By Susan NING and Han WU King & Wood Mallesons’ Commercial & Regulatory group.

2017 saw the official implementation of the Cybersecurity Law of the People’s Republic of China (“Cybersecurity Law”), building on past efforts and bringing new implications for the future. The implementation of the Cybersecurity Law brought clarity to cybersecurity regulations in various industries. Meanwhile, under the new regulatory system, coordination between the National Cyberspace Administration (CAC) and competent industry authorities has led to the implementation of the Cybersecurity Law that marks a new stage of development for China’s cybersecurity supervision.

In fact, the official implementation of the Cybersecurity Law on June 1, 2017, accelerates the pace of introducing relevant departmental rules, judicial interpretations, and national standards, many of which are still receiving public opinion. Further, law enforcement in cybersecurity is under way in various industries, and departments for cyberspace affairs, telecommunication, and public security have strengthened their law enforcement efforts within their respective administration. The roll-out of the Cybersecurity Law and relevant supportive measures have triggered wide reaction, receiving extensive attention from domestic and international enterprises, organizations and media.

Present legislation

Before the formation of the Cybersecurity Law, regulations and rules on cybersecurity were scattered among various Chinese regulations of departments and committees. In absence of a framework for the upper-level law, these regulations and rules were fragmented and may have even been in conflicting with one another. The introduction of the Cybersecurity Law streamlined the regulatory systems in cybersecurity, and specified the responsibilities of law enforcement authorities, offering guidance for subsequent supporting measures. From the adoption of the Cybersecurity Law to the current implementation, the CAC, in cooperation with competent and regulatory departments of relevant industries, national, and industrial standard development organizations, and others, released a series of relevant provisions and supporting measures under the Cybersecurity Law. Such legislation aims to provide more specific guidance on implementation of specific provisions of the Cybersecurity Law and establishes a comprehensive and effective set of regulatory systems.

(The chart below summarizes current legislative achievements and progress in China’s cybersecurity)

Name Issued by Issued/Effective on
1.     National strategies
National Strategy for Cyberspace Security CAC 27-Dec-16
Strategy for International Cooperation in Cyberspace Ministry of Foreign Affairs, CAC 1-Mar-17
2.     Law and judicial interpretations
Cybersecurity Law NPC Standing Committee

Issued on November 7, 2016

Effective June 1, 2017

General Rules of the Civil Law NPC Standing Committee

Issued on March 15, 2017

 

Effective October 1, 2017
Interpretation of Several Issues regarding Application of Law to Criminal Cases of Infringement of Citizen’s Personal Information (“PI”) Handled by the Supreme People’s Court and the Supreme People’s Procuratorate Supreme People’s Court, Supreme People’s Procuratorate

Issued on May 8, 2017

 

Effective June 1, 2017
E-commerce Law (Draft for the Second Deliberation) NPC Standing Committee Draft on November 7, 2017
3.     Departmental regulations and other supporting measures
Regulations on Security Protection of Critical Information Infrastructure (“CII”) (Draft for Comment) CAC Draft on July 10, 2017

Measures for the Security Assessment of PI and

 

CAC Draft on April 11, 2017
Important Data to be Transmitted Abroad (Draft for Comment)
Administrative Measures for Content Management Practitioners in Entities Offering Internet News Information Services CAC

Issued on October 30, 2017

Effective December 1, 2017

Administrative Provisions on Evaluating the Safety of New Technologies and Applications for Internet News Information Services CAC

Issued on October 30, 2017

Effective December 1, 2017

Administrative Provisions on the Administration of Information Services Provided through Chat Groups on the Internet CAC

Issued on September 7, 2017

Effective October 8, 2017

Administrative Provisions on the Information Services Provided through Official Accounts of Internet Users CAC

Issued on September 7, 2017

Effective October 8, 2017

Administrative Provisions on Internet Forum and Community Services CAC

Issued on August 25, 2017

Effective October 1, 2017

Administrative Provisions on Internet Follow-up Comment Services CAC

Issued on August 25, 2017

Effective October 1, 2017

Implementing Rules for the Administration of the Licensing for Internet News Information Services CAC Issued and effective on May 22, 2017
Provisions on the Administrative Law Enforcement Procedures for Internet Information Content Management CAC

Issued on May 2, 2017

 

Effective June 1, 2017
Provisions on the Administration of Online Live-streaming Services CAC

Issued on November 4, 2016

Effective on December 1, 2016

National Emergency Response Plan for Cybersecurity Incidents CAC Issued and effective on January 10, 2017
Measures for Examining the Security of Network Products and Services (for Trial Implementation) CAC

Issued on May 2, 2017

 

Effective on June 1, 2017
Catalog of Key Network Equipment and Specific Network Safety Products (Batch One)

CAC, Ministry of Industry and

 

Issued and effective on June 1, 2017
Information Technology, Ministry of Public Security, Certification and Accreditation Administration
4.     National and industrial standards
Specification for PI Security National Information Security Standardization Technical Committee

Issued on January 2, 2018

Effective May 1, 2018

Guidance on De-identification of PI (Draft for Comment) National Information Security Standardization Technical Committee Draft on August 25, 2017
Guidance on Examination and Assessment of the Security of CII (Draft for Comment) National Information Security Standardization Technical Committee Draft on August 30, 2017
Evaluation Index System for Security of CII (Draft for Comment) National Information Security Standardization Technical Committee Draft on August 30, 2017
General Requirements for the Security of Network Products and Services (Draft for Comment) National Information Security Standardization Technical Committee Draft on August 30, 2017
Guidance on Examination and Assessment Process of Graded Protection of Cybersecurity (Draft for Comment) National Information Security Standardization Technical Committee Draft on November 3, 2016
Requirements for Examination and Assessment of Graded Protection of Cybersecurity (for each part) (Draft for Comment) National Information Security Standardization Technical Committee

Part 1: Draft on November 3, 2016;

 

Part 2: Draft on January 11, 2017;

 

Part 3: Draft on November 3, 2016;

 

Part 4: Draft on January 11, 2017;

 

Part 5: Draft on January 11, 2017.
Guidance on Security Assessment of Data to be Transmitted Abroad (Draft for Comment) National Information Security Standardization Technical Committee Draft on August 30, 2017
Guidance on Identification of CII (under formulation)

The current legislative progress indicates the comprehensive, innovative, and multi-tiered legislation in China’s cybersecurity laws.

First, China’s cybersecurity legislation covers a broad range of content. In regard to both “security of network operation” and “security of network information”, the Cybersecurity Law provides rights, obligations and duties of network operators, as well as monitoring, early warning, emergency response, and other mechanisms required for safeguarding cybersecurity. For network operation security, the Cybersecurity Law provides network operators and CII operators their respective internal systems duties and obligations for technical measures, source of purchase, data storage, and cross-border transmission. In addition to the general provisions on network operation security, the Cybersecurity Law summarizes fragmented provisions on PI protections: Chapter Four of the Cybersecurity Law focuses on network operators’ obligations to protect PI, and individuals’ right to their PI, while Chapter Six provides liabilities for infringing upon individuals’ PI. Moreover, the Cybersecurity Law also provides the requirements for management of network information content. CAC issued subsequent departmental rules and normative documents governing the management of network information content, which gave further detail and comprehensive provisions on the management of network information content with respect to industry, law enforcement procedures, application, and other aspects. These provisions included the Administrative Provisions on Internet News Information Services, the Provisions on the Administrative Law Enforcement Procedures for Internet Information Content Management, the Administrative Provisions on Evaluating the Safety of New Technologies and Applications for Internet News Information Services, and the Administrative Provisions on Internet Forum and Community Services.

Second, the Cybersecurity Law and its supporting measures clearly depict the innovation of CAC’s legislative technique. From the perspective of legislative technique, the Cybersecurity Law, on the one hand, sorted out and summarized existing provisions of the industry. In addition to provisions on PI protection, the “graded system for cybersecurity protection” provided in the Cybersecurity Law is derived from the graded protection for computer information systems defined in the Regulations on the Security Protection of Computer Information System formulated by the State Council in 1994, further detailed in the Administrative Measures for the Graded Protection of Information Security formulated by the Ministry of Public Security and other authorities in 2007. Therefore, the “graded system for cybersecurity protection” is summarized and refined from existing provisions. On the other hand, the Cybersecurity Law and its supporting measures are also innovatively coordinated with other existing legal provisions and administrations. For example, under the Cybersecurity Laws the catalog of key network equipment and specific network safety products increases administrative efficiency by reducing their repetitive certification and testing of network equipment and products by multiple administrations. This also helps reduce the waste of resources and eases the burdens on enterprises.

In terms of its content, the Cybersecurity Law is the first to introduce a number of new concepts and legislative mechanisms, including network operators, CII, and emergency plans for cybersecurity incidents. In regards to CII, a new regulatory system will be established, focusing on “CII protection” by introducing a number of new rules, including the Regulations on Security Protection of CII, the Guidance on Examination and Assessment of the Security of CII, the Guidance on Identification of CII, and the Evaluation Index System for Security of CII.

Third, the introduction of rules in cybersecurity is achieved through the hierarchy of “strategy – law – regulation – national and industrial standards”. Although the two national strategies, the National Strategy for Cyberspace Security and the Strategy for International Cooperation in Cyberspace, do not provide specific implementation rules for rights and obligations of network operators, they have served as an important part of cyberspace security in China and have provided programmatic guidance for the establishment of specific rules. As the fundamental law in cybersecurity, the Cybersecurity Law elaborates on the basic content of network operation security and network information security. More importantly, departmental regulations and related supporting measures provide significant provisions for the implementation of the Cybersecurity Law. These regulatory documents, usually based on the specific articles of the Cybersecurity Law, materialize the rights and obligations of the legal entities involved to provide legally binding rules and guidelines. In addition, the national and industrial standards are also helpful supplements to the legislative work in the field of cybersecurity. Even though industrial standards may not have legally binding force, they could aid interpretation and supplement the Cybersecurity Law for specific issues, and provide more practical guidelines for law enforcement, judicial action, and compliance practices.

In conclusion, the Cybersecurity Laws of China is progressing. Under the leadership of the State Council, coordinating with the CAC, various ministries, and committees, the Cybersecurity Law and its supporting measures cover a wide range of content in diversified formalities which developed very rapidly. We appeal to all sectors of society to treat the cybersecurity legislation from a strategic perspective of securing national cybersecurity. Therefore, we should fully participate in legislative activities, and voice opinions so as to ensure the validity and practicality of the rules. But also pay extensive attention to the implementation of the Cybersecurity Law and its supporting measures, and work together to promote the development of China’s cybersecurity system.

Law Enforcement Status

The implementation of the Cybersecurity Law and successive promulgations of related supporting measures, the CAC, local cybersecurity administration, and other law enforcement authorities are also advancing law enforcement in cybersecurity. Given various concerning compliance obligations, each law enforcement authority is performing duties within their respective jurisdiction. This leads to a diversification of law enforcement in regards to both subject and content. Typical law enforcement activities are summarized in the following table:

Date Content of the Case Legal Basis Comment
Network Operation Security
1.     Rules for Graded Protection of Cybersecurity
August 2017 Pursuant to Article 21 of Cybersecurity Law (graded protection of cybersecurity), the law enforcement authorities of cybersecurity in Sichuan Province, Chongqing Municipality, Bengbu in Anhui Province, Harbin in Heilongjiang Province, Guangzhou in Guangdong Province, actively investigated and punished illegal acts such as “failure to file for gradation”, “failure to carry out major duties as cybersecurity subject”, “failure to establish technical measures for cybersecurity”, “failure to implement real-name registration and filing requirements relevant to the site”. Article 21 of Cybersecurity Law: Rules for Graded Protection of Cybersecurity Rules for graded protection of cybersecurity are a basic system that guarantees the network operation security.
2.     Network User Identity Management System – “Network Real-name System”
September 2017 Shenzhen Sanren Network Technology Company failed to require users to provide authentic identity information before supplying network telephone services to them, causing information communication fraud security risk. Guangdong Provincial Communication Administration fined the company RMB 50,000, and asked it to immediately rectify the conduct, suspend its operations, and shut down the related website. Article 24 of Cybersecurity Law: Network User Identity Management System The network user identity management system generally follows the principle of “requirement of real name in the background and voluntary adoption of real name in the foreground”; the network real-name system makes the network service providers undertake the obligation of PI security protection.
3.     Identification and Protection of CII

 

August 8, 2017

PaRR identified 400 to 500 companies that fall into the CII category, with most being state-owned. The CAC has coordinated with other relevant departments to conduct nationwide inspections on CII-designated companies each year, as required by relevant article of the Cybersecurity Law.

Inspection work in 2017 has already commenced.

Article 31 of Cybersecurity Law: Identification and Protection of CII How to identify CII is an important and basic prerequisite for the implementation of CII security protection systems. The construction and practice of CII security protection systems is one of the cores of China’s cybersecurity system.
Network Information Security
1.     Protection of PI
September 2017 A group of officials from the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Standardization Administration of China conducted a review in July on the privacy policies of ten leading Internet products and services, including WeChat, Sina Weibo, JD.com, Baidu Maps, AutoNavi Maps, Ctrip.com, etc. The review officially ended at the end of September, 2017. All agencies put forward corresponding suggested improvements to each of the ten company’s webservices (applications). The participating enterprises actively cooperated with the agencies and rectified the issues according to their suggestions. Article 40 to 44 of Cybersecurity Law: Protection of PI As the first “gate” to collect users’ PI, privacy policies will be the first step of PI protection. The formulation and revision of the privacy policy should be based on the particularity of the industry so that the balance of PI protection and commercial development can be achieved.
June 2017 Regulators officially started clean-up actions against illegal acts in the market, such as unlawful transmissions of data. It was reported that the Supervision Bureau of Public Information Cybersecurity in the Ministry of Public Security planned a special governance program. The investigation list contained more than 30 companies, which included all well-known big data enterprises. Article 40 to 44 of Cybersecurity Law: Protection of PI With the development of the big data industry, law enforcement authorities will pay further attention to big data enterprises’ compliance issues in regard to data collection and use (especially PI).
2.     Content Management of Internet Information
August 2017 The law enforcement authorities of cybersecurity in Beijing, Guangdong, Zhejiang and Jiangsu launched law enforcement actions to investigate and punish “any information release or transmission prohibited by any law or administrative regulation”, “spread of violent, pornographic, or false information that endangers national security, public safety and social order”, or “harmful information that contains misconduct, vulgarity or spoof,”  to eliminate adverse factors that may affect the network information security. Article 47 of Cybersecurity Law: Internet Information Management The content management of internet information is an integral part of national cybersecurity. In the future, Internet platforms will assume greater duties and obligations in regard to information content management.

From the above mentioned law enforcement cases, it is not difficult to see that the focus of recent cybersecurity law enforcement regards certain core issues, such as the graded protection of cybersecurity, PI protection, and security of CII. Nevertheless, the CAC has taken cybersecurity law enforcement actions encompassing a very diverse and comprehensive rules for specific sectors. In fact, enforcement against obvious violation of the Cybersecurity Law is not substantially affected by the fact that certain corresponding supporting measures have not yet been adopted.

In addition, apart from the normal administrative investigations, new methods of law enforcement in cybersecurity, such as joint special inspection, has been adopted. For example, in July 2017, the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the Standardization Administration of China launched a special review on privacy policies. Therefore, it is foreseeable that the joint review and inspection of major enterprises will continue to be one of major methods of cybersecurity law enforcement in the future. This supervision and inspection on mainstream network products and services will not only actively promote the awareness of cybersecurity compliance across the industry, but it will also popularize the importance of cybersecurity in all sectors.

Outlook and proposals

1.Supporting measures to be further materialized; national and industrial standards worth more attention. 

With the establishment of a framework of cybersecurity rules, new supporting measures of Cybersecurity Law will provide law enforcement authorities and enterprises a more detailed implementation of rules, practical guidance, and compliance. For instance, the Regulations for the Security Protection of CII and the Guideline on Identification of CII are expected to be officially promulgated to fully address corresponding CII security protection obligations, to provide more security support, and to assist in safeguarding CII. In addition, the Measures for the Security Assessment of PI and Important Data to be Transmitted Abroad and the Guidelines for the Security Assessment of Data to be Transmitted Abroad may be finalized and published in 2018. This will raise and clarify some eye-catching issues (such as the subject, application, scope, and regulatory approach of security assessment in cross-border data transfer). Furthermore, in relation to the graded protection for cybersecurity, the national guideline will further clarify its relationship with the traditional graded protection for computer information system, and in practice provide more specific guidance.

It is worth noting that, due to the strong technical characters of cybersecurity compliance, irrespective of the controlling laws, departmental rule, regulatory document under Cybersecurity Law, departmental regulations, or regulatory rules, makes it impossible to provide detailed technical requirements for cybersecurity compliance. Therefore, “guidelines”, represented by national and industrial standards, will become significant reference for cybersecurity law enforcement and enterprises’ compliance. The national and industrial standards, like the Specification for PI Security, can not only provide guidance to enforcement and compliance through its elaborated technical provisions and requirements, but also flexibly minimize the impact on the stability of the laws and regulations engendered by the fast-developing technology.

2. “Key Breakthrough” in cybersecurity law enforcement; law enforcement expected to become normalized. 

Provided that the cybersecurity law enforcement is still in its preliminary stage, key issues under the Cybersecurity Law, such as the graded protection of cybersecurity, the protection of CII and PI, will predictably remain the focus of future enforcement. However, with the issuance of the Cybersecurity Law’s supporting measures, enforcement, such as the security assessment of cross-border transfer and the national security review on network products and services, will continue to increase. Meanwhile, internet information and content management enforcement, which has a sufficient substantial basis for law enforcement, may also be fully assessed in accordance with the Administrative Enforcement Procedures for the Administration of Internet-based Information Contents.

To the contrary, considering the wide range of network operators, the subject of network operators’ duties and obligations are not limited to Internet enterprises, foreign and domestic-funded enterprises in traditional industries may also be included. In addition, further clarification of law enforcement authorities’, law enforcement systems’, the CAC, and competent industrial departments’ coordination and functionality will lead to constant improvement. Since there is a variety of cybersecurity issues, as well as sufficient law enforcement power, it is foreseeable that law enforcement in cybersecurity may become normalized in the near future.

3. Suggestions 

Different from traditional industries, cybersecurity features high technicality and rapid renewal. Under the background of cyberspace sovereignty, legislation and law enforcement in cybersecurity will serve to safeguard national security and cybersecurity, enhance the comprehensive national strength, and improve the market competitiveness of enterprises. In addition to the full respect for laws of industrial development, striving to maintain cybersecurity and enhance industrial competitiveness, we suggest that the legislation and law enforcement authorities seek opinions from enterprises and technical experts when formulating rules and implementing regulatory practice.

As for enterprises, the urgency of cybersecurity compliance, as well as the positive feedback upon the competitiveness of specific enterprises, shall be recognized. In addition, enterprises shall established the “technology + compliance” conception, and assess their internal cybersecurity measures and data compliance as soon as possible. Therefore, an elaborated internal compliance system should be implemented to ensure the smooth development of both technology and compliance.

Currently, China has become the world’s largest Internet market. According to the Internet Security Report in the First Half of 2017, released by Tencent Security, stating that as of December 2016, the scale of China’s Internet users has reached 731 million, equivalent to the total population in Europe. However, the concern arises that despite the rapid development in China’s network economy, there are other countries holding a skeptical attitude on China’s current cybersecurity situation due to the lack of cybersecurity supervision resulting in China’s network economy being in a high-speed but unstable situation. Although China has never underestimated the significance of cybersecurity, the lack of a clear regulatory system has exacerbated other countries’ distrust of China’s cybersecurity. With the continued development of big data technology and the economy, in the future, the globalization trend of the digital economy will emerge, and cross-border flows of data will be inevitable. Currently, many countries and regions, including China, have required the cybersecurity assessment of the data-receiving country during cross-border data transfer, but usually China is not in the “White List” of who would be deemed to have the same degree of cybersecurity protection. In order to safeguard China’s cybersecurity, network sovereignty, national security, and its future status in the global digital economy, there is no better time to promulgate and implement the Cybersecurity Law and its supporting measures. Facing the doubt of lack of cybersecurity supervision in China, we can refute that, “羌笛何须怨杨柳,春风已度玉门关” In the meantime, we expect, through the wind stirred up be the Cybersecurity Law, China’s cybersecurity development can be prosperity abundant.