The Foreign Company’s Guide
to Navigating China’s New Cybersecurity Law
The new Cybersecurity Law of China (CSL) took effect June 1, although implementation of some provisions has been delayed. Many foreign companies are concerned about the effects the CSL will have on their ability to do business in Hong Kong and mainland China.
The first draft of the CSL was the 2015 National Security Law, in which the government outlined goals for protecting its “cyber sovereignty” and cyber security. The law was deliberately vague, allowing room for the development of more specific regulations as needed. This leaves many businesses and analysts trying to understand the actual implications of the CSL. The main points of concern are:
- Privacy and Intellectual Property
The CSL requires certain businesses (primarily tech companies) operating in China to provide information about their cybersecurity networks, equipment, and software to the government.
- Citizen Data Rights and Protections
The CSL includes data localization provisions requiring that all Chinese citizens’ personally identifying information (PII) be stored in mainland China, and enacts several sub-rules, including a requirement that businesses must obtain the individuals’ consent before collecting, processing, and storing personal data. Citizens must also be able to easily correct or delete the data collected and be afforded the ability to cancel their accounts or withdraw consent at any time.
- Data Restrictions
Companies are legally responsible for all information collected, regardless of how it was obtained. Data must be collected for a specific purpose and must be deleted upon completion. Information cannot be sold, and the accuracy of all information must be ensured. Any data transmitted outside of China by any entity must first be reviewed and approved.
- Cybersecurity Measures
Rules for securing the data of citizens are outlined, as well as risk reporting guidelines around network services and products, incident contingency, network maintenance plans, and government certifications or inspections of cyber security services and products to be sold in the country. All network transmissions must be monitored, “network security incidents” must be reported, and subsequent “technical support” is required. This support may result in authorities accessing internal or external communications, etc.
- Individual Responsibilities
Individuals using mobile phone SIM cards and online gamers must register under a real name and provide their true identities to Internet providers before publishing content, using instant messaging or accessing other services. Also, Internet providers are required to censor any information deemed ‘critical’ or ‘banned.’ Non-registered gamers cannot make in-game purchases. Baidu, China’s largest online search engine, now requires users to register their real identities to participate in online forums or purchase storage.
Grace Period for Foreign Businesses
To give foreign businesses time to make adjustments, the government has enacted a 19-month grace period before requiring their compliance.
The interpretation of the new CSL is still under debate. The implications for foreign companies can be far-reaching and expensive. For most companies, data collection, storage, and maintenance will require costly restructuring of existing IT infrastructure. Some businesses are considering building new facilities to meet data localization requirements. Others are seeking assistance from companies native to mainland China.
Interpreting the new law should be approached with caution, as penalties may be stiff. Failing to adhere can incur penalties of up to 10 times a business’s out-of-compliance gains. But the alternative – not doing business in China at all – could be far worse. Experts from AmCham China, the American Chamber of Commerce in China, suggest the following:
- Use AmCham China and other industry groups to stay current on the issuance of any revisions or the implementation of regulations by the CAC or other governmental bodies
- Review your company’s procedures for the storage and exporting of personal data for compliance with the CSL. Remember to include any third-party agencies that have access to the restricted data
- Establish and practice protocols for unexpected visits from government authorities
- Establish a team responsible for assuring the basic network security requirements of the CSL to prevent security breaches and to maintain network logs for a minimum of six months
- Evaluate compliance with existing regulations governing network security
- Consider working with a mainland partner who can offer guidance and advice
For any foreign company, doing business in China can be challenging. The assistance of a mainland partner can be invaluable. An insider’s experience and knowledge can help prevent costly and time-consuming mistakes. When navigating the frequently changing rules and regulations, ensuring CSL compliance, or obtaining an ICP Registration Number, the right partner can make all the difference. CDS fosters a strong working relationship with regulatory officials, even providing a dedicated office for their use at our headquarters in Beijing.
CDS Global Cloud is a subsidiary of Capital Online Data Services, headquartered in Beijing and the only publicly traded network and data center provider in mainland China. Established in 2005, Capital Online Data Services has over 50 data centers in mainland China and peers with all major carriers in China. No one provides better communications coverage in China than CDS.
Globally, CDS has an additional 16 data centers interconnected via Layer 2 fiber-optic cable forming a Global Private Network (GPN). Our GPN provides a significant advantage over all other providers as far as Internet access and connectivity from mainland China to the world. With the CDS GPN, data synchronization through the Great Firewall is fast, reliable, and secure – independent of the public Internet. There is no delay caused by traffic congestion at the GFW and zero packet loss. Data synchronization is seamless.
China is the fastest-growing e-commerce market in the world. Don’t miss out on all that China offers. With CDS as a trusted partner, we can help you navigate the regulatory complexities with no missteps and maximum return. CDS delivers fast, seamless data synchronization, a full range of Cloud services and both SSD and Object storage.