Data Privacy and Security Law Develops Quickly in China

The information and technology security related legislation and practice develops quickly in a fast changing environment for China’s national security challenges.  In April 2014, to respond to the various challenges in the new era, President Xi Jinping for the first time raised the “overall concept of national security”.  Thereafter, a series of legislation relating to national security was put on an accelerated track, including the Counter-terrorism Law (the “CTL”), the National Security Law (the “NSL”), the Cyber Security Law (the “CSL”), the Foreign Non-governmental Organization Administration Law, and the Counter-espionage Law.  The CTL, NSL and CSL all include or are likely to include provisions relating to information and technology security, and have drawn wide attention from foreign companies especially high-tech and internet companies who have operations in China.
 
The draft CTL was released for public comments on 3 November 2014 until 3 December 2014. The provisions in the draft CTL caused broad discussions are articles 15 and 16 which in principle require telecom business operators and internet service providers to set up technical interfaces in the design, construction and operation of telecoms and the internet, and file encryption plans to government for review, and it further requires such operators and service providers who provide service within the territory of the China shall retain within the territory of the China the relevant equipment and data of “users within the territory of the China”.  The provisions are drafted in a comparatively vague and general way and there is no interpretation on how such requirements would be applied especially to foreign companies’ business in China.  Media reported that several foreign trade associations have raised concerns over these articles with Chinese government.  The second deliberation of the draft CTL was held in February but there is no updated information since then on when the third deliberation will be held and CTL will be formally released.
 
Following on, on 1 July 2015, China’s legislature, the National People’s Congress Standing Committee, passed the NSL, and it came into effect on the same date.  The NSL, for the first time, provides for “safeguarding the national cyberspace sovereignty”, and adds cyber and information security as an important part of national security, compared with the former NSL which was primarily focusing on counter-espionage.  NSL further requires the state to establish a national security review system to review matters and activities that influence or may influence national security, including that relating to network information technology products and services.
 
In this connection, a few days later on 6 July the National People’s Congress Standing Committee released the draft Cyber Security Law (the “CSL”) to solicit public comments before 5 August 2015.  The draft CSL further provides for “safeguarding the national cyberspace sovereignty” as a fundamental principle, and, for that purpose, the draft includes provisions on, inter alia, the strategy, plan and promotion of cyber security, network operation security, network information security, and alarm and emergency response systems, especially in the following aspects.
 
The CSL endeavors to strengthen the network operation security obligations, for example, the draft provides various security obligations of network product and service providers, makes classified network security protection a legal obligation of network operators including classifying data as well as backing up key data and encrypting the same.  Network operators are also required to provide necessary assistance and support to investigation authorities where necessary for protecting national security and investigating crimes.
 
In particular, the draft CSL heightened protection for the operation of “key information infrastructure facilities”.  Such requirements include key information infrastructure facility operators should store personal information of citizens and other important data within the PRC territory (unless there is a business imperative to store data overseas they can apply to government who will evaluate the specific situation).  Additionally, security review is required to be conducted on the procurement of network products and services by key information infrastructure operators. 
 
The CSL also includes requirements for network operators on the protection of personal information of users.  Such requirements are primarily based on the requirements of existing laws and regulations, with a few new requirements such as notifying users who may be affected in the event of a data breach.  The draft also requires network operators to record the real identity of users, to cease and prevent the dissemination of unlawful and harmful information, and to make records and report to government.
 
Once adopted and implemented, the CSL may influence the technology and internet industries significantly, and may even impact enterprises in finance, energy, transportation, medical and health services and other public service areas.
 
The new legislative trend reveals that Chinese government’s attention to strengthen the management and operation of national security including network security.  As many may recall, earlier this year, the requirement by Chinese government on establishing a “secure and controllable” system in the banking industry is also part of this effort.  In relation to data privacy area, although China does not have a personal information law at the present and it may still take sometime for a unified legislation on personal information to be promulgated, we expect to see more regulations and rules on the protection of personal information of users in various industries, as a part of the network information security.  

Marissa Dong is a partner in Jun He Law Offices based in Beijing.  She has advised many private and public transactions for multinational companies, private equity firms and Chinese state-owned and private companies and across the wide spectrum of industrial sectors, particularly internet and telecommunication, education and manufacturing business. In addition to her corporation and M&A practice, as an Information Law expert, Marissa Dong has advised many multinationals (including both Chinese and foreign nationals) on data privacy, information security and related regulatory matters in China.