The word on the street is that corporate counsel and legal departments are burning the midnight oil in preparation for June 1, when the PRC Cybersecurity Law comes into effect.
They have much to do, with the nation’s first comprehensive privacy and security regulation for cyberspace—formally passed on November 7, 2016—setting paradigm-shifting requirements such as onshore data storage applicable to “critical information infrastructure” (CII).
Compliance may demand overhauls ranging from revisions to privacy notices and modifications to privacy practices, to a complete, sweeping change in data architecture or infrastructure. Further muddying the waters are looming uncertainties implicit in the law, including ambiguities in language and several critical terms that may leave many multinational companies (MNCs) questioning whether their businesses fall within the ambit of the new law.
A thorough examination of the global and historical context of data localization is crucial in light of these new obligations specific to China. Companies must prepare for cybersecurity compliance in a world where cross-border data flows involve navigating complex—and strict—territorial and regulatory restrictions.
Article 37 of the Cybersecurity Law, commonly known as the “data localization” provision, mandates:
The personal information and important data collected and generated by an operator of critical information infrastructure in the course of its operations in the People’s Republic of China shall be stored in China. If, for business purposes, the same genuinely needs to be provided to a foreign party, a security assessment shall be conducted in accordance with the measures formulated by the state’s cyberspace administration together with relevant State Council departments. If laws or administrative regulations provide otherwise, such provisions shall prevail.
Businesses in violation of Article 37 will be sanctioned with at least a warning, or worse, confiscation of illegal gains, a fine ranging between Rmb50,000 and Rmb500,000, website shutdown, or license revocation. Individuals directly in charge will be subject to a fine between Rmb10,000 and Rmb100,000.
This requirement has been widely discussed. The majority of the criticisms tends to focus on the benefits of free data flow and discrimination against foreign businesses, which, while compelling, fails to acknowledge the complex regulatory context surrounding data localization.
Data localization commonly encapsulates requirements that data be physically stored within a country’s territory and/or not be transferred abroad. China is neither the first nor the only country to adopt this stance. In fact, data localization laws emerged as early as the 1970s, and have been enacted or contemplated by numerous jurisdictions, including Australia, Brazil, Brunei, Canada, the EU, France, Germany, India, Indonesia, Iran, Kazakhstan, Malaysia, Nigeria, Russia, South Korea, Sweden, Taiwan, Thailand, and Vietnam. In the aftermath of the 2013 Snowden revelation, data localization laws have increasingly been used to combat foreign surveillance.
Data localization regulation takes on various forms, including mandating: a blanket ban on the transfer of all categories of personal data abroad (Vietnam); specific restrictions in select industries (South Korea and Australia); strict user consent requirements and regulatory approvals (Malaysia and the Philippines); copies of information to be stored domestically (Russia); and even a tax on the data export (France). Purported rationales behind such rules can be summarized into four major categories: (1) promoting the domestic economy; (2) avoiding foreign surveillance; (3) protecting users’ security and privacy; and (4) facilitating domestic law enforcement. Scholars argue that governments may also be motivated by policy considerations such as Internet sovereignty, constitution, or privacy as human rights.
Despite government enthusiasm, experts in the field generally consider data localization unsustainable policy practice. To date, no systematic study has shown data localization is likely to contribute positive economic returns. On the contrary, studies conducted by Matthias Baeur et al. in 2013, 2014, 2015 and Hosuk Lee-Makiyama in 2015 indicate that restrictions on cross-border data flow adversely impact the economy, such as by reducing the GDP of Indonesia by ~0.7%, Russia by ~0.27%, and the EU by ~0.8-1.3%. Compelling arguments have also been made by scholars including Anupam Chander, Uyen Le, Neha Mishra, Christopher Millard, Tatevik Sargsyan, and Christopher Kuner suggesting that none of the four goals cited above will in fact be achieved by data localization.
The intense regulatory focus on the physical location of data misses the point that physical access to data is neither adequate nor necessary for access to information from a technical perspective. However, control over physical data may bring legal, practical, and political benefits. For instance, the physical location of data is an important factor in determining jurisdiction, i.e. which governing law applies to the data. With data increasingly being seen as the “new currency” of the digital trade, possession of more information is a new way for a country to maximize wealth and power. Countries like China with large populations and/or resources may consider data localization as a tariff-free strategy to compete with American players currently dominating the market, especially in fields thriving on data volume such as cloud computing, e-commerce, and big data analytics. This new form of influence may ultimately transform into appealing political gains with the aid of a new war: the Data War.
This ambition, however, is undermined by the reality that the data localization requirement is extremely difficult to enforce. There is no—and cannot be—digital customs or digital police at a digital border. Indeed, most companies will comply with the costly data localization rule, while others (most likely foreign entities who have no personnel or assets on the ground against which to enforce a sanction) will simply ignore them. Some businesses may choose to leave or to not step foot in China while others may be barred from entering the country. The current enforcement provision of the Cybersecurity Law alone does not appear strong enough to alter this reality.
China has always been an open advocate of Internet and data sovereignty and discourages excessive reliance on U.S. communication infrastructure. In a September 2011 submission made to the United Nations, China, along with Russia and a few other nations, articulated desires to claim sovereignty over its citizens’ data and the rights to censor information and protect CII from foreign threats. The 2013 Snowden revelation led China to believe that it was a victim of extensive NSA [National Security Agency] surveillance exposing overseas data of which China has no control. Around the same time, China released the voluntary Information Security Technology – Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services, prohibiting cross-border data transfers without express consent of users or (unspecified) regulatory approvals.
The Cybersecurity Law is not the first piece of Chinese legislation mandating data localization, but it is the first to expand the requirement from a few sectors to a much wider audience (through its definition of CII). Stricter data localization regimes had existed to govern state secrets (1989), and prohibit processing and overseas storage of banking data (2011), credit data (2013), and health information (2014). The early draft of the PRC Anti-terrorism Law required telecom service operators and Internet service providers (ISPs) to locate servers and store user data in China, but this was withdrawn when the Anti-terrorism Law was passed in December 2015. As telecom operators and ISPs are most certainly deemed CII, they will likely be subject to data localization under the Cybersecurity Law.
This expanded scope appears to be consistent with China’s open policy of Internet and data sovereignty, and its desire to tighten control over its data in the aftermath of the Snowden incident was further motivated, perhaps, by its strategy to combat U.S. competition.
So, against the global and historical backdrop of cybersecurity legislation, the question then becomes how China’s law differs from the others. After all, its rules appear much broader with a heavier regulatory focus.
The Cybersecurity Law’s legislative history alone shows a gradual expansion of data subject to localization. The first draft cited “citizens’ personal information and other important data”, while the second draft changed to “citizens’ personal information and important business data”, and the final draft settled with “personal information and important data”. Moreover, the first draft conditionally allowed both the “provision” and “storage” of data abroad, but the later drafts removed the “storage” option.
Three key interpretations may be drawn from these changes:
China appears to be one of the few countries conditioning cross-border data transfers solely on regulatory approvals without alternatives such as users’ consent. Moreover, regulatory approvals in other jurisdictions typically focus on whether the recipient country has adequate level of data protection. But “adequacy” does not appear to be a concern articulated anywhere in the Cybersecurity Law. Rather, neither the scope nor the content of “security assessment” is defined, resulting in wild speculations. The New York Times reported news of foreign companies submitting to security checks targeting encryption and data storage in China, leaving open the possibility to extract trade secrets or to identify weakness in products for state hackers to exploit. One wonders whether Article 30 of the Cybersecurity Law warranting information acquired during approvals be used exclusively “for the purposes of safeguarding cybersecurity” can be relied to address such concerns, noting, however, that even this provision can be broadly interpreted.
Another unique aspect of China’s data localization rule is that it only applies to CII (compared with all industries in many other jurisdictions). However, China’s narrower application is offset by the broader data captured by the rule mandating all data (both “personal” and “important”) be stored in China.
The definition of CII in the Cybersecurity Law has also evolved throughout the earlier drafts:
As the excerpts show, the first draft only envisions a finite list of industries. The second draft replaces the list with a broad catch-all phrase. The final draft combines the earlier two definitions but drops some exemplar sectors. One such omission is “networks and systems owned or managed by network service providers with a large number of users,” commonly interpreted to include Internet services such as e-commerce and social networks.
This omission appears incidental rather than intentional in light of July 2016 guidelines issued by the Cyberspace Administration of China (CAC) setting forth three CII categories including networks with numerous users: (i) websites for e-government, enterprises, non-profit organizations, and news; (ii) business platforms such as correspondences, e-commerce, e-payment, search engines, emails, blogs, mapping, video and audio; and (iii) providers of services such as enterprise systems, industrial controls, big data, cloud computing, and television broadcasting. Websites are considered CII if they have over one million average daily visits or if a data breach could affect over one million individuals.
The July guidelines also introduce a three-step procedure to determine whether a business is CII: (i) identify the critical business; (ii) identify the information or industrial control system supporting the critical business; and (iii) assess the level of reliance of the system by the critical business as well as the potential losses due to a security breach in the system. This identification method may generate a halo effect in IT procurement—businesses that are not CII themselves may, nonetheless, be subject to data localization if their “critical business” is relying on Chinese networks for operations or delivery of services.
In the latest National Cyberspace Security Strategy released by the CAC on December 27, 2016, additional sectors were added to the CII category such as education, scientific research, industrial manufacturing, social security, and public undertaking.
Other jurisdictions also have the concept of industry-based CII which are not tied down by data localization but are required to follow heightened network security measures. Common examples of CII include energy, ICT, finance, healthcare, food, water, transport, safety, and government. Chemicals are designated critical in Canada, Netherlands, the U.S., and the EU while legal/judicial is deemed critical in Netherlands. The EU made an attempt to add e-commerce and social networks to CII in 2015 but the proposal was later rejected by the European Parliament.
The Cybersecurity Law’s possible inclusion of Internet services may be understood in light of the large population of China and the potential benefits of possessing a large quantity of data associated with such online services.
One other major obligation imposed by the Cybersecurity Law is the “safe and trustworthy” standard. Both CII and network operators are required to ensure that critical network equipment and specialized cybersecurity products satisfy compulsory national security standards and pass a security certification by qualified institutions before being sold or provided for use. Similar to “secure and controllable” or “indigenous and controllable” referenced in other PRC regulations or guidelines, this standard is generally understood to mandate source code reviews, turn-over of encryption keys, and/or access to “backdoors” for government inspections.
Other than data localization, CII operators are also required to: (i) pass a security review organized by the CAC and State Council for purchasing network products and services; (ii) enter into a confidentiality agreement with IT vendors; (iii) conduct annual security assessment and submit reports to authorities; and (iv) establish procedures including appointing dedicated personnel in charge of security.
A “network operator” under the Cybersecurity Law refers to “a network owner, manager and/or network service provider” and is further required, among others, to record network operation status and security incidents and preserve logs for at least six months, as well as to censor content posted by users for any violations of laws and report them to the authorities.
Finally, the Cybersecurity Law imposes new privacy obligations, including an ambiguous breach notification where both network operators and CII must “promptly” inform affected users—and authorities—upon a data breach, and the mandate to correct or delete information upon a user’s request, a right analogous to the EU’s right of erasure. These rules may call for a reassessment of a business’s privacy notices and policies.
Clocks are ticking. Five months are too long to wait for the clarifications of the key terms of the law, yet too short to envision a full compliance of all requirements—especially the controversial data localization rule. Corporate legal departments should not wait, or render the Cybersecurity Law irrelevant based on a false hope that their business is not CII, keeping in mind that the CII definition is broad, open and growing, and that even if they are not CII, they may fall under “network operators” and will still be subject to myriad other requirements.
A proactive approach should be taken during the interim. A preliminary self-assessment can be conducted to assess the risks for compliance. Tools such as data maps can be used to identify the physical locations of data, and data flow charts to track the data’s life cycle. Extra caution must be taken to ensure that legal requirements and technology jargon are not lost in translation during internal communications.
Xiaoyan Zhang, Counsel
Mayer Brown JSM, Shanghai