
Every day seems to bring another regulatory presence in cybersecurity, from the New York Department of Financial Services (NYDFS) to the EU's General Data Protection Regulation (GDPR). But with so much focus on these new U.S. and EU challenges, many companies may be missing the increasing global importance of the Cybersecurity Law of the People's Republic of China (the Chinese cybersecurity law), which is already in effect. The Chinese cybersecurity law may pose particular compliance challenges because it approaches cybersecurity with a focus on the protection of the Chinese state in a way that may make supplying information technology to China or merely running a business in China much more complicated for global businesses.

At first glance, the Chinese cybersecurity law may look like an extension of European data protection law. Indeed, it protects “personal data” which it defines broadly to include all information, whether in electronic or other form, which individually or in combination with other information allows the identification of a natural person's individual identity, including but not limited to the natural person's name, date of birth, identity card number, personally distinctive biological information, address, telephone number, etc.

But central to the Chinese cybersecurity law is its distinct notion of “cybersovereignty,” which draws heavily from President Xi's famous dictum that “without cybersecurity there is no national security.” Although some Europeans use the concept of “data sovereignty” to refer to the power of individuals to control personal data about themselves, the Chinese conception of cyber sovereignty refers to the power of the Chinese state to control the data inside of its country and crossing its borders; indeed, the Chinese cybersecurity law appears primarily designed to protect the security interests of China. The “important data” covered by the law thus includes not only personally identifiable information but also trade secrets and state secrets (often overlapping), and other information that the state considers sensitive, such as information on sensitive cultural and political issues.

The law covers both “key information infrastructures” as well as “network operators.” The key information infrastructures are those industries that support Chinese national security, such as communication and information services, energy, transportation, water resources utilization, finance, public service and e-government affairs. For these industries, procurement of information technology can trigger national security reviews and data localization requirements.

A much larger group of covered companies may be “network operators,” which is broadly defined to include owners and administrators of an information network and network service providers. Under the Chinese cybersecurity law, these network operators must have cybersecurity protocols in place; preserve web logs for at least six months; strictly protect users' personal data; and verify the identity of users for phone and internet services. Together, these requirements will significantly enhance the power of China to govern its cyberspace. The required cybersecurity protocols call for a “hierarchical protection system of network security,” which refers to a separate five-tier information security protection system supported by a series of implementing rules, guidelines, and national standards.

In a further requirement that echoes EU cross-border transfer restrictions, the Chinese cybersecurity law requires “network operators” to obtain the prior consent of the data subjects for cross-border transfer of personal information (including the purpose, scope, recipients and country of destination), to conduct a security assessment for cross-border transfer of data, and to retain the assessment and report its results if they meet regulatory thresholds. That is, covered global companies may need to report their cybersecurity measures to the Chinese government.

Moreover, a cross-border data transfer (even a one-time transfer) must be lawful, legitimate, and necessary for performing the ordinary business activities or the contractual obligations of the network operators. The net effect is that cross-border data transfers may be prohibited if the transfer does not comply with laws or regulations, poses risks to China's national security or public interests, or has the potential of endangering the security of China's national politics, territory, military, economy, culture, society, technology, information, ecological environment, resources, nuclear facilities, etc. This listing, however, may not be complete, as much of the detail regarding the Chinese law remains to be provided in further regulation and guidance.

Although the Standing Committee of the National People's Congress of China promulgated the law after three rounds of readings starting in June 2015, many details are still being elucidated. Further guidance already includes “Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Critical Data and Information Security Technology—Guidelines for Cross-Border Data Transfer Security Assessment.” Some of these guidelines are national standards, not formally binding laws or regulations, and regulators will retain substantial discretion to interpret and enforce within the broad terms of the law. In this regard, considerable interest is focusing on a “Catalog of Critical Network Equipment and Specialized Cyber Security Product,” which will supplement security requirements for certain cybersecurity products and may end up allowing only tightly specified technologies. All in all, the possible effect of this long implementation period may be to create a slow but steady increase in restrictions.

As its precise requirements continue to unfold, the Chinese cybersecurity law may well become one of the most prescriptive variants of global cybersecurity regulation. At present, most cybersecurity laws in the United States allow companies significant latitude in the design of reasonable and appropriate cybersecurity controls. And although the EU's GDPR—like the New York DFS—requires 72-hour data breach notification, they also allow companies considerable flexibility and mandate risk-based, “appropriate security … using appropriate technical or organizational measures.” Global companies operating in China will be well-advised to watch whether they will continue to have such flexibility and may need to reassess the architecture of their data systems, their technologies, and even their operations, as well as ensuring that they have appropriate documentation around the implementation of compliant security protocols. The Chinese cybersecurity law may in the end have very significant impacts on a variety of sectors—a prospect that makes many private companies feel anything but secure.

Edward McNicholas is a global leader of Sidley Austin's privacy and cybersecurity practice. He is the lead editor of the PLI Treatise Cybersecurity: A Practical Guide to the Law of Cyber Risk and a frequent contributor to Sidley's Data Matters blog.

Yuet Ming Tham leads Sidley's privacy and cybersecurity practice in Asia Pacific. She has co-authored the Hong Kong and Singapore chapters of The Privacy, Data Protection and Cybersecurity Law Review published by Law Business Research and also heads Sidley's Asia Pacific compliance and investigations group.