The first draft of the Cybersecurity Law was released in July 2015. On July 5, 2016, China’s National People’s Congress (“NPC”) released a revision of the Cybersecurity Law for public comment. The revised draft contains several significant changes, but many of the provisions from the first draft that raised concerns among multinational companies, especially those in the tech sector, remain. The new Cybersecurity Law means strict new rules for foreign companies doing business in China and has the potential to discriminate against foreign technologies in favor of domestic industry.
What and who it effects:
- Network product and service providers, operators*: These companies are now required to censor any information deemed ‘critical’ or ‘banned’ and demand real name registration for any user of services like instant messaging.
- All personal information for citizens in China and any business data deemed ‘important’ must be stored on storage devices inside mainland China. The terms are vague enough to apply to a wide variety industries and a wide variety of data. Any data transmitted outside of China by any entity must first be reviewed and approved.
- All network transmissions must be monitored and “network security incidents” are required to be reported. The company, service provider, or operator is then required to give “technical support” to help in an investigation. This might result in authorities access to internal or external communications, etc.
- The new law also states that no individual will be allowed to use the internet to endanger national security, promote terrorism, spread false information to disturb the economic order, etc. This is a very open-ended regulation and may be interrupted to fit a multitude of situations.
Summary: Regulations most impactful to foreign companies
The 6 primary directives:
- Clarify the cyberspace sovereignty principle;
- Clarify the security obligation of network product and service providers;
- Clarify the security obligation of network product and service operators*;
- Further improve personal information protection rule;
- Establish the Critical Information Infrastructure security protection system;
- Establish the cross-border data transmission rules of important data on Critical Information Infrastructure.
Click here for an overview of the pertinent Articles and the Critical Information Infrastructure
Click here for a complete translation of China’s new Cybersecurity Law by the American Chamber of Commerce – China
One of the main challenges the new Cybersecurity Law brings is the requirement that data be stored in mainland China. That coupled with the common practice of multinational companies to centralize their IT infrastructure outside of China. Rebuilding an IT infrastructure in China from scratch is not practical, nor is it feasible to “move everything to China”.
If this is your dilemma, CDS has the solution. We can provide an easy to deploy, low impact, and fully legitimate solution. Contact us for details.