draft sets high requirements for the operational security of facilities deemed to be part of China’s “key information infrastructure facilities,” and includes the integration of national security examinations under certain circumstances. However, due to the ambiguity of some terms in the Draft, the impact of this new regulatory requirement will largely depend on the scope of these terms as interpreted by the regulatory authorities.

Definition of Key Information Infrastructure Facilities

According to Article 25 of the Draft, “key information infrastructure facilities” include: basic information networks[15]; important information systems in important industries[16] or in public service sectors[17]; military networks; government networks for state organs at city level or higher; and networks and systems owned or managed by network service providers with a significant number of users.

This broad scope of key information infrastructure facilities leaves space for the regulatory authorities’ interpretation of the law. Given this, it is hard to know how these ambiguities will interact with one another once the Draft enters into force. For instance, since there is no definition of what will be considered a “network service provider,” it is most probable that all kinds of services provided via communication networks (such as the Internet) will fall under “network service.” It is also unclear how many users will constitute a “significant number of users,” thus triggering the regulatory requirements. Yet another example is the concept of “important,” used to define the terms “important information systems” and “important industries” in the definition of “key information infrastructure facilities.” Since there is no definition of, or indication as to, which systems qualify as “important information systems” in the “important industries,” this is left to the discretion of the regulatory authorities on a case-by-case basis.

Security Examination

The Draft introduces new standards and requirements for ensuring the integrity of both network infrastructures and the people who are essential to the operation of those networks.

Article 28 of the Draft provides that key information infrastructure facilities operators must set up specialized internal security management divisions and assign appropriate person(s) responsible for security management. Additionally, these operators must conduct background checks on the person(s) responsible for security management and on personnel in critical positions.

Article 30 of the Draft provides that when operators of the key information infrastructure facility purchase network products or services that may affect or involve national security, the operator must pass a security examination jointly arranged by the national network and information authority and the relevant government departments. Essentially, Article 30 provides that when a key information infrastructure facilities purchasing activity may affect national security, the national security examination process, as outlined in Article 59 of the NSL,[18] will be triggered.

Under the Draft, we anticipate that foreign businesses that may be seen as “key information infrastructure operators” will need to carefully consider the effects of these new, stricter regulations, as they will likely raise the bar of entry into the affected industries.

Network Data Security

Data security is also a critical aspect of cyber security. In order to address the government’s concerns regarding the privacy of personal and sensitive information, the Draft proposes new regulations on data storage. Under these proposed rules, when information collected or generated by the key information infrastructure facilities is deemed “important” or “critical” by the Chinese government, such information must be stored exclusively within mainland China; the exceptions to this policy are narrow and vague.

Article 31 provides that the operators of key information infrastructure facilities must store important data collected and generated, including citizens’ personal information, exclusively within the territory of the People’s Republic of China (in practice, this will be interpreted as mainland China). If, for legitimate business reasons, the data needs to be stored abroad, or data must be provided to a foreign organization or person, the entity must complete a security evaluation according to the measures issued by the national network and information authority and the relevant departments of the State Council.

In practice, however, many companies store information on offshore servers for any number of reasons (e.g. for better storage service, to back up data, or to store the data in their offshore headquarters). If this provision comes into effect, companies with such practices will need to reconsider their data management protocols, their relevant operational mode, and their IT infrastructure deployment, generally. Cloud service providers may also encounter difficulties, given the inherently amorphous nature of cloud server structures and locations. Article 31 also contains ambiguities. For instance, the Draft does not provide criteria for determining how information qualifies as “important.” Moreover, “security evaluation” is also left undefined. Will the principles for national security examinations also be applicable for security evaluations? Since this is not discussed in the current version of the Draft, the answer to this is uncertain.

Network Information Security

The Draft provides powerful methods for maintaining network information security and sets increasingly more stringent requirements for network operators. Instead of a purely top-down approach to regulating the dissemination of information within China’s networks, the new Draft imposes duties on network operators and service providers. As a result, it is now not only the government’s responsibility to regulate the spread of illicit information, but also the responsibility of network operators and service providers as well.

Article 65 of the Draft provides that “network operator” includes network owners or administrators and network service providers who use networks owned or administered by others to provide relevant services. This includes, but is not necessarily limited to, basic telecommunication operators, network information service providers, and important information system operators.[19] In practice, network information service providers may include the operators of social community services (like Weibo), search engines (like Baidu, Sogou, Bing), video websites (like Youku, Tudou, LeTV), e-commerce platforms (like Taobao, JD), corporate websites, and even some non-commercial websites that publish information, like university websites.

Draft Article 40, and the second paragraph of Article 41, establish censorship duties for network operators, including digital information distribution service providers and application software download service providers. When these operators notice a prohibited publication, or the transmission of illicit information, they must promptly stop transmitting the information and take measures necessary to prevent the spread of that information. Operators must maintain a record of these incidents when they occur and report them to the competent authorities.

Draft Article 43 gives the relevant authorities a firm legal basis to take measures to cut off any transmission(s) of prohibited information on communication networks. Upon finding prohibited information, those authorities will require that the network operators stop the transmission and take the necessary measures to remove any prohibited content. Where the above prohibited information comes from outside the territory of China, these authorities may request that all related institutions take necessary measures to stop the flow of prohibited information. If the Draft comes into effect with Article 43 unchanged, the currently obscure landscape of cyber censorship mechanisms will become clearer.

Conclusion

The Chinese government is determined to assert a tighter grip over China’s networks in order to increase national security and stability. With broad-reaching implications, the Draft Cyber Security Law proposes to accomplish that through strict regulation of network operation and network information security.

Under the current Draft, some network operators (e.g. those network service providers that have a significant number of users) will be deemed operators of key information infrastructure facilities and will be required to adhere to the new key information infrastructure facilities regulations. Network information security will be regulated under both a top-down and bottom-up regulatory structure which holds network operators responsible for controlling the publication of information on their networks and platforms.

Currently, the Draft is open to public discussion and comments until 5 August 2015. Once adopted, it will almost certainly have significant influence on all sectors of business in China. Especially given China’s broader Internet+ strategy[20], adoption of the Draft would have broad and fundamental effects on Chinese society. We will follow the legislative process on this Draft closely.

Note:

[1] See The First Meeting of the Office of the Central Leading Group for Cyberspace Affairs is Convened and Xi Jinping Makes Important Speech (http://www.cac.gov.cn/2014-02/27/c_133148354.htm).

[2] Promulgated by the Standing Committee of the National People’s Congress and went into effect as of the date of promulgation.

[3] The NSL further provides that the State shall establish systems and mechanisms for national examination and supervision on China’s network information technology products and services that may or potentially may affect the national security of China, so as to prevent and neutralize state security risks in an effective way. See Article 25 and 59 of the NSL.

[4] See the Explanation of Cyber Security Law of the People’s Republic of China (Draft) (《关于<中华人民共和国网络安全法(草案)>的说明》) attached to the Draft Cyber Security Law.

[5] See Article 1 of the Draft.

[6] “Network” is defined to mean the network and system comprised of computers or other information terminals, and/or relevant facilities that collect, store, transmit, exchange and process information in accordance with certain rules and protocols. See Article 65 of the Draft.

[7] See the Explanation of Cyber Security Law of the People’s Republic of China (Draft).

[8] Currently, the “national network and information authority” in China includes the Office of the Central Leading Group for Cyberspace Affairs established on February 27, 2014 and the Cyberspace Administration of China. The Cyberspace Administration of China was established on May 4, 2011. It is a subsidiary organ of the State Council Information Office of the People’s Republic of China.

[9] See Article 6 of the Draft.

[10] In 2008, the chief architect of Alibaba, Wang Jian, introduced his idea of “Removing IOE” for the first time. This meant removing IBM minicomputers, Oracle databases, and EMC storage devices from Alibaba’s IT structure. Alibaba would instead use inexpensive PC servers, self-developed databases based on open-source MySQL, and low-end storage devices. In making these changes, Alibaba intends to keep all of its key IT facilities and products completely under its control. See Removing IOE, Where to Go (http://news.ccidnet.com/art/1032/20140709/5528735_1.html) and Removing Apple, Removing Antivirus, and Removing IOE, Who Will Become the Beneficiary (http://luochao.baijia.baidu.com/article/25131).

[11] Ibid.

[12] Coming into force as of the date of promulgation.

[13] See the Guidelines and its Attachment.

[14] On 12 February 2015, the CBRC promulgated the Explanation of the Guidelines. In the explanation, the CBRC stated that the related requirements in the Guidelines do not distinguish on the basis of nationality. Moreover, the source code filing requirements are still open for comments from different perspectives and have not been implemented yet.

[15] Those that provide public communications, broadcasting, and television transmission services, etc.

[16] Such as energy, transportation, water conservancy, finance, etc.

[17] Including electric, water, and gas supply, medical treatment and healthcare, social security, etc.

[18] According to Article 59 of the NSL, the state shall establish systems and mechanisms for national examination and supervision, carry out state security examination on foreign investment, specific items, key technology, network information technology products and services, construction projects related to state security, and other significant matters and events, so as to prevent and neutralize state security risks in an effective way.

[19] See Article 65 of the Draft. Identifying who qualifies as a network operator under the Draft is critical, as the label comes with legal obligations and duties to ensure network operation security (Articles 17, 20, 21, 23 and 24 of the Draft), network data security (Articles 34 to 37 of the Draft) and network information security (Articles 40, 42 and 43 of the Draft), and to coordinate with competent authorities in the alarm and emergency response systems (Article 48 of the Draft). Network operators will bear related legal liabilities (Articles 51, 53, 57, 59, and 61 of the Draft) for rule violations or breaches of their respective duties.

[20] See Interpretation: What Does the “Internet+” Mean in the Government Work Report by Li Keqiang? (http://economy.caijing.com.cn/20150305/3832729.shtml).