On 1 June 2017, the Network Security Law of the People’s Republic of China, also known as the Cybersecurity Law, came into effect.
The regulation aims to increase the level of security and protection of IT data within the Chinese territory. The Chinese legislator has coined the new concept of cyberspace sovereignty.
The first articles of the law describe the main principles which shall be pursued by the State.
The departments dealing with the Cybersecurity Law will be the Cybersecurity Administration of China (CAC), together with the administrative department of telecommunications and the department of public security.
The provisions will apply to two macro-classes, which the law defines as network operators and operators of key IT infrastructures, respectively. Network operators are the owners, managers and suppliers of network services. To clarify the meaning of key IT infrastructures, the law cites by way of example businesses operating in the fields of communication and information, energy, water conservation, finance, public services and e-government. Both definitions are vague, leaving much room for speculation and interpretation. For instance, can an online platform with a million daily visitors or clients be considered an operator subject to this law? At present the law does not provide further clarification.
However, the regulation requires operators to take a series of measures to protect their IT data, including the establishment of an IT security department, the designation of the persons in charge of network security and the regulation of operating procedures. This will also make it easier to communicate with the Government authorities.
On 4 February 2017, the CAC released the “Measures for Security Review of Cybersecurity Products and Service (Draft for Comments)”. Analysing these guidelines within the Cybersecurity Law framework allows a better understanding of the key issues for the operators involved.
In brief, according to these measures, the relevant IT products and services will undergo a security assessment carried out by the State, outlining their actual reliability and security. The assessment will consider the risk of illegal control of the product or service; the risk of suspension of the product or service; the risk that the provider of the service or product may collect, store, process or use the personal information of users in order to gain an unfair advantage; and the risk that the use of the product or service may lead to unfair competition or harm the user’s interest.
These assessments may be carried out upon request of the State, after a relevant accident or upon voluntary request.
The requirements for the localization of IT data are a controversial aspect of the law. If an operator of key IT infrastructures produces or collects personal information or other relevant data related to business activities, the Cybersecurity Law requires the operator to store the data within the Chinese territory.
If the transfer of the aforementioned data outside the Chinese territory is needed for commercial purposes, the Chinese authority shall provide an authorization after a security test is carried out.
Due to the protests against the regulation, the State has conceded a nineteen-month extension for the companies to comply.
All the companies operating in China or dealing with Chinese clients should therefore pay particular attention to the developments of the regulation.
(Shanghai Office – Luigi Zunarelli – 0086 21 51501952 )