Close on the heels of a sweeping new National Security Law, the Standing Committee of the National People’s Congress released last month for public comment a very significant draft Network Security Law (“Draft Law”), also referred to as the draft Cybersecurity Law.
Since it came into power in 2012, China’s current leadership has attached an unprecedented level of attention to network security, which it sees as a core aspect of national security. Marking the establishment of a new Central Leading Group for Cyberspace Affairs in 2014 that he himself would lead, President Xi Jinping declared that “network security and informatization are key strategic issues related to national security and development,” and that “national security no longer exists without network security.” President Xi went on, in those remarks, to call for the development of a legal infrastructure for the administration of cyberspace, with particular emphasis on the protection of “critical information infrastructure” (see further discussion below). The resolution of the Fourth Plenum of the Central Committee of the Chinese Communist Party in October 2014 echoed this theme.
The focus on network security appears to stem from the explosive development and extensive usage of network and information technologies, made more pressing by Edward Snowden’s disclosures in 2013 regarding activities of the US National Security Agency (NSA). Since the Snowden leaks, it has been repeatedly reported that the Chinese government is working actively to wean government networks and financial systems off of IT products and services from foreign companies. The Draft Law is the government’s latest effort to consolidate existing security-related requirements and grant government agencies more security-related powers. On its face, the Draft Law does not discriminate against foreign products and services. However, designed to “safeguard cyberspace sovereignty and national security,” it could be implemented to become an additional hurdle for foreign companies seeking to access China’s vast market if and when it comes into effect.
The draft Network Security Law is a major, high-level step in implementing the government’s priorities in cyberspace and on information networks more broadly. The Draft Law is engineered to govern most activities that take place over “computer networks,” defined broadly in Article 65(1) to encompass essentially any “network or system, composed of computers or other terminals together with relevant devices, that serves to collect, store, transmit, exchange, or process information following predefined rules and procedures.” Compared to the much more general terms in the National Security Law, the seven chapters and 68 articles of the Draft Law provide more details on, among other things, security requirements for network-related products and services; data privacy; and monitoring and emergency response systems. The Draft Law attempts to (1) sort out and develop, in a more systematic way, existing but scattered legal requirements (e.g., obligations of network users to provide real identities and obligations of network operators to protect personal information of users), and (2) implement new, high-priority mandates such as provisions on the protection of critical information infrastructure.
Foreign investors should pay particular attention to the following proposals in the draft Network Security Law:
- Procurement-Related Security Reviews for Network Products and Services. The Draft Law proposes that network products and services that operators of “critical information infrastructure” procure must pass a security review if they “may affect national security.” “Critical information infrastructure” is a new term that is defined broadly by the draft to include networks and systems in sensitive areas such as public communications, radio and television, energy, transportation, water, finance, utilities, healthcare, social security, military, and government administration. Furthermore, the definition also contains a loose catch-all for networks and systems that “have a large number of users.” The draft does not explain what would constitute a “large number,” but one could imagine it being interpreted broadly to cover, for instance, websites run by online service providers. This new security review requirement could have a significant impact on information technology companies that supply products or services to operators of “critical information infrastructure,” such as banks, utility companies, transport companies, and major websites.
- Data Localization Requirements. Operators of what is deemed to be critical information infrastructure must store “important data” such as users’ personal information collected and generated during operations within PRC territory. If they seek to store or transfer such data overseas for business reasons, their request must pass a new government security assessment. The draft is unclear as to what, beyond personal information, would be considered to be “important data” for these purposes.
- Government National Security Standards. The Draft Law proposes to formulate and revise national and industry standards on network safety management and on network products, services, and operations; grant government support to key industries and innovation projects related to network security technology; adopt a multi-level protection system on network security; and publish a catalogue on key network equipment and network security products. Given past experience, it is possible, if not likely, that such standards and policies may be formulated in a way that favors homegrown technologies, products, and services, particularly given the emphasis on national security.
- Data Privacy Requirements. The Draft Law also consolidates a number of rules on data privacy and protection that are currently scattered across a range of laws and regulations, and adds some new ones — e.g., an expanded definition of personal information and notification requirements for data breaches. A discussion of the data privacy implications of the draft can be found on Covington’s privacy blog, Inside Privacy, here.
Companies, industry associations, and governments — both foreign and domestic — are advised to pay close attention to the development of this draft law as it may have important implications for the business environment in China. Those with more significant interests in the country may seek to further engage with Chinese policymakers to ensure that their interests are taken into consideration.