4 Things Corporate Counsel Should Know About China’s Cybersecurity Law
Unlike the slow deployment and growing awareness surrounding the EU’s General Data Protection Regulation, China’s cybersecurity law has…
June 05, 2017 at 10:45 AM
6 minute read
The original version of this story was published on Law.com
Unlike the slow deployment and growing awareness surrounding the EU's General Data Protection Regulation, China's cybersecurity law has created some surprise. The law, which officially came into effect June 1, was crafted and passed at such relatively quick pace that many in the legal tech industry were unfamiliar with its existence in early 2017.
But apprehension over the law's effects has grown as well, as many have begun understand its scope and provisions. Much concern has been expressed, for example, over the severe criminal penalties facing companies that fail to comply.
Dan Whitaker, managing director of Consilio's China operations, told Legaltech News that “public surveillance, imprisonment, and the death penalty are all listed as possibilities for violating the state secrets provision of the Cybersecurity Law.”
Though there are many specifics of the law that still need to be determined by government agencies, there are a few areas corporate counsel should be familiar with in order to best protect and prepare their organizations:
1. The Law May Affect a Broad Range of Organizations
When first drafted, the majority of China's cybersecurity law only affected what it deemed “critical information infrastructure operators” (CIIOs), which the law defines as including telecommunications and broadcasting companies, public service and critical infrastructure industries, military and government agencies, and large network and internet providers.
But the full extent of what else can constitute CIIOs is not yet entirely clear, given that they can refer to any company that handles or collect personally identifiable information and what the law vaguely terms as “important business information.”
“In terms of 'important information,' the thought is trade secrets, intellectual property or national security information, but the law does not make it clear,” said Everett Monroe, a data privacy and IP Attorney at Hanson Bridgett. He added that many are “waiting for additional interpretation by administrative agencies” on this point.
In April 2017, China also released “Draft Measures” to clarify the cybersecurity law, which expanded companies covered by the law to include “network operators” as well as CIIOs. Tiana Zhang, an attorney at Kirkland & Ellis's Shanghai offices, told Legaltech News that this term is “broadly defined as any network owners, administrators, and network service providers.”
Monroe cautioned that the interpretation of what constitutes a network operator “is dependent on the administrative agencies, but the law can be read very broadly. [Network operators] really can be any anybody who is running a local network for their business.”
2. Each Covered Group Has its Specific Cybersecurity Responsibilities
Figuring out whether one is classified as a CIIO or network operator is pivotal given that each group has have different levels of cybersecurity obligations.
Network operators for example, “have to have a data security plan in place and really adopt what we in the U.S. and Europe would call technical organizational and administrative measures to protect the network,” Monroe said.
He added while this is not an unusual requirement for cybersecurity regulations, “what is different [with China's law] is the amount of verbose detail the cybersecurity law goes into. [Network operators] are to adopt measures such as data classification and backup and consider the use of encryption, and things like that.”
In addition, CIIOs have to meet the same cybersecurity standards as well as additional obligations, such as creating an “incident response plan and coordinating with government agencies and other organizations to address issues of business continuity, systematic failure, leak containment and communication” after a cyberattack or breach, Monroe explained.
There is also the requirement for CIIOs that “any sort of device that are on the network, things like routers or switchers, have to be approved by some sort of security certification program or through a government agency,” he added. “The law does not make clear exactly which agencies or groups they are, but we assume that they would be state-certified groups.”
3. Certain Data Must be Kept In-Country, With Caveats
Under the cybersecurity law, Chinese citizens' PII and “important business information” created and collected in the country must be stored on local servers. Such a requirement may force local and multinational companies to revamp their IT infrastructure and depend on local storage providers for assistance.
“China is a fan of the cloud—as long as it's a Chinese cloud,” Whitaker told Legaltech News. “This means increased dependence on providers with a presence in China and experience in working in the market here. For enterprises, this means increased review of the types of data flowing in and out of the country.”
The data localization requirement, however, is not absolute. Companies can transfer data out of the country when necessary for business purposes, but must first conduct a security self-assessment to review if the transfer is in fact needed, if proper protections exist around the transfer, and the risk of data being breached, destroyed or leaked.
When data transfers meet certain criteria, such as those that exceed 1000 GBs, have the PPI of over 500,000 citizens, or contain information relating to national security or the security of a CIIO, a yet-to-be-defined government agency has to conduct its own security assessment before the transfer can proceed.
4. PII is Regulated Similar to Other Global Data Privacy Laws
China's cybersecurity also law follows in the footsteps of the EU's GDPR by mandating that companies must obtain the consent of Chinese citizens before collecting, handling or processing their PII.
“There are several restrictions on how the PII is used, how it is collected and making sure it is not misused,” Monroe said. “According to the law, if a user finds the data has been misused, the user can go back to that company and demand the deletion off their data. And if it's inaccurate, they can demand the correction of that data as well.”
Copyright Legaltech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllGC With Deep GM Experience Takes Legal Reins of Power Management Giant
2 minute readLegal Departments Gripe About Outside Counsel but Rarely Talk to Them
4 minute read'Serious Disruptions'?: Federal Courts Brace for Government Shutdown Threat
3 minute readUS Reviewer of Foreign Transactions Sees More Political, Policy Influence, Say Observers
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250