The General Provisions of the Civil Law of the PRC (Civil Law) recognises an individual’s fundamental civil rights over his or her personal information (PI) and establishes the general principles of PI security and lawfulness of PI collection and processing.
As compared to the general principles set forth by the Civil Law, the Cybersecurity Law of the PRC acts as the overarching construct of the cybersecurity regime in China and sets forth specific requirements in various cybersecurity segments. The Cybersecurity Law applies to network operators (NOs) in China, a term defined as any entity that owns or administers a network or provides network services, and sets forth liabilities for violation in the form of fines and injunctions against the network operators and/or their responsible personnel.
The subject matter regulated by the Cybersecurity Law, supplemented by relevant regulatory documents (including drafts), can be summarised in two main categories: (i) network operation security, which addresses the security of the operation, structure and management of a network system; and (ii) network information security, which mainly focuses on measures and structural arrangements to protect PI and important data. The specific requirements of the two categories can be divided into the following major segments.
Network Operation Security
Multi-level protection scheme (MLPS)
A classified cybersecurity protection scheme (also known as the multi-level protection scheme or MLPS) is recognised as the basic legal system for ensuring structural network security in China. Under MLPS, network operators must be classified into one of five levels (from one to five) according to the security impact that would result if the system were damaged. Progressively stringent requirements for network security and filing obligations with authorities are imposed on network operators at higher MLPS classification levels. Please refer to 4.3 Critical Infrastructure, Networks, Systems for further details of MLPS.
Certain security requirements are imposed on the suppliers of network products and services, such as taking remedial actions to correct security vulnerabilities and continuing provision of security maintenance services. Any identified key network equipment and specialised cybersecurity product must pass security certification before its supply.
Critical information infrastructures (CIIs)
Critical information infrastructures (CIIs) – defined as network facilities and information systems whose sabotage, malfunction or data breach may severely endanger national security, social welfare and public interests – are afforded additional and strict security protection requirements, with obligations regarding security management mechanisms, training, technical measures of cybersecurity protection, procurement of network products and services, emergency response plans, and others.
In addition, where the procurement of network products and services by CII operators (CIIOs) may affect national security, competent authorities must conduct a cybersecurity review of such procurement.
Network operators shall set up cybersecurity monitoring, early warning and emergency response plans to mitigate cybersecurity risks and timely notify relevant parties upon the occurrence of cybersecurity incidents.
Network Information Security
NOs shall process (including but not limited to collection, storage, use, sharing, transfer, disclosure and deletion) personal information lawfully, legitimately, and only to the extent necessary, and obtain informed consent from the PI subjects regarding the purpose, methods and scope of processing. NOs shall also take necessary measures to ensure the security of the PI they collect and promptly inform PI subjects and relevant authorities upon any divulgence of PI.
NOs shall take measures to respond to legitimate requests from PI subjects relating to their PI. In particular, with reference to national standards supporting the Cybersecurity Law, depending on their different roles in PI processing, NOs are categorised as personal information controllers (PICs) – defined as any entity or individual capable of determining the purpose and method of PI processing – and personal information processors (PIPs) – defined as entities or individuals processing PI on behalf of PICs.
When PI contains sensitive personal information (SPI), additional security requirements are imposed on PICs, such as protection by encryption. Please see 4.1 Personal Data for details of PI protection requirements for NOs, PICs, and PIPs.
Important data refers to data whose disclosure may directly affect national security, economic security, social stability, or public health and security, such as undisclosed government information and information regarding the mass population, genetic health, and geographical and mineral resources. NOs collecting and processing important data are subject to various security obligations, such as adopting technical measures of encryption, back-up, and others. Please see 4.2 Material Business Data and Material Non-public Information for details on important data protection requirements.
Cross-border data transfer
CIIOs transferring PI and important data abroad must store such data within China and perform a security assessment of the cross-border transfer. General NOs conducting cross-border data transfer are also advised to perform such a security assessment. According to the current draft regulations on cross-border data transfer, such an assessment may cover the nature of the data to be transferred, the data exporter's and the data recipient's respective data security protection capabilities, the receiving country or region's political and legal environment for data protection, and an evaluation of the impact of the transfer on PI subjects, national security and social interests. Cross-border data transfer is prohibited if it threatens national security or public interests.
The Cybersecurity Law and relevant regulatory documents are mainly enforced by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology of China (MIIT), the Ministry of Public Security of China (MPS), and the State Administration for Market Regulation (SAMR). It is worth mentioning that draft regulatory documents are commonly applied as an important reference for cybersecurity enforcement.
Other Laws and Regulations
Various other laws and regulations also contribute to other segments of the cybersecurity regime as illustrated below.
The Cryptography Law
The Cryptography Law, mainly enforced by the Cryptography Administration of China (SCA), sets forth requirements for supplying and adopting various forms of encryption, in particular commercial encryption, which plays a key role in the network security required by the Cybersecurity Law. The law also sets forth civil liabilities for violation.
The Criminal Law
The Criminal Law of the People's Republic of China (Criminal Law) recognises various cybercrimes infringing PI or computing systems, crimes committed using networks, and the crime of failure to perform cybersecurity obligations, punishable by imprisonment and/or fines. The above-mentioned Criminal Law provisions are enforced by the MPS and its local agencies.
All key regulators of cybersecurity in China, namely the CAC, MIIT, MPS and SAMR, have regulatory authorities at the national level and their branch agencies at the county level or above that exercise their authorities within their respective geographic jurisdiction.
Under Article 8 of the Cybersecurity Law, the CAC is assigned overarching responsibility of planning and co-ordination of cybersecurity regulation. It is the most active regulator in terms of enacting cybersecurity regulatory documents, and its enforcement focuses on the governance of the "internet ecology" and network information content.
The MPS is the key regulator and enforcement authority for the MLPS and network operation security, and is responsible for investigating and preventing crimes related to computing systems and PI infringement.
The MIIT oversees the telecommunication and information technology industry and thus administers the licences of the market participants in this industry. Its enforcement focuses on PI protection in these industries, especially the telecommunication value-added services.
The SAMR is responsible for the protection of consumer rights, including consumers’ rights in PI and fair market competition.
In addition to the four key regulators, some national regulators focus on specific areas of cybersecurity-related matters. The National Information Security Standardisation Technical Committee (TC260) is responsible for the promulgation of cybersecurity-related national standards; the National Administration of State Secrets Protection (NASSP) is responsible for MLPS classification and protection related to state secrets. The SCA is responsible for regulation and enforcement in relation to encryption activities. The China Securities Regulatory Commission (CSRC), the China Banking and Insurance Regulatory Commission (CBIRC), the China Insurance Regulatory Commission (CIRC), and the China Banking Regulatory Commission (CBRC) also regulate cybersecurity matters in their respective financial areas.
The regulators conduct audits and investigations in relation to cybersecurity. The MPS is the primary and most active enforcement agency in the audits and investigations regarding PI infringement and other violations of cybersecurity-related laws and regulations, especially when criminal culpability may arise. The CAC, MIIT and SAMR also participate in the audits and investigations of network operators regarding violation of cybersecurity-related laws and regulations. In 2019, the four abovementioned authorities initiated a joint enforcement campaign against mobile applications collecting and using PI in violation of laws and regulations, marking a trend of frequent joint enforcement of audits and investigation.
In general, the penalties that cybersecurity regulators or data protection authorities impose on the investigated entities or individuals must comply with the liabilities articulated by the Cybersecurity Law and, in cases where criminal culpability arises, the Criminal Law.
As for regulator-specific administrative process, the Provisions on Internet Security Supervision and Inspection by Public Security Organs (Public Security Provisions) set forth the standard administrative process of cybersecurity enforcement by the MPS and its branch agencies. The Public Security Provisions limit the scope of the targeted network service providers and the contents of supervision and investigation by public security agencies. They also articulate two methods of supervision and investigation, namely on-site inspection and remote inspection, and set forth procedural requirements for and limitations on each method that public security agencies must follow during enforcement.
Other due process and appeal rights issues not contemplated by the abovementioned laws and regulations shall, in theory, be governed by the administrative laws of China. The Administrative Penalty Law of the PRC (Administrative Penalty Law) prescribes the process and restrictions of administrative penalties in general, while the Administrative Reconsideration Law of the PRC (Administrative Reconsideration Law) and the Administrative Litigation Law of the PRC (Administrative Litigation Law) prescribe the respondents' due process and rights to appeal. In practice, we have no knowledge of any remedies under the three abovementioned administrative laws initiated by respondents. Thus, further observation is advised regarding the applicability of the administrative laws to cybersecurity-related administrative process and enforcement.
Currently, most cybersecurity enforcement actions are based on laws and regulations at the national level. Regulations at provincial or municipal level are comparatively limited in number and lack uniformity and consistency in subject matter and legal effectiveness. Furthermore, such regional regulations may only specify but not exceed the requirements already contemplated by the Cybersecurity Law. For example, the Tianjin City Cyberspace Administration issued the Measures for the Administration of Data Security of Tianjin (for Trial Implementation) in June 2019 to further specify Cybersecurity Law requirements for data collection and processing conducted within Tianjin.
Agencies at the subnational level play a piloting and critical role in cybersecurity enforcement activities. For example, during the “Jingwang” ("cleansing the internet") national campaign in 2019 against cybercrimes and PI infringement, the Guangdong Province Public Security Department detained more than 10,000 people for suspected internet criminal activities and seized billions of pieces of illegally collected and processed PI from suspects violating laws and regulations. In September 2019, Hangzhou Municipal Public Security Bureau launched a campaign against big data companies illegally collecting PI by technical means and penalised numerous target companies.
The National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNERT) is a national non-government cybersecurity information-sharing organisation that has played the key co-ordinating role in China’s cybersecurity emergency response community since 2001.
CNERT runs two databases that monitor, alert on and provide solutions for information vulnerabilities and malware, namely the China National Vulnerability Database (CNVD) and the Critical Information Infrastructure Security Response Centre (CII-SRC), both of which are joint efforts of information system operators, telecommunication operators, cybersecurity service providers and internet service providers.
In addition, the China National Vulnerability Database of Information Security (CNNVD) is a central government-funded database that has analysed, alerted and responded to information vulnerabilities since 2009. It is worth mentioning that in November 2019 the CAC released the Measures for the Administration of Network Security Threat Information Publication (Draft for Comments), which contemplate limitations on entities or individuals releasing network security threat information or alerts, such as content restrictions in network security information and, in some instances, prior consent by relevant network and information system operators.
While the scope of the cybersecurity regime in China is comparatively comprehensive and diverse in subject matter, it is still under development, with more supplemental measures expected to be released. Cybersecurity enforcement in China has been active and aggressive, especially since 2019, usually focusing on specific areas, such as the mobile application data protection campaign in 2019. Enforcement is expected to expand in scope and intensify in 2020.
The cybersecurity legal system in China absorbs some security protection mechanisms from both the US and the EU systems, while maintaining its distinctive designs. From the network security perspective, China affords special protection to CII, a concept derived from critical infrastructure in both the EU and the US systems; China also sets forth requirements for emergency response, similar to the EU and the US systems. However, the methodology for identifying CII and its boundaries in China differs from that used in the EU and the US; in addition, security requirements for CII are more expansive in China, as they are organically connected to other cybersecurity segments, such as security review, MLPS, and cross-border data transfer.
As for data protection, China is similar to most other jurisdictions in the respect that consent of PI subjects is the foundation of PI protection, yet it is different in at least three major respects:
In the previous 12 months, a series of key laws and regulations (including drafts) were released, including but not limited to the following:
There are also quite a number of new regulations and national standards in the legislative pipeline in 2020, covering areas of informed consent of PI subjects, PI in mobile apps, cloud computing security, in-vehicle equipment information security, and others.
As for significant law enforcement activities, the special enforcement campaign against mobile applications illegally collecting and processing PI has discovered hundreds of mobile applications infringing PI and ordered violators to rectify accordingly, marking the trend of increasing and extensive enforcement activities by joint forces of regulators. The “Jingwang 2019” campaign against internet-based crimes and PI infringement also marks the commencement of elevated cybersecurity enforcement by the MPS.
The legislative dynamic in 2020 is expected to focus on the sectors of (i) cross-border data transfer of PI and important data, (ii) identification and protection of CII, and (iii) identification and security requirements for important data. A number of draft regulations and national standards regarding these sectors are likely to be finalised this year.
In addition, hot topics of enforcement emerging since the second half of 2019 include (i) the lawfulness of collecting data from third parties by technical measures, including web spidering (using automated scripts or programs to systematically browse the internet and retrieve targeted data), software development kit (SDK), application programming interface (API) and others, (ii) risks in transferring data to entities in sensitive industries such as micro-scale loans via the internet that may contribute to loan frauds by abusing PI, and (iii) data compliance by companies to conduct initial public offerings or other sorts of listings.
As mentioned in 1.1 Laws, the Cybersecurity Law lays the foundation of the cybersecurity legal system in China that applies to all kinds of data, systems, NOs, and information infrastructures, supplemented by a series of implementation measures and other laws and regulations as listed below and sorted by the segments of the Cybersecurity Law.
Network Operation Security
A1: MLPS – Regulation on Graded Protection of Cybersecurity (Draft for Comments) (Draft MLPS Regulations).
A2: CII Protection – Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comments) (Draft CII Regulations).
A3: Cybersecurity Review and Emergency Response – Cybersecurity Review Measures (Draft for Comments) (to replace the Measures for the Security Review of Network Products and Services (for Trial Implementation) upon finalisation).
A4: Encryption – Cryptography Law and Law on Guarding State Secrets.
Network Information Security
B1: Personal Information Protection – Measures for the Administration of Data Security (Draft for Comments) and Provisions on the Cyber Protection of Children’s Personal Information.
B2: Cross-border Data Transfer – Measures for the Administration of Data Security (Draft for Comments) and Measures for the Security Assessment for Cross-border Transfer of Personal Information (Draft for Comments).
B3: Internet Information Content Administration – Provisions on Governance of Network Information Content Ecology, Provisions on the Administration of Blockchain Information Services, Provisions for the Administration of Internet News Information Services, and others.
In addition, articles 253(1), 285, 286, and 287(2) of the Criminal Law apply to crimes related to cybersecurity.
The key cybersecurity regulators consist of the CAC, MIIT, MPS, and SAMR. The TC260, NASSP, and SCA are also important regulators in their respective areas of responsibility. Please refer to 1.2 Regulators for their respective areas of cybersecurity responsibility.
Under Article 8 of the Cybersecurity Law, the CAC is the overarching cybersecurity regulator and agency in China. Please refer to 1.2 Regulators for its specific regulatory role.
The CAC, MIIT, MPS, and SAMR at the national level and their branches at the county level or above are the major data protection authorities and privacy regulators. Please refer to 1.2 Regulators for their respective roles in data protection. As discussed in 1.2 Regulators, in 2019 the four abovementioned authorities initiated a joint enforcement campaign against mobile applications illegally collecting and using PI, marking the trend of expanding joint enforcement by data protection authorities. The TC260 is also an important privacy regulator that focuses on the promulgation of data protection-related national standards; most of these national standards are not legally binding but serve as an important reference in legal enforcement activities.
The CSRC administers a series of securities-related financial activities in China, including initial public offerings (IPOs), corporate restructuring, and related transactions, and data compliance of listing companies has become one of the key factors in approving such activities. Cybersecurity and data protection have gradually become a frequent topic of the CSRC's inquiries to listing companies during their filing for approval of these financial activities, and have been factors contributing to the CSRC's rejection of IPO listing applications in some cases. The CBIRC, CIRC, and CBRC also regulate cybersecurity matters in their respective financial areas of responsibility. In particular, the CBIRC takes an active regulatory role, as it issued the Guidelines for Data Management of Banking Financial Institutions in May 2018 and is currently promoting legislation regarding personal financial information protection.
Other key regulators include the NASSP and the SCA, as discussed in 1.2 Regulators.
A series of national standards and government announcements have been released. Most of these documents are still in draft form for public comment, and none of these national standards is currently mandatory. However, in practice a number of these documents are commonly deployed as guidance for law enforcement and corporate compliance, such as the following.
MLPS and network security in general
The Information Security Technology-Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019) (MLPS Baseline Standards), the Information Security Technology-Evaluation Requirement for Classified Protection of Cybersecurity (GB/T 28448-2019), and the Information Security Technology-Technical Requirement of Security Design for Classified Protection of Cybersecurity (GB/T 25070-2019) set forth specifications encompassing the MLPS classification and evaluation process and the respective requirements for systems at each MLPS classification level. The Guidelines on the Protection of Information Security of Industrial Control Systems (ICS Guidelines), promulgated by the MIIT, set forth security protection for industrial control systems (ICS) in various aspects, such as physical environment, authentication, remote access, and emergency response.
The Information Security Technology-Cybersecurity Protection Requirements of Critical Information Infrastructure (Draft for Comments), Information Security Technology–Guide to Security Inspection and Evaluation of Critical Information Infrastructure (Draft for Comments), and Information Security Technology-Indicator System of Critical Information Infrastructure Security Assurance (Draft for Comments) contemplate the requirements of the identification, inspection, evaluation and security of CIIs.
The National Cybersecurity Incident Emergency Response Plan, promulgated by the CAC, sets forth emergency response measures to various cybersecurity incidents by authorities. The Emergency Response Plan for Cybersecurity Incidents in Public Internet Network, promulgated by the MIIT, sets forth emergency response measures applicable to internet industry participants.
The national standard, PI Specifications, is the key and fundamental guidance on PI protection for PICs and is prevalently referred to and adopted in data protection compliance practice and enforcement. The Guidelines for Internet Personal Information Security Protection, promulgated mainly by the MPS, provide guidance on PI protection tailored to internet companies. The Measures for the Identification of Collecting and Utilising Personal Information by Apps in Violation of Laws and Regulations, jointly issued by the CAC, MPS, MIIT and SAMR, set forth methods of identifying unlawful PI processing by mobile applications.
Cross-border data transfer
The Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments) set forth security requirements for the data transferor and receiver in cross-border transfers of PI and important data, as well as guidance for security assessments. However, this draft national standard is likely to be subject to substantial revision in the near future.
In addition, as mentioned in 1.7 Key Developments, there are a number of national standards in the legislative pipeline in 2020 covering various areas of cybersecurity.
The major commonly applied framework for required "reasonable security" is the set of regulations and national standards related to the MLPS. Please see 2.1 Key Laws and 3.1 De Jure or De Facto Standards for further details.
The following illustrate the legal requirements and applicable standards for specific cybersecurity sectors.
Written Information Security Plans or Programmes
China has not established any legal requirements regarding written information security plans or programmes. However, NOs are generally required to provide PI subjects with written documents, usually in the form of privacy policies or consent letters, to inform them of the purpose, methods, and scope of PI collection and processing, the NOs' PI security protection mechanisms, the channels through which PI subjects may assert PI-related claims, the risks of PI processing, and others.
Incident Response Plans
The Cybersecurity Law requires that relevant government authorities formulate emergency response plans for their respective industries and fields. Such emergency response plans shall comply with the National Cybersecurity Incident Emergency Response Plan, which classifies cybersecurity incidents into four categories according to their severity and articulates the respective responses to different levels of incidents by government authorities.
As for private practices, under MLPS requirements all information or computing systems classified at MLPS level 2 or above must formulate their own emergency response plans, provide training to their relevant personnel, and conduct drills. The Emergency Response Plan for Cybersecurity Incidents in the Public Internet Network also sets forth response requirements for foundational telecommunication companies, domain name administration entities, and internet companies. Similar to the authorities' response plans, it classifies cybersecurity incidents into four categories. The regulated entities are required to:
The ICS Guidelines also instruct ICS to formulate response plans and timely report incidents to competent authorities.
Appointment of Chief Information Security Officer or Equivalent
Under the Cybersecurity Law and MLPS-related regulations, each NO shall appoint an officer with general responsibility for overseeing the NO's cybersecurity and MLPS-related arrangements. CIIOs shall, in addition to appointing such an officer, also conduct a security background check on the officer. Further, the PI Specifications and some other national standards also require PICs to appoint an officer responsible for personal information protection.
Involvement of Board of Directors or Equivalent
In China, there is no general legal requirement for direct involvement of the board of directors or equivalent in the cybersecurity matters of a company. However, the fiduciary duty of the board of directors under the Company Law of the PRC may give rise to the board's obligation to establish and maintain an effective cybersecurity system and to take corresponding security measures, depending on circumstances such as the company's industry, the significance of its cybersecurity risks, and others.
It is worth mentioning that in October 2015 the CBIRC issued the Provisions on the Administration of Informatisation of Insurance Institutions (Draft for Comments), requiring institutions to establish an informatisation committee, responsible for informatisation matters including cybersecurity, under the direct leadership of the board of directors. The director of the committee shall be the chairman of the board, the general manager, or an executive director, and the chief information officer shall be a member of the committee.
Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests, etc
Several cybersecurity segments in China contemplate risk assessment requirements.
First, MLPS national standards and draft regulations set forth a large variety of risk assessment requirements. For example: systems at level 2 or above shall conduct periodic security checks of system operation, vulnerabilities, back-ups and others; systems at level 3 or above shall undergo periodic security assessments, issue assessment reports and take corresponding mitigation measures.
Second, the Draft CII Regulations require that the CIIOs establish and maintain a CII risk assessment mechanism and conduct assessment at least once a year and before the initiation of CII operation or any material change of the CII.
Third, according to the draft regulations of cross-border data transfer, NOs transferring PI or important data abroad may be required to conduct security assessments of the risks to PI subjects or state and public interests arising from such transfer.
Fourth, under the PI Specifications, PICs shall conduct PI security impact assessments on their PI processing in certain circumstances, such as before entrusting, sharing, or transferring PI to a third party or publicly disclosing PI. PICs shall assess the sufficiency of consent, the necessity of PI processing, the risks of adverse effects to PI subjects, the effectiveness of security measures, and others.
Multi-factor Authentication, Anti-phishing Measures, Ransomware, Threat Intelligence
The MLPS national standards set forth a variety of security requirements for network and computing systems, such as: (i) systems at level 2 or above shall adopt multi-factor authentication of user identity using passcodes, encryption, biometric technologies and/or other technical measures, of which at least one factor must be encryption-based; and (ii) all systems shall install anti-malware software, update the malware signature database regularly, and establish internal policies for malware countermeasures.
Insider Threat Programmes
The MLPS national standards set forth access control requirements to mitigate insider threats. For example, systems at level 2 or above shall grant access rights to their managing users only to the minimal extent necessary for the purpose, and all systems shall promptly revoke access rights when personnel resign. The PI Specifications also articulate strict access control requirements for PICs, such as: (i) granting their personnel only the minimal access to PI necessary; (ii) separately assigning the authority for security management, data operation and auditing to different personnel; and (iii) establishing a stringent procedure for granting access.
Vendor and Service Provider Due Diligence, Oversight and Monitoring
Obtaining PI from vendors and service providers is recognised as indirect collection of PI. The PI Specifications articulate that PICs indirectly collecting PI shall request the PI providers to clarify the source of PI, the lawfulness of the source, and the scope of PI subjects’ consent, and obtain supplemental consent from PI subjects if the intended processing exceeds the scope of consent.
When PICs provide their vendors or service providers with PI, their activities constitute the entrusting, sharing, or transferring of PI. The PI Specifications set forth a series of requirements for such PI provision, such as:
In the event of providing PI to vendors and service providers abroad, PICs shall conduct cross-border data transfer security assessments.
When procuring network products or services from vendors or providers, under MLPS, NOs shall ensure that the products or services comply with applicable regulations and standards, and systems at level 3 or above shall conduct inspections before procurement and regularly update and review the list of candidate products. In addition, when CIIOs procure network products or services in a manner that affects or may affect national security, such CIIOs shall ensure that the products or services have passed the state cybersecurity review.
Use of Cloud, Outsourcing, Offshoring
The use of cloud is mainly regulated from the MLPS aspect. The MLPS national standards set out an extensive set of extended security requirements for cloud computing at each MLPS level, covering various aspects of cloud computing security, such as physical environment, network structure, access control, audits, authentication, data integrity and back-up, internal management, service providers, and others. It is worth mentioning that cloud computing systems at level 2 or above shall maintain their servers physically within China. When the use of cloud involves PI, PICs shall keep such PI physically stored within China.
Legal requirements for outsourcing activities mainly concern the entrusting, sharing and transferring of PI to third parties. Please see “Vendor and Service Provider Due Diligence, Oversight and Monitoring” above in this Section for details.
Legal requirements for offshoring and for use of cloud involving offshore servers mainly concern cross-border data transfer. Please see the discussion of this topic in 1.1 Laws for details.
Under the Cybersecurity Law, CIIOs are required to conduct cybersecurity education, technical training and skill assessments for employees on a periodic basis. Under the PI Specifications, NOs are required to conduct periodic training and assessments for their relevant personnel regarding PI protection.
Although China has not entered into any treaties specifically concerning data privacy or cybersecurity, China has entered into various bilateral agreements on mutual legal assistance in civil, commercial or criminal matters with a number of countries. These treaties set forth due process requirements of bilateral international legal assistance, which lays the foundation of China’s participation in multinational co-operation, such as international co-operation in combating internet-related crimes and frauds.
In addition, China has been actively participating in activities of the establishment of international standards initiated and organised by the International Organisation for Standardisation (ISO).
According to Article 42 of the Cybersecurity Law, NOs shall take technical and other necessary measures to ensure the security of the PI they collect, and to protect PI from disclosure, damage or loss. In case of disclosure, damage or loss of, or possible disclosure, damage or loss of, such information, the network operator shall take immediate remedies, notify the users in accordance with the relevant provisions, and report to the competent authority.
Specifically, with reference to the Cybersecurity Law and its supporting measures, information security requirements focus on four main areas – de-identification, safe transmission, deletion, and contingency plans. NOs shall establish and improve an internal system for user information protection. The internal department or personnel in charge of cybersecurity must keep any and all PI, privacy and business secrets obtained during their performance of duties in strict confidence.
PI should be de-identified immediately after collection by PICs. Technical and managerial measures should be taken to store the de-identified data separately from the information that can be used to restore identification, and it should be ensured that no particular individual can be identified during subsequent processing of the de-identified data.
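The de-identification requirement above has three parts: replace direct identifiers right after collection, keep whatever can restore identity in a separate store, and make sure downstream processing works on the de-identified data alone. Below is an added worked example in Python, not code from the Cybersecurity Law, the PI Specifications or any named project. It uses keyed pseudonymisation (HMAC-SHA256 over the direct identifiers) as one way to meet the requirement; the specific technique, the sample records, the field names and the choice of which fields count as direct identifiers are the editor's assumptions.

```python
import hashlib
import hmac

# Constructed sample of freshly collected PI; the people and numbers are not real.
COLLECTED = [
    {"name": "Zhang San", "phone": "13800000001", "purchase": 299},
    {"name": "Li Si", "phone": "13900000002", "purchase": 1250},
    {"name": "Zhang San", "phone": "13800000001", "purchase": 88},
]

# Fields treated as direct identifiers in this example (an assumption for the sample).
DIRECT_IDENTIFIERS = ("name", "phone")


def deidentify(records, key: bytes):
    """Return (deidentified_records, restoration_table).

    The HMAC key and the restoration table are the "information that can be used
    to restore identification": they must be stored separately from the
    de-identified dataset, under the access controls for the most sensitive data.
    """
    deidentified, restoration = [], {}
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        # Keyed hash: the same person gets the same token within this dataset,
        # but without the key the token cannot be recomputed from a guessed name.
        token = hmac.new(key, ident.encode("utf-8"), hashlib.sha256).hexdigest()
        restoration.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        deidentified.append(
            {"subject_token": token,
             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return deidentified, restoration


def contains_direct_identifiers(records) -> bool:
    """Release gate: refuse to pass data downstream if any identifier field survived."""
    return any(f in r for r in records for f in DIRECT_IDENTIFIERS)


def reidentify(deidentified_record, restoration):
    """Only the custodian of the separately stored table can reverse a token."""
    return restoration.get(deidentified_record["subject_token"])


def spend_per_subject(deidentified) -> dict:
    """Example of subsequent processing that needs linkage but not identity."""
    totals = {}
    for r in deidentified:
        totals[r["subject_token"]] = totals.get(r["subject_token"], 0) + r["purchase"]
    return totals


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)          # generated and stored away from the data
    data, table = deidentify(COLLECTED, key)
    assert not contains_direct_identifiers(data)
    print(spend_per_subject(data))
```

Two design points are worth noting. A plain unkeyed hash of a phone number would not satisfy the separation requirement, because anyone holding the de-identified dataset could re-identify subjects by hashing candidate numbers; the key is what turns the table into the sole restoration path. And because a different key yields unrelated tokens, datasets de-identified for different purposes are not linkable to each other.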
According to PI Specifications, in principle, PI is not allowed to be shared or transferred. If sharing or transfer by the PICs is necessary, PICs shall perform a PI security impact assessment beforehand, obtain PI subjects’ consent after proper notification, and accurately record the sharing or transferring of PI. Particularly, SPI shall be transferred and stored using encryption and other security measures.
As to the issue of cross-border data transfer, please refer to 1.1 Laws (Cross-border transfers) for details.
If a PI subject finds that the collection and use of his or her PI by an NO violates the laws, administrative regulations or the agreement between that NO and the PI subject, the PI subject is entitled to require the NO to delete his or her PI. If the PI subject discovers an error, the PI subject is entitled to require the NO to make corrections, and the NO shall take measures to delete or correct the PI.
What’s more, in order to meet the necessity requirement under Cybersecurity Law, the retention period of PI shall be the minimum necessary to realise the purpose. When the agreed-upon retention period expires, PI shall be deleted or anonymised as soon as possible.
Emergency Response Plan
Please refer to 3.3 Legal Requirements (Incident response plans) for details.
In general, NO’s internal department or personnel in charge of the cybersecurity must keep all business secrets obtained during their performance of duties in strict confidence. Data protected by China’s cybersecurity regime can generally be divided into categories of PI, important data, trade secrets, commercial encryption, and others.
Enterprises are advised to first identify whether their material business data and material non-public information fall under the definition of PI or important data. If neither category applies, such data may, if applicable, fall under the scope of trade secrets, the identification and protection of which are set forth by the Anti-Unfair Competition Law of the PRC.
For security requirements of business data or non-public information identified as PI, please refer to 4.1 Personal Data.
If material business data is recognised as important data, according to the Cybersecurity Law, NOs are required to take measures such as back-up and encryption of important data. Besides, the Measures for the Administration of Data Security (Draft for Comments) set forth specific affirmative security requirements for the administration of important data, though they have not taken effect yet. Thereunder, NOs may be required to file with the local cyberspace administration when they collect important data, appoint persons responsible for data security, conduct a security assessment before transferring such data abroad, and report to the competent regulatory department for approval.
Various requirements are imposed by the Cryptography Law when enterprises adopt commercial encryption to protect their data. Commercial encryption products closely related to national and social public interests shall be certified by qualified inspection agencies before being placed on the market. CIIOs adopting commercial encryption shall conduct security assessments themselves or through qualified inspection agencies. When CIIOs’ procurement of network products or services adopting commercial encryption may affect national security, a security review of the procurement shall be conducted by the relevant state authorities.
Under the MLPS, in principle NOs are required to:
MLPS protects generic information networks, ICS, cloud computing platforms, internet of things (IoT), big data platforms, mobile communication systems, and other network systems (MLPS subjects). NOs have different filing and self-assessment obligations for their MLPS subjects at each of the five protection levels – the higher the classification level, the more demanding the compliance obligations of the NOs.
In addition to the above requirements applicable to all NOs, CIIOs are in principle identified as level 3 or above, and have additional general obligations to:
In the scenario of cross-border data transfer by CIIOs, please refer to 1.1 Laws (Cross-border transfers) for details.
In addition, the Draft CII Regulations further specify the requirements on the security protection of CII, encompassing the establishment of CIIs, response to security incidents, daily operation and security maintenance, security monitoring and inspections, local data storage, security assessment of cross-border data transfers, security of network products and services procurement, and others.
Apart from the general security requirements for NOs under the Cybersecurity Law illustrated in 4.3 Critical Infrastructure, Networks, Systems, the Draft MLPS Regulations contemplate general MLPS monitoring requirements related to preventing denial of service attacks. Particularly, while NOs shall monitor and record their network security status, operators of MLPS subjects at level 3 or above shall in addition adopt further precautionary and monitoring measures and timely file the results with local public security bureaus.
With regard to the technical specifications for preventing denial of service attacks, the MLPS Baseline Standards prescribe respective requirements for MLPS subjects at each level regarding security protection capacity in four key technical aspects: the security management centre, the secure communication network, the secure area boundary and the secure computing environment.
Apart from overarching guidelines in the Cybersecurity Law and supporting regulatory documents, there are laws and regulations in particular industries or sectors that also touch on the topic of cybersecurity. For instance:
According to the National Cybersecurity Incident Emergency Response Plan, cybersecurity incidents refer to incidents that cause harm to the network and information systems or data therein and adversely affect society due to human factors, hardware or software defects or failures, natural disasters, etc. They can be categorised as hazardous program incidents, network attack incidents, information destruction incidents, information content security incidents, equipment and facility failures, catastrophic incidents, and other incidents. Furthermore, cybersecurity incidents are graded into four levels, namely severely material, material, relatively material, and general cybersecurity incidents.
For the purpose of data security incident or breach regulations, generally all types of data may be covered. In addition to the general types of protected data (namely PI, important data and trade secrets), the data contemplated under the National Cybersecurity Incident Emergency Response Plan are also covered: state secret information, important sensitive information, critical data, and other data whose loss would pose threats to or have impacts on national security, social order, economic construction and public interests.
The legal construct of data security incident or breach covers: (i) important network and information systems that undertake business closely related to national security, social order, economic development and public interest; and (ii) network and information systems that would pose threats to or incur impacts on national security, social order, economic construction and public interests upon being damaged.
The Guidelines for Technical Review of Medical Device Network Security Registration articulate general security requirements for applicants for medical device network registration, such as: (i) paying continuous attention to cybersecurity issues during the whole life cycle of medical device production; (ii) improving the user access control mechanism; and (iii) notifying users of relevant cybersecurity information in a timely manner.
The fundamental security requirements for ICS (including SCADA) can be found in the ICS Guidelines, which list 11 protection requirements, covering security software selection and management, configuration and patch management, boundary security, physical and environmental security, identity authentication, remote access security, security monitoring and emergency drills, asset security, data security, supply chain management, and responsibility implementation. In addition, the MLPS Baseline Standards provide security requirements specifically for ICS, such as outdoor control equipment protection, network structure security, dial-up usage control, wireless use control and control equipment security.
MLPS Baseline Standards provide security extension requirements for IoT such as the physical protection of sensor nodes, device security of sensor nodes, device security of gateway nodes, management of sensor nodes and data fusion processing. Other national standards also serve as reference to IoT security, such as the security technical requirements for data transmission.
Under the Cybersecurity Law, the NOs concerned shall report incidents that threaten cybersecurity to the competent authority. Thereunder, for instance:
As for CII, authorities in charge shall establish the cybersecurity monitoring mechanism and information reporting mechanism for specific industries/sectors within their respective jurisdictions.
In case of increasing risk of cybersecurity events, governments at provincial level and above shall take measures to require authorities, agencies and personnel concerned to promptly collect and report necessary information and enhance monitoring of cybersecurity risks.
In accordance with the Cybersecurity Law, China has established a national cybersecurity information reporting mechanism led by the CAC and MPS while at the same time multi-ministries/bureaus, including MIIT, NDRC, secrecy bureau, etc, are participating.
Under the Cybersecurity Law, in case of disclosure, damage or loss (or possible disclosure, damage or loss), NOs are obligated to notify the affected users promptly. In addition, for any risk, such as security defect or bug in network products or service, the product/service providers concerned shall inform the users of such risk. In addition, according to PI Specifications, in case of PI security incident, affected PI subjects shall be notified of information related to the incident.
Other Companies or Organisations
There are various thresholds and standards of notification in China’s cybersecurity regime.
For instance, according to the Emergency Response Plan for Cybersecurity Incidents in Public Internet Network, the lowest level of network security incident is the general network security incident, which meets one of the following conditions: (i) a large number of internet users within one municipality are unable to access the internet normally; (ii) the leakage of the information of more than 100,000 internet users; or (iii) other incidents that cause or may cause general harm or effect. It can be inferred that at least the same threshold of cybersecurity harm applies to data breach incident notification.
In addition to the harm to cybersecurity, notification obligations are also triggered when personal information is “likely to be divulged, damaged or lost” under the Cybersecurity Law.
According to the Measures for Monitoring and Handling Threats to the Cyber Security of Public Internet, telecommunications authorities (including MIIT and provincial communication administrations) are in charge of monitoring cybersecurity threats. Thereafter, Information security technology – Basic Requirements and Implementation Guide of Network Security Monitoring sets out the framework and baselines for network security monitoring, which contemplate that network security monitoring is conducted through real-time collection of network and security equipment logs, system operation data and other information.
The intersection of cybersecurity and privacy illustrates the conflict arising from the intertwined interests of the community and of individuals/entities. For instance, from the commercial practice perspective, as companies impose confidentiality obligations on their employees, an employee reporting a vulnerability in his or her company’s network system to a third party is in conflict with those confidentiality obligations.
Though it is difficult to clearly define the boundaries between the two, the state tries to balance the scales. For example, public authorities may only collect and use personal information upon data subjects’ authorised consent or statutory authorisation by laws or administrative regulations, even when a cybersecurity threat is involved; generally speaking, we understand that only circumstances of certain criminal investigations or threats to national security may trigger such statutory authorisation. Additionally, under Article 45 of the Cybersecurity Law, authorities and their staff bearing cybersecurity regulatory authority must keep strictly confidential any PI, privacy information and business secrets obtained in their performance of duties. Furthermore, Article 30 of the Cybersecurity Law prescribes that cyberspace administrations and the authorities concerned shall only use the information accessed in performance of their duties for cybersecurity protection purposes.
Please refer to 5.7 Reporting Triggers (Government authorities) for details of this matter.
With regard to Article 29 of the Cybersecurity Law, the state supports the co-operation among network operators in collection, analysis and notification of cybersecurity information and emergency response, in order to improve their cybersecurity protection capacities. The relevant industry organisations shall establish and improve respective cybersecurity rules and co-ordination mechanisms, enhance analysis and assessment on cybersecurity risks, regularly release risk alerts to their members, and assist their members with coping with cybersecurity risks.
In China, users, suppliers and research institutions are encouraged to report any potential system vulnerabilities identified to the CNVD, as described in 1.5 Information Sharing Organisations above, so as to gather, verify, and warn against any security vulnerabilities and to establish an effective and co-ordinated emergency response mechanism among all operators.
Since the implementation of the Cybersecurity Law, the main regulators – namely CAC, MPS, SAMR and MIIT – have carried out cybersecurity inspections or special law enforcement activities across the country several times.
Since March 2019, MPS has deployed public security organs across the country to carry out the “Jingwang 2019” campaign for combating pornography and illegal publications. By 30 December 2019, public security bureaus around the nation had successfully detected and solved a number of cybercrimes.
Currently, we have not spotted any administrative or regulatory litigations with respect to cybersecurity being publicly disclosed in China.
Depending on the circumstances, enforcement authorities impose penalties, order for remedial actions, or issue warnings to companies and their management personnel for cybersecurity or information security violations.
For example, during the "Jingwang 2019" campaign, an online shopping mobile app in Ningbo City was found collecting PI and obtaining user authorisation without informing its users. In December 2019, the local public security authority imposed an administrative fine of CNY100,000 on the owner company of the app and CNY20,000 on the person in charge of app maintenance.
Another example is a cybersecurity inspection led by MIIT in January 2019, in which a network radio broadcasting company failed to formulate an emergency response plan for network security incidents in accordance with the Cybersecurity Law requirements. The company also failed to maintain mature cybersecurity event management, develop its incident report and management system, establish an incident notification process, and report the relevant situation to the competent authorities after the occurrence of the cybersecurity incident. The local municipal communications bureau interviewed the key persons in charge of the company, and ordered them to take active cybersecurity measures such as implementing security management policies and improving the emergency response and reporting system.
Please refer to 1.3 Administration and Enforcement Process and 1.4 Multilateral and Subnational Issues.
Qunar, a major online ticket-booking platform in China, and China Eastern Airlines were sued by one of their users for tort before the First Intermediate People’s Court of Beijing in March 2017, alleging that his PI, including name and telephone number, was disclosed by Qunar and China Eastern Airlines to a third party who subsequently sent phishing messages to the plaintiff claiming that his flight was cancelled. The court ordered Qunar and China Eastern Airlines to apologise to the plaintiff.
As of today, we are not aware of any class actions related to cybersecurity incidents or data breach in China.
The process of diligence in corporate transactions mainly concerns the security aspect and the asset aspect of data.
For the security aspect, MLPS classification and evaluation of company’s information system are the first steps of due diligence. Comprehensive assessments of cybersecurity based on MLPS classification will then be conducted to perform gap analysis of various security-related matters, including, as the case may be, emergency response, PI protection, cross-border data transfer security, CII protection, and others.
As for the asset aspect, due diligence will focus on confirming the legitimacy of the corporate data and identifying the legal boundary of corporate data assets. As security and compliance of data are the premises of data assets, taking data mapping as reference, assessment reports will be issued to review the corporate compliance of data regarding various matters, such as PI processing, internal corporate systems related to cybersecurity and data compliance, information content administration, and others. Identifying the boundary of the company’s data and the claims the company has over them will be the next step to confirm the company’s proprietary rights on the corporate data.
The National General Response Plans for Public Emergency Incidents set forth local government authorities’ obligations to report public emergency incidents to higher-level authorities. Cybersecurity risks that constitute public emergency incidents may be disclosed and reported to various levels of authorities for emergency alerts and responses. The Emergency Response Law of the PRC also requires that all entities timely report their potential emergency incidents to local authorities in accordance with applicable laws and regulations. In the financial area, the Measures for the Administration of Initial Public Offering and Listing of Stocks and other similar IPO administration measures require that any information that may have a major impact on investors' investment decisions be disclosed in IPO prospectuses.
However, entities should note that the disclosure of cybersecurity information may be subject to certain limitations under recent draft measures by the CAC, as described in 1.5 Information Sharing Organisations.
When two or more network sub-systems at different MLPS levels are interconnected, the combined system may adopt the MLPS security standards of the sub-system at the highest MLPS level.
Embracing an Improved Cybersecurity Protection Regime in China
Cybersecurity has long been recognised as a state-level concern in China and the state has witnessed notable progression in both cybersecurity legislation and relevant law enforcement in recent years. The first milestone was the implementation of the Cybersecurity Law of the PRC which sets forth the basics of the guarantee and management of network security for different network participants of government authorities, enterprises and individuals. Rapid development in both legislation and law enforcement fields has taken place, including the establishing of a cybersecurity regime based on the classified cybersecurity protection scheme (also known as the multi-level protection scheme or MLPS) and the regularity of multi-agency co-ordinated network security inspections and enforcement.
Legislation Development Based on the MLPS
The MLPS is a structural system of network security requirements for all types of information or network systems in China and is the foundation of the Chinese cybersecurity regime. Back in 1994, China introduced the concept of MLPS for computer information systems through the issuance of the Regulations on the Security Protection of Computer Information System. After years of subsequent administrative and legislative work, with the issuance of Administrative Measures for the Graded Protection of Information Security (2007 Administrative Measures) by the Ministry of Public Security (MPS) in 2007 and various supporting measures, China established the cybersecurity regulatory scheme with the 2007 Administrative Measures at the core, which marked the commencement of China's “MLPS 1.0” era.
The MLPS classifies network and computing systems into five levels depending on their social and economic importance and the security impact incurred upon damage to the system. More demanding requirements in all cybersecurity aspects are progressively imposed on systems classified at a higher MLPS level.
The Cybersecurity Law of 2017 recognises the MLPS as the fundamental framework of cybersecurity protection for network operators, marking the commencement of the “MLPS 2.0” era, followed by a series of MLPS regulations and standards, including the Regulations on Graded Protection of Cybersecurity (Draft for Comments), released by the MPS in 2018, and three MLPS national standards effective since May 2019 (as described in Section 3.1 De Jure and De Facto Standards of China Cybersecurity Law and Practice).
MLPS 2.0 has made important progress compared to the earlier MLPS system, such as: (i) expanding the scope of systems protected by MLPS; (ii) introducing personal information protection requirements for each MLPS level; (iii) in addition to general security requirements, setting forth specialised requirements for cloud computing, mobile application, internet of things (IoT), and industrial control systems at each MLPS level; and (iv) requiring systems at level three or above to conduct annual MLPS assessments and report to local public security authorities.
In synergy with MLPS, over the past two years a series of laws, regulations and standards concerning various segments of cybersecurity in China have been released, such as:
In particular, it is perceived that the identification and protection of CIIs will be one of main topics in the legislation forthcoming in 2020. While government authorities at various levels have carried out pilot practices of CII identification, assessment and protection, currently such practices are conducted via internal communications between the regulators and CIIs identified by them, and no finalised regulations or guidance on implementation measures of CII protection are available.
In addition, the recently released draft national standards covering various specific areas of cybersecurity, as mentioned above, also illustrate the continuing legislative attention to legal requirements in specific cybersecurity segments.
Regularity of Network Security Law Enforcement
Since the implementation of the Cybersecurity Law, the major regulatory departments – namely the Cyberspace Administration of China (CAC), the Ministry of Public Security (MPS) and the Ministry of Industry and Information Technology (MIIT) – have initiated several cybersecurity-related inspections or special law enforcement actions across the nation. The normalisation and regularity of cybersecurity law enforcement is on-trend, as evinced by the following aspects.
Jingwang ("cleansing the internet")
Each year, the aforementioned three departments, together with the National Work Group for Combating Pornography and Illegal Publications, initiate the “Jingwang” ("cleansing the internet") campaign, during which competent authorities investigate and endeavour to prevent incompliance with the Cybersecurity Law and combat cybercrimes.
During the Jingwang campaign in 2019, the cybersecurity team of MPS and local public security bureaus around the nation successfully solved more than 690 cases by multi-level co-ordination of MPS agencies, cracked down on more than 210 black industry companies, shut down 40 platforms operating in the trading of mobile text message authentication codes and assisting malicious network account registration, arrested more than 14,000 criminal suspects, seized more than 13 million illegal mobile phone numbers, confiscated more than 1.14 million pieces of unlawful equipment (such as modem pools, card pools, pinhole cameras and others), removed more than 42.5 million malicious registered accounts and seized 1.263 billion pieces of illegally collected and processed citizens' personal information from suspects violating laws and regulations.
Network security inspections
MIIT initiates network security inspections in the telecommunication and internet industries each year. For instance, in 2019, MIIT issued a notice to carry out inspections in order to clarify the responsibilities of the parties concerned, prevent network security risks, and improve the level of network security protection in the telecommunication and internet industries.
The targets of the inspections comprised the basic telecommunications enterprises, internet enterprises, domain name registration administration, and service institutions legally licensed by the competent telecommunications authorities, among which the following were afforded extra attention: network infrastructure and critical information systems that collected and processed user information and network data through the public internet, including IP-carrying networks, supporting networks, internet data centres, public cloud service platforms and content distribution networks.
The inspection focused on the network operators’ compliance and implementation of the Cybersecurity Law, Administrative Measures for Security Protection of Networks, and Provisions on Protecting the Personal Information of Telecommunications and Internet.
Monitoring and management
In addition to routine cybersecurity inspections, MIIT organises local communications administrations, basic telecommunications enterprises, network security professional institutions, internet enterprises and network security enterprises to carry out network security threat monitoring and management in accordance with the Provisions of the Measures for Monitoring and Responding to Public Internet Cybersecurity Threats. Since 2018, the Cybersecurity Administration of MIIT has published analysis and review of the network security threat situation in the previous quarter on its official website on a quarterly basis, including the notable cybersecurity threats, the main tasks completed and the prioritised tasks for the next step.
Furthermore, in addition to on-site inspections, China aims at advancing its practice of remote cybersecurity inspections and monitoring in the near future, similar to common practices in cybersecurity protection in other jurisdictions. Notably, the MPS issued the Provisions on Internet Security Supervision and Inspection by Public Security Organs (Public Security Supervision Provisions) in 2018, which articulates procedural requirements of both on-site and remote supervision for public security agencies and the rights to classification of personal information, privacy and commercial or state secrets.
It is expected that more specific measures by the major regulators on topics of remote supervision and detection of cybersecurity threats or cybercrimes will be promulgated before or along with the mass deployment of such remote supervision. Furthermore, the long-standing topic of the intersections and boundaries of cybersecurity, data protection and proprietary rights of enterprises, such as trade secrets, will also be a key issue to be addressed in the next phase of cybersecurity law enforcement; the goal is to reach a balance of interests between the state and individuals and entities.
Advice to Enterprises
In the tide of China’s rapid legislative and enforcement development for improved cybersecurity protection, enterprises are advised to pay close attention to updates of relevant laws and regulations.
It is worth mentioning that a number of key regulations and national standards in drafts have been commonly applied as frameworks and guidelines in national cybersecurity enforcement, and that a great number of national standards (either finalised or in drafts) covering specific segments of cybersecurity, such as encryption, cloud computing, detection of vulnerability and others, have been and will continue to be released. As such, when developing, supplying and adopting network products and services – particularly in high-end and emerging industries – enterprises shall make sure that they comply with legal requirements both in general and in relevant cybersecurity segments, including those contemplated in draft regulatory documents.
Specifically, considering the unforeseeable risks to cyberspace, enterprises are advised to take the following measures in response to the trending regulations on cybersecurity.
In conclusion, while the foundation of China’s current cybersecurity regime is established upon the requirements of Cybersecurity Law and MLPS 2.0 regulations and standards, the cybersecurity legal system is still under rapid and sustained development, with many gaps for legislation to fill in specific cybersecurity segments, in particular the protection of CIIs. On the other hand, the increasing activities of cybersecurity enforcement also pose challenges for enterprises to respond strategically. Indeed, it is high time for enterprises to attach great importance to cybersecurity compliance in corporate strategies.