On February 4, 2017, the Cyberspace Administration of China (“CAC”) issued its consultation draft measures for the security review of online products and services (“draft measures”), among the anxieties caused by the vagueness of multiple provisions in China’s Cyber Security Law (“Cyber Security Law”).  Cyber Security Law was promulgated by the Standing Committee of the National People’s Congress of China (“NPC”) on November 7, 2016, which will take effect on June 1, 2017. CAC’s February move, immediately following the Chinese New Year holidays, marks the first top-level administrative efforts to clarify the Cyber Security Law.  CAC, also known as the Office of the Central Leading Group for Cyberspace Affairs, was founded in 2014 and operates under a special group headed by the Communist Party General Secretary and President of China, Mr. XI Jinping and imposes an “imperial envoy” type of influence on the enforcement of the Cyber Security Law.   

The draft measures provides for an establishment of a cyber security review committee to handle cyber security review of online services and products. The draft measures reiterated that key information infrastructure operators must procure online services and products that have passed such review. The Cyber Security Law introduced a new concept of key information infrastructure operators, which are defined to include operators of (i) any information infrastructure used for public communication and information service, energy, transport, water conservancy, finance, public services, e-government affairs, or other important industries and fields; and (ii) other key information infrastructure, the destruction, function loss or data leakage of which will possibly result in serious damages to the national security, national economy, people’s livelihood or public interests. A key information infrastructure operator is subject to higher obligation which include keeping in China all identifiable personal data and important data collected and generated during their operation in China under the Cyber Security Law. Even if a company does not fall within the definition of key information infrastructure operator, if it provides online services and goods to customers that fall into one of the identified sectors of a key information infrastructure operator, then the supplier needs to go through a cyber security review for its online products and services before it can continue to supply to a key information infrastructure operator.

The draft measures still leave many questions unanswered, for example the composition of the cyber security review committee, whether disclosure of proprietary source code will be required, the timing for the review, whether appeal is available against decision of the committee.  We expect to see more guidance on the implementations of the Cyber Security Law around the time the law takes effect in June 2017.

By way of background information, Cyber Security Law was promulgated by the Standing Committee of the National People’s Congress of China (“NPC”) on November 7, 2016, which will take effect on June 1, 2017.  Fundamental concepts introduced by Cyber Security Law are broadly and vaguely defined, which result in the scope of the law’s application largely subject to the formidable discretionary power by the regulators. Cyber Security Law, in its multiple sections, calls upon the State Council (China’s highest administrative authority) to issue detailed rules for the implementation of the law.  CAC’s draft measures send a signal from China’s ruling Communist Party that clarifications on the law are on the way.