May 20, 2016

China’s Legislature Gears Up to Pass a Sweepingly Vague Cybersecurity Law

Drew Foerster

While businesses in the United States may feel they suffer from a multitude of sometimes contradictory laws, regulations, and standards governing their information governance and security practices, in the People’s Republic of China businesses face a different problem with few laws and regulations that are both vague and grant law enforcement and judicial authorities a large degree of discretion when interpreting them. In response to a lack of unified information governance and security standards, in July 2015, the Legislative Affairs Commission of the Standing Committee of the National People’s Congress (NPC) in China publicly released a draft cybersecurity law (also translated as the “Network Security Law”) that, if passed into legislation, will along with the implementing regulations provide more sources of guidance but also of ambiguity. At this point, no one knows when the Standing Committee’s next move on this law will come; however, the fact that the NPC’s Standing Committee has released a draft version strongly suggests that the NPC will not let the law languish like a draft personal information protection law that has not seen any action since representatives from various Chinese ministries submitted it to the State Council in 2009.

The State Council oversees Chinese ministries and departments, and the NPC oversees the State Council. The Standing Committee of the NPC for all intents and purposes wields the authority of the whole NPC; rarely, if ever, have representatives to the NPC attempted to deviate from the Standing Committee’s actions and recommendations. The NPC as the national legislative body of China ultimately of course carries out the task of officially promulgating laws. The draft cybersecurity law identifies one administrative body in particular, the Cyber Administration of China (CAC), as the main agency responsible for implementing most of its provisions. The text of the draft law, though, refers to the CAC as the “National Network Information Department,” which could also be translated as the “State Cyber Information Department.”

Why Businesses Should Care

Businesses operating in China should care a great deal about this draft cybersecurity law because it contains several provisions that could greatly impact their information security practices and liabilities. To give one initial example, businesses could face the confiscation of between one and ten times their “illegal gains” that result from misusing or failing to protect personal information. Another provision in the law, article 10, gives any individual or organization the “right” to report practices that “threaten” information security to various Chinese authorities to include the ministry of industry and information technology or the ministry of public security. There are no indications yet whether businesses in China can contract away this right, or require initial reporting internally within the company, with a well-drafted nondisclosure agreement or some other contract. These are two examples of the many provisions in this draft law that businesses operating in China will need to shape their operations around in order to minimize their legal liability risks.

Not only does anyone have the right to report insecure information governance practices to authorities, but any individual who has suffered undefined “damage” resulting from “network operators” violating any of the draft cybersecurity law provisions has the right to bring a civil suit against those network operators. The draft law, however, does not provide any guidance concerning what sorts of damage may give rise to such civil claims. In addition, the draft law’s definition of network operators is so vague and generalized as to potentially apply to all businesses operating in China since nearly all businesses administer computer networks at least for internal use.

Mandatory Reporting Requirements and Providing Assistance to Chinese Law Enforcement

While anyone generally has the right to report insecure information governance practices to the government, according to the draft cyberspace law network operators have the duty to report security defects, loopholes, or other network security risks to both users and to the government, and to remediate those problems. When network operators discover data breaches, or data destruction or loss, then they must immediately notify users and authorities, and immediately remediate the issue. The law, however, does not define “immediately” with any specific deadlines, nor does it provide any guidance to help network operators discern when their knowledge about an actual or potential data breach has crossed into territory creating the duty for them to carry out the above measures.

Article 23 of the draft cybersecurity law also requires network operators to provide assistance and support to Chinese law enforcement authorities for the purposes of national security and criminal investigations. The draft law does not further elaborate what specific duties this provision may impose on network operators, though such information may come in the implementing regulations.

Enforcement

Article 59 of the draft cybersecurity law actually imposes fines on network operators who fail to cooperate with law enforcement, or who fail to report “network security risks or network security incidents to relevant competent authorities.” These fines range up to 500,000 RMB (around $77,100) for network operators, and up to 100,000 RMB (around $15,400) for individuals responsible for failures to report or cooperate. Notably, though, article 59 does not specify that violation of this duty could result in businesses losing any permits or licenses as other articles in the legal liability chapter of the draft cybersecurity law do.

At least within the terms of the draft cybersecurity law, refusing to provide assistance to Chinese authorities may result only in relatively modest financial fines. In any case, though, Chinese law enforcement can leverage other laws and regulations to impose harsher penalties for failing to cooperate with them. For example, article 84 of China’s new December 2015 antiterrorism law allows 5 to 15 days of imprisonment for, under undefined “grave circumstances,” failing to provide network security sufficient to prevent the dissemination of materials containing terrorist content.

General Network Operator Cybersecurity Mandates

In December 2005, the ministry of public security promulgated a set of regulations titled “Provisions on Technical Measures for Internet Security Protection” that imposed a number of duties on Internet service providers, Internet information service providers, Internet data service center providers, and “organizations that use networks.” It defines this last category as “organizations that need to connect with and use the Internet for their applications.” That definition would seem to encompass all modern businesses operating in China. It does not define Internet information services providers, but the plain meaning of this term would seem to encompass the vast majority of business enterprises in a modern economy.

These Internet security protection regulations reference the enforcement mechanisms in an earlier set of ministry of public security regulations, the December 1997 “Administrative Measures for Protection of the Security of International Internetworking of Computer Information Networks.” These regulations impose very modest fines on the individuals responsible for the violation of a specific set of information security practices listed in the 1997 and the 2005 ministry of public security regulations. However, if “the circumstances are serious,” with “serious” left undefined, then law enforcement may shut of network connections, shut down devices, and even recommend that other administrative units revoke business licenses.

The following presents some of the more important duties imposed by these two ministry of public security regulations:

  • provide information, materials, and other data to law enforcement
  • comply with law enforcement orders to delete accounts, network directories, or servers
  • register organizations and individuals entrusted with publishing content online
  • establish procedures to review that content
  • register users
  • record the login and logout times of users, noting their telephone numbers, network addresses, or other identifiers, and recording correlations between private and public identifiers
  • prevent the lease or transfer of user account identifiers
  • establish rules for the administration of information security practices
  • adopt technical security protections, including any required for network security
  • conduct security education and training of network users
  • put in place backup and disaster recovery measures and equipment
  • censor content in compliance with Chinese censorship laws and regulations
  • prevent website alteration and defacement

The draft cybersecurity law would similarly mandate that network operators

  • obtain consent from users to collect their data;
  • inform users about the purpose of collecting their data, and inform the public about the network operator’s rules for collecting the data;
  • collect data only if necessary and relevant to the services and/or products that the business provides;
  • implement data classification schemes;
  • encrypt important data, with “important” left undefined;
  • monitor, record, and log network activity;
  • adopt technical measures to prevent network attacks, network intrusions, and other problems such as computer viruses;
  • adopt network management procedures, and appoint a network security administrator.
  • authenticate network users using their true, legal identities;
  • provide security maintenance for networking services for as long as contractual obligations or unspecified rules require (these rules may come in the form of regulations under the draft cybersecurity law);
  • when purchasing “key” network equipment or services, only purchase those that have obtained certification from a government authority such as the CAC, or that has obtained certification from “qualified” private sector organizations.

Unlike U.S. business entities, which may state in their founding and governance documents that they may engage in any lawful business, China does not permit such a universal catch-all; all businesses in China must specifically list the domains of their business activities in their formation and governance documents, so enforcement of this data collection restriction likely will reference those business scope statements.

The law does not further define what makes a network equipment or service “key,” nor does it specify how nongovernmental organizations might obtain the qualification to issue such certifications except to note that the CAC will provide further guidance.

Enforcement

Violating these general compliance requirements for network operators carries fines of up to 500,000 RMB (around $77,100) for the responsible organization, and of up to 100,000 RMB (around $15,400) for responsible individuals. Refusing to authenticate users’ true identities after receiving warnings from authorities to do so, or creating “serious circumstances” by failing to authenticate users using their true identities, can result in businesses losing their licenses or permits, having some or all of their business operations shut down, or having their websites closed. These additional penalties could also result from failing to prevent the transmission of prohibited (potentially politically sensitive) information or failing to dispose of data when ordered to do so.

Strict Compliance Requirements for “Key Information Infrastructure” Administrators

In addition to the general requirements for all network operators, the draft cybersecurity law imposes a large number of additional requirements on administrators of “key information infrastructure.” Although the law does identify some specific industries that fall in this category, it introduces an undefined category of “network service providers with a large number of users” as well. So far, the Chinese government has not revealed how broadly it intends to define this category. What sorts of services qualify? How many users will be considered a large number of users? Hopefully the Standing Committee of the NPC will answer such questions as it crafts a final version of the law.

In addition to “network service providers with a large number of users,” the draft cybersecurity law provides a non-exhaustive list of examples of facilities that will be considered key information infrastructure. These facilities are: communications, energy, transport, water, finance, medical care and public health, social security, and of course military and government facilities. Because the draft law only provides these industries as examples, it implicitly leaves open the possibility that other industries could also be considered key information infrastructure based upon other sources of authority such as the CAC.

Key information infrastructure administrators must implement the following measures in addition to the previous list of measures that all network operators would need to implement:

  • localize personal information and operational data storage in China, or obtain approval from the CAC to store such information abroad
  • obtain approval from the CAC to purchase certified network products or services
  • conduct background checks for security personnel
  • commission either in-house or outside professionals to test security at least once a year, and submit the results to all government departments responsible for overseeing key information infrastructure.
  • conduct “regular” emergency response and network security incident response drills.

The draft law does not specify which exact departments these will be, or whether a new one will be created. In addition to network operators organizing security testing on their own, the draft law authorizes the Chinese government to conduct random security testing, or to entrust such testing to third party professionals.

Considering that the law would require security testing at least once a year, these “regular” incident response drills probably should occur with at least the same frequency. The draft cybersecurity law also tasks the CAC and any other relevant government departments with conducting “regular” industry-wide incident response drills.

Enforcement

In general, key network infrastructure administrators that violate any of these provisions could face fines of up to one million RMB (around $154,700), and the individuals responsible for such violations could face fines of up to 100,000 RMB (around $15,400). If businesses use network equipment or services that have not received required security certifications, or passed security reviews, then authorities could shut down use of such equipment or services and fine the responsible entity either specific sums of no more than 100,000 RMB (around $15,400), or fine the responsible entity a sum of money totaling to no more than ten times the purchase price of the equipment or service.

If an entity operating a piece of key network infrastructure stores data abroad or provides it to entities abroad with government permission, then the organization could face fines of up to 500,000 RMB (around $77,100), the responsible individual could face fines of up to 100,000 RMB (around $15,400), and, like the penalty for failing to authorize users, businesses could face losing their licenses or permits, having some or all of their business operations shut down, or having their websites closed. In addition to the fines, the government could also confiscate the “illegal gains” of businesses that commit such violations. The draft cybersecurity law, though, does not provide any guidance for defining “illegal gains” in this context.

Protecting Personally Identifiable Information

Potentially one of the most useful aspects of the draft cybersecurity law is that it provides a more specific list of personal information than any previous Chinese law or regulation. Its definition of personal information also explicitly encompasses situations in which multiple types of data when considered in isolation may not enable identification, but when considered together do enable the identification of specific persons. This list, however, is non-exhaustive, so other sources of authority such as implementing regulations could add to it.

  • name
  • date of birth
  • identity numbers
  • personal biological information
  • address
  • telephone numbers
  • occupation

Article 38 of the draft cybersecurity law forbids businesses to sell the personal information of citizens to others. Although the other prohibitions expressed in this article prohibit only illegal means, this prohibition contains no such qualification.

Enforcement

Misusing or leaking personal information carries the same penalties as storing data abroad without permission, except that in the case of violations of personal information violations, businesses could be fined up to 10 times their “illegal gains.” The draft law also grants individuals the authority to demand that network operators delete personal information collected in violation of the law’s provisions, and to demand the correction of erroneous information. Perhaps more significantly for businesses, the catch-all allowance of civil claims for violating provisions in this draft law will likely make it easier for citizens to sue businesses for violating their privacy than the much less enforceable cause of action for privacy violations in the general tort liability law. However, China still does not permit true class action lawsuits, so that barrier to large legal liabilities still remains.

Anti–Black Hat Hacking Enforcement

The draft cybersecurity law imposes a number of financial penalties for black hat hacking activities such as writing and deploying malware, none of which approach the seriousness of criminal penalties under China’s criminal law. The catch-all allowance of civil claims against violators of the cybersecurity law does reinforce, though, the ability of black hat hacking victims to directly sue their attackers to recover civil damages. If Chinese authorities do not feel they have amassed enough evidence of criminal acts, though, then article 60 does still permit Chinese authorities to punish any behavior that jeopardizes public security such as, in particular, black hat hacking activities identified in article 22. All individuals in China, though, should be aware that this same provision permits Chinese authorities to punish anyone whom they judge has violated any of the provisions in the cybersecurity law even if there is insufficient evidence of criminal conduct. Unfortunately, the draft law does not provide any more details about this very expansive grant of authority.

Looking Ahead

In the explanation portion at the end of its draft cybersecurity law, the Standing Committee announces that it will consider “. . . whether the experiences of relevant countries, main systems, and foreign practices and methods take a unified approach, and also will consider domestic and foreign financial enterprises without distinction or special treatment.” While the official period for taking comments about the proposed law closed in August 2015, a month after the Standing Committee of the NPC released it, no doubt the Chinese government is paying attention to international discussions about information security issues in the news where debates such as those between the FBI and Apple, and between the United States and the European Union over the Safe Harbor-now-Privacy Shield. When the Standing Committee next moves on its draft cybersecurity law, it could do so by releasing a second draft, or it could promulgate a final version of the law. There is no way to predict what future differences there may be between the future final version or second draft and this first draft.

Drew Foerster

Drew Foerster is an attorney in Seattle, Washington, with a practice focused on information technology, intellectual property, and business law. In his free time, he enjoys spending time with his family and friends, and also providing pro bono legal services to non-profits with a focus on governance based upon the principles of sociocracy.