Challenges and Advice for Multinational Companies in Complying With Chinese Cybersecurity Law
Cori Lable, Jodi Wu and Zachary Brez provide an overview of the key requirements imposed by China's Cybersecurity Law and a roadmap for multinational companies seeking to assess their obligations and responsibilities under the law.
February 23, 2018 at 02:35 PM
In June 2017, China's Cybersecurity Law (the CSL) came into effect, bringing China's patchwork of cybersecurity-related regulations under one comprehensive law. Importantly, the CSL also imposes a host of additional requirements on multinational companies operating in China related to data security, the protection of personal information, and cross-border data transfers. The full scope and impact of the CSL remain unclear, largely because the Chinese government has yet to finalize all of the CSL's implementing regulations. However, we provide here an overview of the key requirements imposed by the CSL and a roadmap for multinational companies seeking to assess their obligations and responsibilities under the law.
Overview of the CSL
The key legal requirements of the CSL fall under three general categories: (1) data security; (2) protection of personal information; and (3) cross-border data transfers. The law imposes basic requirements related to these three categories on all “network operators” doing business within the territory of mainland China. The CSL broadly defines “network operators” to encompass “network owners, administrators, and network service providers”—which covers virtually any business that operates an internal computer network, or even just a website, in China. Multinational companies with Chinese subsidiaries or China-focused trade should assume that they are at least a network operator for purposes of the CSL.
The CSL then imposes heightened requirements on the subset of network operators that are termed “critical information infrastructure operators” (CIIOs). The definition of critical information infrastructure is vague, including any system that, “if destroyed, disabled, or leaked data, might seriously endanger national security, national welfare and the people's livelihood, or the public interest.” The Chinese government has promised to clarify the CSL's definition of CIIOs in forthcoming regulations, but the Cyberspace Administration of China has identified the energy, transportation, health care, financial, media and telecommunications, and industrials sectors as providing critical infrastructure, suggesting that the definition of CIIOs ultimately may be a broad one.
Data Security Requirements. All network operators must implement baseline security requirements, many of which multinational companies should already have in place, including:
• Developing internal security management policies and protocols;
• Designating a responsible person for cybersecurity protection within the company;
• Adopting measures to prevent viruses, cyberattacks, network intrusions, and other threats to network security;
• Adopting measures to monitor and keep records of network operations and network security incidents, and retaining those network logs for at least six months;
• Identifying important/sensitive data and adopting measures, such as automatic backup and encryption, to protect it;
• Developing an emergency plan for responding to security incidents; and
• Implementing remediation steps after detecting security loopholes or failures.
In addition to these baseline requirements, the CSL also imposes an additional obligation on network operators to “timely” report security incidents to relevant Chinese authorities as required under “applicable rules.” However, the details of just what rules apply to such reports, and how promptly reports must be submitted to be considered “timely,” remain unspecified under the law.
The more stringent data security requirements imposed on CIIOs include:
• Designating an administrative department to be in charge of cybersecurity, and requiring background checks on personnel that fill key positions in the department;
• Providing cybersecurity training, technology training, and skill evaluations to relevant personnel;
• Implementing a disaster recovery backup protocol for important systems and databases;
• Developing response plans for cybersecurity incidents and conducting drills on a regular basis; and
• Conducting, or engaging a network security consultant to conduct, regular inspection and assessment of the company's network security and potential risks.
The CSL also subjects CIIOs to stricter requirements when procuring and using network products and services. For example, if those products and services might affect national security, the procurement may need to undergo a national security review process conducted by the Chinese government. Further, the law requires CIIOs to sign security and confidentiality agreements with network product and services providers. Some global businesses that worry that the CSL could be used improperly to gather sensitive information about private network infrastructure and intellectual property have criticized these requirements. Again, the Chinese government has promised to issue additional clarifying regulations related specifically to CIIOs.
Personal Information Protection. The CSL emphasizes privacy protection and imposes requirements on network operators related to the collection, use, storage, and protection of personal information. The CSL broadly (and somewhat vaguely) defines “personal information” to include any data that identifies an individual either independently or when combined with other information. In some aspects, the key requirements of the CSL mirror the requirements of the European Union's General Data Protection Regulation related to personal information, including:
• Ensuring the legitimacy and necessity of personal data collection and use (including storage, transfer, and handling);
• Providing adequate disclosure and obtaining informed consent regarding collection and use of personal information;
• Adopting adequate technical and compliance measures to protect the security of personal information; and
• Giving individuals the right to correct or delete their own personal data.
Cross-Border Data Transfers. Although drafts of the CSL included strict data localization requirements, the final version of the CSL does not prohibit network operators from transferring any data outside of China. Instead, the CSL allows network operators to transfer data freely unless it includes personal information or “important data,” for which network operators must first conduct a security self-assessment of the risk of overseas transfer.
In addition to the security self-assessments, before transferring personal data overseas, a network operator must disclose to all individuals whose data is included the purpose, scope, and type of the transfer and the country or region to which the data will be transferred, and must obtain informed consent from each of them. Further, draft data transfer regulations suggest that network operators may be required to disclose the results of their security self-assessments to relevant industry regulators, such as the Chinese Food and Drug Administration or the Chinese Banking Regulatory Commission, prior to conducting any large-scale outbound transfers of personal information (comprising more than 500,000 individuals per year).
The CSL's draft implementing regulations also suggest that network operators will be required to disclose the results of security self-assessments to (and potentially be required to receive approval from) relevant industry regulators prior to transferring “important data” outside of China. “Important data” broadly includes information relating to population health, important financial data, and other data affecting national security, economic development, or the public interest. The current draft regulations suggest that network operators may be prohibited from transferring certain “important” data overseas if the transfer could endanger Chinese national security, economic development, or public interests.
Takeaways for Businesses Operating in China
Companies operating in China should consider the following steps to better comply with the CSL's new and evolving legal requirements, as violations can result in fines, disgorgement, website suspensions, and business license revocations:
• Consider whether your business qualifies as a network operator or CIIO.
If your business qualifies as a network operator (which it likely does), you should consider taking immediate steps to build up your CSL compliance program, including implementing the baseline security measures required by the CSL. Consult counsel to determine if you qualify as a CIIO, in which case you will be subject to heightened compliance requirements.
• Consider conducting a cybersecurity risk assessment to identify potential compliance risks and gaps, and implement remediation measures.
Conducting an effective cybersecurity risk assessment can help your business identify areas of vulnerability and noncompliance and prioritize areas for remediation. Compliance with the cybersecurity requirements has been an enforcement priority of Chinese regulators since the CSL came into force.
• Determine what types of data your business collects and generates in China.
It is important to understand the types of data your business collects and generates in China, especially whether any of it falls into the definition of “personal information” and/or “important data.” Working with your IT departments and business units to map the types of data you collect and store in China will help you to better design or update your privacy protection and data localization/transfer policies and procedures for China business. This is particularly significant for companies collecting personal information in China that is processed by an office outside of China (e.g., health care, insurance, retail finance).
• Review and update existing privacy policies/notices, agreements, and employment contracts to comply with the privacy protection requirements imposed by the CSL.
The Chinese government has subjected Internet companies and other consumer-facing enterprises to heightened scrutiny of privacy protection practices. Updating existing policies and contracts is an easy way to ensure compliance with this portion of the CSL's requirements.
• Provide training for Chinese employees to ensure awareness of cybersecurity and data protection policies and procedures.
A company's cybersecurity system will only work well if employees are trained properly on it. Consider providing data security and privacy protection training for all employees in China, and enhanced security training for specific employees in key positions.
• Closely monitor the legislative developments.
Because many of the CSL's implementing regulations, guidelines, and standards are still in draft form, with additional rules and regulations to be issued throughout 2018, companies should actively monitor legislative developments relating to the CSL.
Cori Lable, a partner in the Hong Kong office, Zach Brez, a partner in the New York office, and Jodi Wu, a partner in the Shanghai office, are all members of Kirkland & Ellis' government and internal investigations group.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.