Chinese Cybersecurity Law: A Rising Threat
March 29, 2018 at 12:10 PM
Every day seems to bring another regulatory presence in cybersecurity, from the New York Department of Financial Services (NYDFS) to the EU's General Data Protection Regulation (GDPR). But with so much focus on these new U.S. and EU challenges, many companies may be missing the increasing global importance of the Cybersecurity Law of the People's Republic of China (the Chinese cybersecurity law), which is already in effect. The Chinese cybersecurity law may pose particular compliance challenges because it approaches cybersecurity with a focus on the protection of the Chinese state in a way that may make supplying information technology to China or merely running a business in China much more complicated for global businesses.
At first glance, the Chinese cybersecurity law may look like an extension of European data protection law. Indeed, it protects “personal data” which it defines broadly to include all information, whether in electronic or other form, which individually or in combination with other information allows the identification of a natural person's individual identity, including but not limited to the natural person's name, date of birth, identity card number, personally distinctive biological information, address, telephone number, etc.
But central to the Chinese cybersecurity law is its distinct notion of “cybersovereignty,” which draws heavily from President Xi's famous dictum that “without cybersecurity there is no national security.” Although some Europeans use the concept of “data sovereignty” to refer to the power of individuals to control personal data about themselves, the Chinese conception of cyber sovereignty refers to the power of the Chinese state to control the data inside of its country and crossing its borders; indeed, the Chinese cybersecurity law appears primarily designed to protect the security interests of China. The “important data” covered by the law thus includes not only personally identifiable information but also trade secrets and state secrets (often overlapping), and other information that the state considers sensitive, such as information on sensitive cultural and political issues.
The law covers both “key information infrastructures” as well as “network operators.” The key information infrastructures are those industries that support Chinese national security, such as communication and information services, energy, transportation, water resources utilization, finance, public service and e-government affairs. For these industries, procurement of information technology can trigger national security reviews and data localization requirements.
A much larger group of covered companies may be “network operators,” which is broadly defined to include owners and administrators of an information network and network service providers. Under the Chinese cybersecurity law, these network operators must have cybersecurity protocols in place; preserve web logs for at least six months; strictly protect users' personal data; and verify the identity of users for phone and internet services. Together, these requirements will significantly enhance the power of China to govern its cyberspace. The required cybersecurity protocols call for a “hierarchical protection system of network security,” which refers to a separate five-tier information security protection system supported by a series of implementing rules, guidelines, and national standards.
In a further requirement that echoes EU cross-border transfer restrictions, the Chinese cybersecurity law requires “network operators” to obtain the prior consent of the data subjects for cross-border transfer of personal information (including the purpose, scope, recipients and country of destination), to conduct a security assessment for cross-border transfer of data, and to retain the assessment and report its results if they meet regulatory thresholds. That is, covered global companies may need to report their cybersecurity measures to the Chinese government.
Moreover, a cross-border data transfer (even a one-time transfer) must be lawful, legitimate, and necessary for performing the ordinary business activities or the contractual obligations of the network operators. The net effect is that cross-border data transfers may be prohibited if the transfer does not comply with laws or regulations, poses risks to China's national security or public interests, or has the potential of endangering the security of China's national politics, territory, military, economy, culture, society, technology, information, ecological environment, resources, nuclear facilities, etc. This listing, however, may not be complete, as much of the detail regarding the Chinese law remains to be provided in further regulation and guidance.
Although the Standing Committee of the National People's Congress of China promulgated the law after three rounds of readings starting in June 2015, many details are still being elucidated. Further guidance already includes “Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Critical Data and Information Security Technology—Guidelines for Cross-Border Data Transfer Security Assessment.” Some of these guidelines are national standards, not formally binding laws or regulations, and regulators will retain substantial discretion to interpret and enforce within the broad terms of the law. In this regard, considerable interest is focusing on a “Catalog of Critical Network Equipment and Specialized Cyber Security Product,” which will supplement security requirements for certain cybersecurity products and may end up allowing only tightly specified technologies. All in all, the possible effect of this long implementation period may be to create a slow but steady increase in restrictions.
As its precise requirements continue to unfold, the Chinese cybersecurity law may well become one of the most prescriptive variants of global cybersecurity regulation. At present, most cybersecurity laws in the United States allow companies significant latitude in the design of reasonable and appropriate cybersecurity controls. And although the EU's GDPR—like the New York DFS—requires 72-hour data breach notification, they also allow companies considerable flexibility and mandate risk-based, “appropriate security … using appropriate technical or organizational measures.” Global companies operating in China will be well-advised to watch whether they will continue to have such flexibility and may need to reassess the architecture of their data systems, their technologies, and even their operations, as well as ensuring that they have appropriate documentation around the implementation of compliant security protocols. The Chinese cybersecurity law may in the end have very significant impacts on a variety of sectors—a prospect that makes many private companies feel anything but secure.
Edward McNicholas is a global leader of Sidley Austin's privacy and cybersecurity practice. He is the lead editor of the PLI Treatise Cybersecurity: A Practical Guide to the Law of Cyber Risk and a frequent contributor to Sidley's Data Matters blog.
Yuet Ming Tham leads Sidley's privacy and cybersecurity practice in Asia Pacific. She has co-authored the Hong Kong and Singapore chapters of The Privacy, Data Protection and Cybersecurity Law Review published by Law Business Research and also heads Sidley's Asia Pacific compliance and investigations group.