While Americans enjoyed BBQ and apple pie over the Independence Day holiday, China continued to release policy, rules and regulations surrounding its new China Cybersecurity Law (CSL).
China’s goal is to establish its Cyber Sovereignty, which includes cybersecurity and data information governance. As seen with the release of the Data Transfer Draft in April of 2017, China will continue to fill in gaps in the CSL framework over the next few months (some say years). Many of the CSL updates apply to all organizations while others will be more industry specific in scope.
Unlike in the West, implementing regulations for a Chinese law can take months to fully materialize, a lengthy process that creates confusion, risk and, obviously, uncertainty. In light of this, some good news was released in June: the government of the People's Republic of China has agreed to an 18-month grace period before the CSL is fully enforced. Instead of June 1, 2017, the enforcement start date is now January 1, 2019. Be advised, though: it would be wise to be in compliance well before that date.
It is anticipated that the government will release updates regarding the CSL on a monthly basis for the next 12 months or so, and it is crucial to stay informed about these revisions.
Below is a summary of five developments between late May and July 4:
1. Provisions on Examination of Network Products and Services were established
On June 1, 2017, the Provisions on Examination of Network Products and Services (NPS Provisions) came into effect. These are a foundational set of CSL standards for network hardware and software that will ultimately consolidate various other rules and regulations into a unified set.
Article 23 of China’s Cybersecurity Law says “key network equipment and special security products should meet the mandated national standards and can be sold or supplied to the market upon receiving the relevant security certification or passing safety compliance inspections. The national cyberspace authority will formulate and make public key network equipment and special security product categories, and promote cross-recognition of certification and compliance check outcomes to avoid any repetition in certification or inspections”.
Essentially, the NPS Provisions establish the minimum hardware and software standards for network equipment that may be used by Critical Information Infrastructure Operators. This includes routers, firewalls, switches, intrusion detection systems and other backbone servers and hardware.
2. China CAC published National Cyber Threat Response Plan
On June 27th the Cyberspace Administration of China (CAC) published a new nationwide cyber-attack response plan on its website. The document requires provinces to upgrade networks and immediately implement expert response teams as part of a new centralized reporting system established specifically for the plan. The National Cyber Threat Response Plan includes a four-color warning system that ranks cyber-attacks as red, orange, yellow, or blue depending on severity, with red signaling the highest level of alert.
The plan also requires relevant departments to establish international channels of communication during the sudden onset of international security threats. The regulations also criminalize any failure by government departments or their employees to carry out the plan.
3. China decided to include media and online platforms as Critical Information Infrastructure operators
A consensus has been reached among government agencies to include key news outlets, search engines and major online platforms for shopping, payments and mapping as Critical Information Infrastructure (CII) under the Cybersecurity Law. China is set to announce new rules to bring more clarity to the Cybersecurity Law, especially with regard to the definition of Critical Information Infrastructure companies. While e-commerce leviathan Alibaba will undoubtedly qualify as CII, which of its many units would be subject to the stricter reviews that come with the CII designation remains to be determined.
4. Supplemental guidelines were released for Data Export and Transfer regulations
On May 27, 2017, the National Information Security Standardization Technical Committee of China (NISSTCC) published its draft guidelines for cross-border transfers pursuant to the new Cybersecurity Law, entitled Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (the “Draft Guidelines”). These guidelines supplement the Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (the “Draft Measures”), which were published on May 1, 2017.
CII and Network Operators are to conduct annual “security assessments” when they propose to transfer personal information and “important information” to places outside of China. These “security assessments” are essentially audits of the cybersecurity circumstances surrounding the proposed transfer, intended to gauge the risk involved. If the assessment indicates that the risk is too high, the transfer must not proceed.
The NISSTCC Draft Guidelines are intended to establish norms for the working requirements, methodology, content and determination of conclusions for these “security assessments.” They recommend particular content to consider during “security assessments,” such as the volume of information to be transferred, the political and legal environment in the place where the data recipient is located, and the security safeguard capabilities of both the transferor and the data recipient. At this time, the following observations regarding the Draft Guidelines and Draft Measures for data transfer can be made:
- The Draft Guidelines provide some possible examples of what might constitute “important information”. The Draft Measures impose restrictions on the cross-border transfer of “important information”.
- The Draft Guidelines introduce into the CSL framework the concept of “sensitive personal information,” as well as the possibility of desensitizing this information using processing that removes or reduces the sensitive elements in the data.
- The Draft Guidelines appear to be a voluntary rather than compulsory document.
- The Draft Guidelines appear to take a holistic, risk-based rather than compliance-based approach to determining whether a transfer should proceed.
- The “security assessments” would focus on two overall inquiries:
  - the legality and appropriateness of the proposed cross-border transfer, and
  - the ability to control the risks involved.
The Draft Guidelines were open to comment from the general public through June 26, 2017, and their content and approach could change by the time they are finalized.
5. CAC held briefing with AmCham Shanghai
On June 29, Zhao Zeliang, Head of Cybersecurity Liaison Office of Cyberspace Administration of China (CAC), had a closed-door, round-table discussion with 30 US business representatives on China’s Cybersecurity Law. Mr. Zhao took questions from company representatives on the compliance and implementation aspects of the law. Questions raised during the discussion included the definition of critical information infrastructure (CII), data localization requirements, cross-border data transfer assessment measures and the definition of network operator.
According to Mr. Zhao, the government is still working on how to define CII. The government is currently accepting comments on the assessment measures for cross-border data transfers, and the measures will hopefully be finalized and published soon. He assured participants that there will be further implementing regulations for different industries and that the CAC welcomes input and constructive feedback from the business community.
Be sure to check back often for more updates as China forges ahead in its quest for complete Cyber Sovereignty and attempts to establish its Cyber Information Governance.