China Passes Long-Awaited Cyber Security Law

November 14, 2016

On November 7, the Standing Committee of China’s legislature, the National People’s Congress (NPC), adopted the Cyber Security Law of 2016 (unofficial English translation on China Law Translate). The NPC released a first draft in July 2015, which elicited substantial comment from the Western business community. In June 2016, the NPC released a second draft with some changes, but largely unchanged on the main issues identified in the comments. The final law as adopted is substantially the same.

Effective on June 1 Next Year

The law is effective June 1, 2017. The law describes the government authorities responsible for enforcing the law as the “state network information departments” and the State Council’s departments for telecommunications, public security, and a catch-all for “other relevant organs” (Art. 8). The term “state network information departments” appears to refer to the Cyberspace Administration of China, which is also known as the Office of the Central Leading Group for Cyberspace Affairs (that is, the Communist Party alter ego) (website in Chinese).

The law primarily creates security obligations for so-called “network operators” and “critical information infrastructure operators.” Given the general definitions described below, this law could theoretically cover every organization or business with a networked computer system. There is also an obligation on “electronic information distribution service providers” and “application software download service providers” (neither of which is defined) to terminate service, employ removal measures, preserve data, and report, if they know that their users are installing malicious programs in the information or software they transmit, or are transmitting prohibited content (under unspecified “laws and administrative regulations”); otherwise, there is no further mention of duties for these types of service providers (Art. 48).

Obligations of Network Operators

The definition of network operators is broad, as it encompasses owners, managers, and service providers of computer systems, terminals, or related equipment that follow certain rules or processes for information gathering, storage, transmission, exchange, and processing. (Art. 76). Could this apply to small businesses? Theoretically yes, although it is unclear that regulators will want information or demand compliance from every small business in China, much less be able to handle that workload.

For network operators, the law implements a “tiered system for network protection.” Although not defined, the system will require network operators to do things that include creation of internal security management systems and assignment of responsibility for network security, as well as adoption of various measures to protect network security and monitor security status (with logs to be preserved at least six months). (Art. 21).

The first draft elicited strong debate over the requirement that “critical network equipment and specialized network security products” (again, not defined) be subject to safety certification or a safety inspection. That provision remains (Art. 23), and Chinese regulators will be required to issue a catalog or index of covered equipment and products. Ideally this index will be released before the certification or safety inspection regime begins, although that is not likely.

Network operators are required to create emergency plans for network security incidents and, when incidents occur, not only to implement the plan and take corrective action, but to report to regulators. (Art. 25). Of course, in most businesses, security incidents (whether resulting in compromised data or not) can occur on a continual basis. Again, if network operators are to construe this requirement literally, the amount of data generated will present a significant challenge to the regulators to receive and process.

Data Localization: Critical Information Infrastructure Operators

One of the most contested aspects of the law is the requirement of data localization within China, which applies to “critical information infrastructure operators” (Art. 37). While the detailed scope of “critical information infrastructure” is left to the State Council to define, these infrastructures broadly include various public utility, information, and governance structures (Art. 31), and also those that, in the event of damage, loss of function, or breach of data, would implicate “national security, the national economy or people’s livelihood, or the public interest.” Those operators must keep “personal information” and undefined “important data” gathered during operations in mainland China within mainland China, and must follow measures (not yet promulgated) when it is necessary for the information to be maintained overseas. One significant change from the prior drafts is that “personal information” covers information not only of Chinese citizens but of natural persons generally.

Handling Personal Information

Network operators may only collect, use and store personal information that is necessary for business purposes, and with consent of the user (Art. 41). Operators must obtain consent before transmitting that information to others, except in anonymized form (Art. 42). Individuals have the right to demand deletion upon discovery of improper collection or use and can demand correction of data if the collected information contains errors. (Art. 43).

There are a number of provisions articulating the power of the state to control the Internet, including the power to limit network communications in certain “designated” regions (Art. 58), and the power to ask network operators for technical support and assistance in investigations (Art. 28).

As noted earlier, a number of government agencies have already sought to regulate online industries in a variety of areas; most recently, the Cyberspace Administration of China issued regulations (link in Chinese) for live streaming (including online games and videos), and the State Administration for Industry and Commerce has issued temporary regulations (in Chinese) governing online advertising. How these and prior regulations interact with the new law continues to be a subject that businesses, both in and out of China, will monitor, along with how China will implement the new Cyber Security Law.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Ronald Cheng, an O’Melveny partner licensed to practice law in California, and Bo Li, an O'Melveny associate licensed to practice law in New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York's Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, Phone:+1-212-326-2000. © 2016 O'Melveny & Myers LLP. All Rights Reserved.