Cybersecurity Law broadens scope, restricts outflows

Data Law Network (数据法网)

Nov 14, 2016
The newly issued Cybersecurity Law broadens its scope and restricts outflows: all personal and ‘important’ information, network crimes and cyberattacks are caught in the new law’s crosshairs.

By Katherine Jo

 

Despite strong opposition from foreign governments and business groups, China has passed the PRC Cybersecurity Law that applies to all data transmitted and stored in the nation’s networks.

Approved by the Standing Committee of the National People’s Congress on November 7 and coming into effect on June 1 next year, the law sets broad restrictions for cross-border data transfers, enhances individual and criminal liability, and threatens to punish foreign hackers.

The most significant provision—and the thrust of this law—is the redefined scope of network operators of “critical information infrastructure” (CII). This sweeping section requires CII operators to store all data of significance within the PRC. This virtually gives the government the mandate to apply the law to any industry and business, local or foreign.

“China is essentially adopting a fortress approach to all data,” said Peter Bullock, a partner at King & Wood Mallesons in Hong Kong. “Data concerns were mainly related to key industries such as financial services before, but now they encompass anything the state regards as important.”

The first Cybersecurity Law draft from 2015 provided a list of industries subject to the law, including telecommunications, finance, healthcare, transportation, energy and utilities (along with a catchall: networks “with a very large number of users”).

The second draft issued in July 2016, however, replaced these itemized examples with an extremely broad definition of CII operators encompassing those that run any networks that can seriously harm national security or public interest if destroyed or tampered with or if their data is lost or leaked.

The official version, the approved third draft, released last week includes the enumeration of targeted industries from the first reading and adds “and other important industries and fields”. It also retains the definition from the second, and introduces an additional instrument of government discretion by stating that the exact scope of, and safeguarding measures for, CII will be determined by the State Council separately. This is in Article 31.

“This allows the government to have great leeway in determining which companies are captured by the definition of CII operators,” said Xiaoyan Zhang, a data privacy counsel at Mayer Brown JSM.

The very first provision about networks with a large number of users has been left out, which could be significant because e-commerce platform operators and internet retailers, despite having large businesses and customer databases, may not technically fit the definition put forward for CII.

“But this doesn’t rule out the possibility of their becoming subject to these local storage rules as well, since the State Council can ultimately decide what data is important and exercise discretion over the specific scope,” Zhang said.

In a letter to China on November 11, more than 40 international business and technology organizations expressed “deep concerns,” warning that the PRC government’s efforts to control more of the internet and technology would effectively erect trade barriers along national boundaries.

Data storage and outflows

Another concern surrounding the potentially overarching definition of what the state deems “important” lies in Article 37, which brings into question what constitutes the “important data” that CII operators are obligated to store in China along with any personal information.

This is a simplified amendment from the second draft, which introduced the concept of “important business data.” Lawyers commented at the time that the term had no legal precedent and required further clarification through implementing rules, guidelines or enforcement.

“Now they have just left it at ‘important data,’ making it even broader than the second reading,” said Ben Qi, a Beijing-based partner at Jin Mao Partners. “All personal and ‘important’ data collected and stored by network operators of CII are subject to PRC localization requirements and restricted from overseas transfers without proper clearance.”

This may not be just a problem for international companies, but also for Chinese domestic enterprises that are looking at competing on a global scale by offshoring, acquiring and joining up with external businesses and subsequently having to transfer key data, said King & Wood Mallesons’ Bullock.

China could potentially look to other jurisdictions like the EU, which also sets strict cross-border personal data transfer restrictions but offers exemptions in instances where users give express consent or a company applies for intra-group transfers.

“The EU Data Protection Directive’s exceptions exist with the view to safeguard citizens’ data while still upholding the values of free trade. Such principles are arguably less evident in the PRC Cybersecurity Law, though it isn’t to say the Chinese government couldn’t grant waivers in the future,” said Zhang.

Another example is Russia, which has clarified that its data rules specifically capture companies with either a physical presence in the country or businesses aimed at its citizens through online platforms, she explained.

“Again, it’s quite different in China, where things are less clear in terms of which industry a CII operator falls under or whether a foreign company needs to comply with the law if it is serving Chinese customers without a PRC entity,” Zhang said.

Russian regulations also require companies to keep copies of domestic data but don’t restrict them from taking the information outside its borders. China doesn’t allow this—any extra-territorial transfers must go through security assessments.

This could be an issue for a multinational company with a production data center—one that generates day-to-day data—in China that needs to execute a disaster recovery plan or move and store backups out of the country, said Jin Mao Partners’ Qi.

How cloud-based service providers are expected to work with these critical information outflow restrictions is a real concern for global enterprises that require more flexibility for backup or remote management purposes, he said. “It may be prudent for China to consider the direction of granting safe harbors like the EU for consolidation purposes.”

National security product reviews

The law also sets strict security obligations for CII network operators, by requiring any cybersecurity products and services they purchase to be state-approved and undergo national security reviews. They also need to be in compliance with the mandatory requirements published in the national security-specific catalogue, which is expected to list the detailed qualifications and certification processes for CII equipment providers, and be released by the time the law enters into force in June.

“Anybody who is procuring these products must go through the approved vendors, which can be a problem for international suppliers that won’t risk disclosing their intellectual property or negotiating a backdoor,” said Bullock.

Hot seat

The law also requires enterprises to assign a legal representative to do data security interviews with the authorities, and overall be held accountable for all cybersecurity-related matters.

“It details expectations of putting forward a named individual responsible for maintaining security standards and crisis management, and is backed up by the last quarter of the law which lists out all the penalties,” said Bullock.

For instance, in the section on national security assessments for CII equipment, any network operator that fails to submit its products for review will not only be ordered to cease using the service and be fined one to 10 times its value, but will also have the named individual held personally liable.

The representative’s tasks include conducting background checks, establishing database recovery systems, developing emergency response plans and conducting regular exercises.

Foreign hackers

The Cybersecurity Law also adds a new provision imposing penalties on foreign individuals or organizations attacking Chinese CII. Previously, penalties, fines and shutdowns did not apply to foreign entities without a presence in the PRC. Article 75 states that whoever attacks CII in China will be subject to sanctions including asset freezes.

Online fraud, investigations, minors

There is also a greater emphasis placed on online fraud: the law puts forward a provision specifically prohibiting individuals and organizations from establishing websites or communication groups, or using any form of network infrastructure, to carry out fraudulent or illegal activities, spread criminal messages or sell contraband.

Article 28 has been expanded to require network operators to assist the authorities in not only national security but also criminal investigations. This is in parallel with the Supreme People’s Court’s Provisions on Several Issues Concerning the Gathering, Accessing, Review and Determination of Electronic Data in the Handling of Criminal Cases issued on September 9, which for the first time explicitly requires internet service providers to comply with law enforcement in criminal investigations, such as by supplying raw server data to prosecutors and freezing electronic accounts.

There is also a new provision in the Cybersecurity Law for the protection of minors—a focus also introduced in the latest PRC Criminal Law amendment released last year.

Progress

“The law comes on quite strong by increasing individual liability and penalties for violations, and presents progress in terms of protecting people’s privacy in a world fueled by mass data,” said Mayer Brown JSM’s Zhang.

Companies should conduct a full compliance risk analysis and cybersecurity audit with privacy professionals in preparation for the new law, she added.

The State Council will have to come up with supplementary provisions and guidelines for implementation.

“Without these policies to follow, the law will have no teeth,” Qi said.

 

(Author: Zhao Xiumin)

 

All personal and “important” information, network crimes and cyberattacks fall within the scope of the new law.

Despite strong opposition from foreign governments and business groups, China has formally passed the Cybersecurity Law of the People’s Republic of China, which applies to all data transmitted and stored over Chinese networks.

Approved by the Standing Committee of the National People’s Congress on November 7 and taking effect on June 1 next year, the law sets broader restrictions on cross-border data transfers, increases individual and criminal liability, and specifies penalties for foreign hackers.

The law’s most important and central element is the redefined scope of network operators’ “critical information infrastructure” (CII). This broad section requires CII operators to store all important data within China. In effect, this authorizes the government to apply the law to any industry and enterprise, domestic or foreign.

“China is essentially taking a defensive posture toward all data,” said Peter Bullock, a partner at King & Wood Mallesons in Hong Kong. “Attention to data previously centred mainly on key industries such as financial services, but it now covers everything the state regards as important.”

The first draft of the Cybersecurity Law, released in 2015, listed the industries to which the law applies, including telecommunications, finance, healthcare, transportation, energy and utilities (plus a catchall: networks “with a very large number of users”).

The second draft, released in July 2016, however, replaced these itemized examples with an extremely broad definition of CII operators, covering operators of any network that could seriously harm national security or the public interest if it were destroyed or interfered with, or if its data were lost or leaked.

The approved third draft is the official version, released this week. It enumerates the targeted industries listed in the first reading and adds “and other important industries and fields”. It also retains the definition from the second draft and specifies that the exact scope of, and security protection measures for, CII will be formulated by the State Council, adding a further element of government discretion. This is set out in Article 31.

“This gives the government great latitude in deciding which companies meet the definition of CII operators,” said Xiaoyan Zhang, data privacy counsel at Mayer Brown JSM.

The earliest provision concerning networks with a huge number of users has been dropped, which could be quite significant: e-commerce platform operators and online retailers, despite having large businesses and customer databases, may not technically meet the CII definition.

“But this does not mean these companies are exempt from the local storage rules, because the State Council can ultimately decide which data count as important and has discretion over the specific scope,” Zhang said.

In a letter to the Chinese government on November 11, more than 40 international business and technology organizations expressed “deep concerns”, saying that the Chinese government’s moves to tighten control over the internet and technology effectively erect cross-border trade barriers.

Data storage and outflows

Another concern relates to the potentially all-encompassing definition of what China regards as “important” (Article 37), which leaves unclear what counts as the “important data” that CII operators are obliged to store in China alongside any personal information.

This is a simplified revision of the second draft, which had introduced the concept of “important business data”. Lawyers said at the time that the term had no legal precedent and would need further clarification through implementing regulations, guidelines or enforcement practice.

“Now it is simply called important data, which is broader than in the second reading,” said Ben Qi, a partner at Jin Mao Partners. “All personal and important data collected and stored by CII network operators are subject to China’s localization requirements and may not be transferred overseas without proper review and approval.”

Bullock of King & Wood Mallesons said this could be a problem not only for international companies but equally for Chinese enterprises that want to compete internationally by launching, acquiring and partnering with overseas businesses, and that consequently need to transfer key data.

China could draw on the practice of other jurisdictions such as the EU, which also imposes strict restrictions on cross-border transfers of personal data but grants exemptions where users have given express consent or a company applies for intra-group transfers.

“The EU Data Protection Directive’s exemptions exist to safeguard citizens’ data while upholding the value of free trade. Such principles are perhaps less evident in the PRC Cybersecurity Law, but that is not to say the Chinese government will not grant similar waivers in the future,” Zhang said.

Another reference point, she said, is Russia, which has made clear that its data rules apply to companies with a physical establishment in Russia or to businesses that serve Russian residents through online platforms.

“China is different: it is unclear which industries a CII operator falls under, or whether a foreign company serving Chinese customers without a Chinese entity needs to comply with the law,” Zhang said.

Russian regulations also require companies to keep copies of domestic data, but do not restrict them from taking the information abroad. China allows no such thing: any outbound transfer must go through a detailed security assessment.

“This could be a problem for a multinational with a production data center in China that generates day-to-day data and needs to execute a disaster recovery plan or migrate and store backups outside the country,” said Ben Qi of Jin Mao Partners.

“For multinational enterprises that need more flexibility for backup or remote management, the real concern is how cloud-based service providers should handle these restrictions on outflows of critical information. The prudent course for China might be to consider granting safe harbors, as the EU does, for consolidation purposes,” Qi noted.

National security product reviews

The law also imposes strict security obligations on CII network operators, requiring any cybersecurity products and services they procure to be state-approved and to pass a national security review. They must also comply with the mandatory requirements set out in a dedicated Chinese national security catalogue, to be released when the law takes effect in June, which is expected to list detailed qualification requirements and certification processes for CII equipment providers.

“Anyone procuring such products must buy through approved suppliers, which creates an obstacle for international providers unwilling to risk disclosing their intellectual property or to handle matters behind the scenes,” said Bullock.

Hot potato

The law also requires enterprises to designate a legal representative to hold data security interviews with the relevant authorities and to bear overall responsibility for all cybersecurity-related matters.

“It spells out the requirement to designate an individual responsible for maintaining security standards and managing crises, and the final quarter of the law lists all the penalties,” Bullock said.

For example, the section on national security assessments of CII equipment provides that if a network operator fails to submit a product for review, it must not only stop using the service and pay a fine of one to 10 times its value, but the responsible individual must also bear personal liability.

This individual’s tasks include carrying out background checks, establishing database recovery systems, formulating emergency response plans and conducting regular drills.

Foreign hackers

The Cybersecurity Law also adds a provision imposing penalties on foreign individuals or organizations that attack Chinese CII. Previously, penalties, fines and shutdown measures did not apply to foreign entities without a presence in China. Article 75 provides that any individual or organization attacking CII within China will face sanctions including asset freezes.

Online fraud, investigations, minors

The law also focuses on online fraud, expressly prohibiting individuals and organizations from setting up websites or communication groups, or using any form of network infrastructure, to carry out fraudulent or illegal activities, spread criminal messages or sell contraband.

Article 28 goes further, requiring network operators to assist the relevant authorities not only in national security reviews but also in criminal investigations. The Supreme People’s Court’s Provisions on Several Issues Concerning the Collection, Extraction, Review and Determination of Electronic Data in the Handling of Criminal Cases, issued on September 9, has the same focus: for the first time it expressly requires internet service providers to cooperate with law enforcement in criminal investigations, for example by providing raw server data to prosecutors and freezing electronic accounts.

Another new provision in the Cybersecurity Law is aimed at protecting minors, which was also a new focus of the PRC Criminal Law amendment promulgated last year.

Progress

“This new law is a heavy blow: it not only strengthens accountability and penalties for individual violations but also marks progress in protecting citizens’ privacy as the data era advances,” said Zhang.

“Companies should engage privacy professionals to conduct a full compliance risk analysis and cybersecurity audit in preparation for the new law,” she added.

The State Council will need to issue supplementary implementing regulations and guidelines.

“Without such guiding policies, the new law will have no teeth,” Qi said.

 

Email the writer at [email protected].