Close on the heels of a sweeping new National Security Law, the Standing Committee of the National People’s Congress released last month for public comment a very significant draft Network Security Law (“Draft Law”), also referred to as the draft Cybersecurity Law.
Since it came into power in 2012, China’s current leadership has attached an unprecedented level of attention to network security, which it sees as a core aspect of national security. Marking the establishment of a new Central Leading Group for Cyberspace Affairs in 2014 that he himself would lead, President Xi Jinping declared that “network security and informatization are key strategic issues related to national security and development,” and that “national security no longer exists without network security.” President Xi went on, in those remarks, to call for the development of a legal infrastructure for the administration of cyberspace, with particular emphasis on the protection of “critical information infrastructure”. The resolution of the Fourth Plenum of the Central Committee of the Chinese Communist Party in October 2014 echoed this theme.
The focus on network security appears to stem from the explosive development and extensive usage of network and information technologies, made more pressing by Edward Snowden’s disclosures in 2013 regarding activities of the US National Security Agency (NSA). Since the Snowden leaks, it has been repeatedly reported that the Chinese government is working actively to wean government networks and financial systems off of IT products and services from foreign companies. The Draft Law is the government’s latest effort to consolidate existing security-related requirements and grant government agencies more security-related powers. On its face, the Draft Law does not discriminate against foreign products and services. However, designed to “safeguard cyberspace sovereignty and national security,” it could be implemented to become an additional hurdle for foreign companies seeking to access China’s vast market if and when it comes into effect.
The draft Network Security Law is a major, high-level step in implementing the government’s priorities in cyberspace and on information networks more broadly. The Draft Law is engineered to govern most activities that take place over “computer networks,” defined broadly in Article 65(1) to encompass essentially any “network or system, composed of computers or other terminals together with relevant devices, that serves to collect, store, transmit, exchange, or process information following predefined rules and procedures.” Compared to the much more general terms in the National Security Law, the seven chapters and 68 articles of the Draft Law provide more details on, among other things, security requirements for network-related products and services; data privacy; and monitoring and emergency response systems. The Draft Law attempts to (1) sort out and develop, in a more systematic way, existing but scattered legal requirements (e.g., obligations of network users to provide real identities and obligations of network operators to protect personal information of users), and (2) implement new, high-priority mandates such as provisions on the protection of critical information infrastructure.
Foreign investors should pay particular attention to the following proposals in the draft Network Security Law:
- Procurement-Related Security Reviews for Network Products and Services. The Draft Law proposes that network products and services that operators of “critical information infrastructure” procure must pass a security review if they “may affect national security.” “Critical information infrastructure” is a new term that is defined broadly by the draft to include networks and systems in sensitive areas such as public communications, radio and television, energy, transportation, water, finance, utilities, healthcare, social security, military, and government administration. Furthermore, the definition also contains a loose catch-all for networks and systems that “have a large number of users.” The draft does not explain what would constitute a “large number,” but one could imagine it being interpreted broadly to cover, for instance, websites run by online service providers. This new security review requirement could have a significant impact on information technology companies that supply products or services to operators of “critical information infrastructure,” such as banks, utility companies, transport companies, and major websites.
- Data Localization Requirements. Operators of what is deemed to be critical information infrastructure must store “important data” such as users’ personal information collected and generated during operations within PRC territory. If they seek to store or transfer such data overseas for business reasons, their request must pass a new government security assessment. The draft is unclear as to what, beyond personal information, would be considered to be “important data” for these purposes.
- Government National Security Standards. The Draft Law proposes to formulate and revise national and industry standards on network safety management and on network products, services, and operations; grant government support to key industries and innovation projects related to network security technology; adopt a multi-level protection system on network security; and publish a catalogue on key network equipment and network security products. Given past experience, it is possible, if not likely, that such standards and policies may be formulated in a way that favors homegrown technologies, products, and services, particularly given the emphasis on national security.
- Data Privacy Requirements. The Draft Law also consolidates a number of rules on data privacy and protection that are currently scattered across a range of laws and regulations, and adds some new ones – e.g., an expanded definition of personal information and notification requirements for data breaches. A discussion of the data privacy implications of the draft can be found on Covington’s privacy blog, Inside Privacy, here.
Companies, industry associations, and governments – both foreign and domestic – are advised to pay close attention to the development of this Draft Law as it may have important implications for the business environment in China. Those with more significant interests in the country may seek to further engage with Chinese policymakers to ensure that their interests are taken into consideration.
These materials are not intended and should not be used as legal advice or other recommendation. If you need a legal opinion on a specific issue or factual situation, please contact a lawyer. Anyone using these materials should not rely on them as a substitute for legal advice.
Remember, no problem has a quick fix solution. Thus, always ensure to consult highly knowledgeable group of professionals whom would provide you with a collective advice, never individual advice. This group advice and approach is unique with CWIIL Group and is based on the overall Management Philosophy of all CWIIL Group Companies.
Consulting CWIIL Group of Companies, for any / all legal matters, ensures advice based on highest level of knowledge which are given to you by a team of select research-oriented experts whom each will do their own assessment of your matter, and also assess it together, thus ensuring that in case a mistake has been made by one, it will be noticed and corrected even before it is being passed on to you. Receiving incorrect and un-knowledgeable business advise can be disastrous and thus should be avoided.
CWIIL Group of Companies is a global group of multi-specialized units with diversified interests and activities, wherein each company is a separate legal entity registered under prevailing laws in different parts of the world. CWIIL Group of Companies Products, Services, Project and Solutions are in a multitude of Verticals including, but not limited to, Infrastructure, Power, Oil & Gas, Legal, Media, Technology, ITES, HR, Shipping, Aviation, Real Estate, Hospitals, Health and Medicine, Education, Funding & Investment, Business and Legal Consultancy, and Public Private Partnerships, and other CWIIL Group Units, worldwide, to name a few.
For Further Queries Feel Free to Contact :
For Any / All Other Queries :
CWIIL Group Global Regional Headquarters Denmark,
Address : No. 1, Klokkebjergevej, DK6900 Skjern, Denmark
Voice : +45.5148.3608
Fax : +45.7014.1498
Email : firstname.lastname@example.org
Web : www.cwiilgroup.eu
Connect : LinkedIn – Twitter – Facebook – Quora
Office Hours :
Monday to Friday : 10.00 – 17.00 CET.
Saturday : 10.00 – 14.00 CET.
Sunday : Closed.
The Corporate Communications Team would require minimum a fortnight for Reviewing & Responding to Queries, which please note.
Tagged: China, CWIIL Group Companies, cyber crime, Cybersecurity Law, Draft Law, information, information infrastructure, information technologies, national security, National Security Law, network, network security, Network Security Law, technologies