The Chinese Cybersecurity Law
China’s Cybersecurity Law is a data privacy law that was passed by the Chinese government in 2017. As China is the world’s most populous country and in turn has the largest online presence in the world, protecting the data privacy rights of Chinese citizens is of the utmost importance. Consisting of 79 articles broken up into 7 chapters, China’s Cybersecurity Law is particularly large in scope. The law contains an encompassing framework that targets the regulation of internet security, the protection of personal or sensitive data and information, and the development of safeguards for both cyberspace security and sovereignty. China’s Cybersecurity law is similar in scope and function to the cybersecurity framework that has been adopted by the U.S. National Institute of Standards and Technology or NIST.
To this point, the Chinese Cybersecurity Law also emphasizes specific requirements in regards to network services, products, information and operations security, early detection, monitoring, emergency response, and reporting. In terms of the data privacy aspect of the Chinese Cybersecurity Law, the law is similar to other data protection privacy laws around the world that place requirements and restrictions on the processing of personal data or information. Moreover, the law also offers insights in relation to how the Chinese government plans to handle the flow of personal data and information across international borders?
What are the requirements of network operators under The Chinese Cybersecurity Law?
Under China’s Cybersecurity Law, network operators must follow a list of requirements in order to achieve compliance. These requirements are as follows:
- The establishment of security policy and operation features, the utilization of network protection technologies, designated network security personnel, data classification, encryption, retention of a network operation log for a minimum period of six months, and the monitoring and tracing of both network incidents and activities.
- Both internet service and product providers must obtain authorization from Chinese citizens prior to collecting their personal data or information.
- Internet service and network equipment providers must adhere to specific requirements set forth by the Chinese government, as well as gain certification from an authorized agent prior selling any products or rendering and services to the general public.
- Network operators are required to verify the true identity of a client before providing said client with any form of service.
Network operators are required to develop and maintain a cybersecurity incident response plan that promptly and effectively addresses various cybersecurity risks including network attacks or intrusion, potential virus infection, or system vulnerability.
- Network operators must oversee the execution of risk assessments, cybersecurity authentication, and testing that is compliant with other relevant Chinese legal provisions.
- Though not required by law, network operators are also encouraged to implement enhanced cybersecurity assessments, periodic reporting, and to establish cybersecurity standards that are consistent with industrywide standards.
Conversely, the Chinese Cybersecurity law also lays out various requirements related to operations security for Critical Information Infrastructure or CII for short. Under the Chinese Cybersecurity Law, CIIs must adhere to the following operations security provisions:
- Operation security provisions must place emphasis on cybersecurity protection in the specific areas of information and public communications services, water conservancy, transportation, energy, public services, finance, e-government, and other various pivotal industries and fields.
- Operation security provisions must define clear roles and responsibilities concerning who will be responsible for planning, guiding, and monitoring the security operations of a given CII.
- Operation security provisions must ensure the continuity and stability of operations of a CII.
- Operation security provisions must allow for the setup of a dedicated security management body, as well as a security management leader than can conduct security background checks on individuals in key positions. These provisions must also allow for the periodic testing of network security, as well as skills evaluations for employees in addition to technical training. Moreover, provisions must be made to conduct disaster recovery backups of all pertinent critical systems and data. Emergency response plans must also be formulated in the case of cybersecurity incidents. These response plans must also include the performance of periodic drills.
- Operation security provisions must allow for CIIs to retain key data and private information that is collected or otherwise produced while operating within China. State network information departments and applicable departments of the Chinese State Council must also conduct security assessments if this information needed to be transmitted outside of China.
- CIIs must also conduct annual cybersecurity risk assessments. These assessments can be conducted internally by a CII or externally by a third party vendor. These assessment reports, in addition to remediation plans, must also be provided to all departments that are responsible for the security protection of CIIs.
- State network information departments must also coordinate and carry out concerning cybersecurity and the potential risks associated with CIIs, routinely coordinate CIIs into conducting network safety emergency drills and procedures, promote the sharing of network information security among other relevant departments, and provide both technical assistance and support for the emergency management and recovery for network security.
How is personal information defined under the Chinese Cybersecurity Law?
Under China’s Cybersecurity Law, personal information is defined to mean “information recorded by electronic or other means that can be used alone or in combination with other information to identify a person, including name, date of birth, identity document number, personal biometric information (such as fingerprints, facial recognition and retina scans), address, telephone number and similar personal details”. Under the Chinese Cybersecurity Law, network providers must adhere to the following requirements in relation to protecting the personal information of Chinese citizens:
- Network operators are responsible for creating and maintaining a private information protection system or mechanism that will ensure that user information is kept strictly confidential at all times.
- The collection and use of all private information must be in compliance with applicable laws and regulations such as the Chinese Cybersecurity Law. This private information may not be collected without the user’s consent, and all laws and regulations must be made available to the public. To this end, network operators are not permitted to collect personal information that is unrelated to the services in which they provide.
- The Chinese Cybersecurity Law prohibits the disclosure, damaging, tampering, or sharing of an individual’s personal information without their consent. Security measures must also be taken to ensure the safety of private information at all times. Furthermore, emergency security measures must also be implemented in the event of the loss of private information. In such instances, notifications must be sent to all relevant parties and users.
- In the event that a user discovers that a particular network operator has violated any provisions of the Chinese Cybersecurity Law, said user has the right to request their private information be removed from the network operator’s possession. Users can also request that their information be corrected or updated when errors are discovered.
- Network operators are also responsible for strengthening the management of all information that is published by their users. Immediate security measures must also be implemented that will prohibit the unauthorized transmission or publication of inappropriate information.
What are the penalties for violating the Chinese Cybersecurity Law?
Under China’s Cybersecurity Law, network operators who are found to be in violation of the law can face both monetary and penalties as well as legal liabilities. These penalties can be applied to both individuals as well as business entities and enterprises. Monetary penalties for violation of the Chinese Cybersecurity Law can range anywhere from RMB 5,000 ($773.91) to RMB 1,000,000 ($154,781). To the contrary, potential legal consequences can include the suspension of an organizations or enterprises business license, the revocation of said business license, the removal of liable individuals from their office or job function, and criminal liability.
While the Chinese Cybersecurity Law has drawn some criticism from American media outlets in relation to the somewhat ambiguous nature and scope of the law, the law undoubtedly provides Chinese citizens with another layer of protection in regards to their personal information. As China is the world’s most populous country and by extension boasts the most internet users of any other country in the world, laws such as the Chinese Cybersecurity law are very much needed. With such legislation, Chinese citizens can rest assured that they are afforded an avenue of recourse in regards to the personal information that they share with network operators via the internet.