Article New York Law Journal

Challenges and Advice for Multinational Companies in Complying With Chinese Cybersecurity Law

In June 2017, China’s Cybersecurity Law (the CSL) came into effect, bringing China’s patchwork of cybersecurity-related regulations under one comprehensive law. Importantly, the CSL also imposes a host of additional requirements on multinational companies operating in China related to data security, the protection of personal information, and cross-border data transfers. The full scope and impact of the CSL remain unclear, largely because the Chinese government has yet to finalize all of the CSL’s implementing regulations. However, we provide here an overview of the key requirements imposed by the CSL and a roadmap for multinational companies seeking to assess their obligations and responsibilities under the law.

Overview of the CSL
The key legal requirements of the CSL fall under three general categories: (1) data security; (2) protection of personal information; and (3) cross-border data transfers. The law imposes basic requirements related to these three categories on all “network operators” doing business within the territory of mainland China. The CSL broadly defines “network operators” to encompass “network owners, administrators, and network service providers”—which covers virtually any business that operates an internal computer network, or even just a website, in China. Multinational companies with Chinese subsidiaries or China-focused trade should assume that they are at least a network operator for purposes of the CSL.
 
The CSL then imposes heightened requirements on the subset of network operators that are termed “critical information infrastructure operators” (CIIOs). The definition of critical information infrastructure is vague, including any system that, “if destroyed, disabled, or leaked data, might seriously endanger national security, national welfare and the people’s livelihood, or the public interest.” The Chinese government has promised to clarify the CSL’s definition of CIIOs in forthcoming regulations, but the Cyberspace Administration of China has identified the energy, transportation, health care, financial, media and telecommunications, and industrials sectors as providing critical infrastructure, suggesting that the definition of CIIOs ultimately may be a broad one.
 
Data Security Requirements. All network operators must implement baseline security requirements, many of which multinational companies should already have in place, including:
 
• Developing internal security management policies and protocols;
 
• Designating a responsible person for cybersecurity protection within the company;
 
• Adopting measures to prevent viruses, cyberattacks, network intrusions, and other threats to network security;
 
• Adopting measures to monitor and keep records of network operations and network security incidents, and retaining those network logs for at least six months;
 
• Identifying important/sensitive data and adopting measures, such as automatic backup and encryption, to protect it;
 
• Developing an emergency plan for responding to security incidents; and
 
• Implementing remediation steps after detecting security loopholes or failures.
 
In addition to these baseline requirements, the CSL also imposes an additional obligation on network operators to “timely” report security incidents to relevant Chinese authorities as required under “applicable rules.” However, the details of just what rules apply to such reports, and how promptly reports must be submitted to be considered “timely,” remain unspecified under the law.
 
The more stringent data security requirements imposed on CIIOs include:
 
• Designating an administrative department to be in charge of cybersecurity, and requiring background checks on personnel that fill key positions in the department;
 
• Providing cybersecurity training, technology training, and skill evaluations to relevant personnel;
 
• Implementing a disaster recovery backup protocol for important systems and databases;
 
• Developing response plans for cybersecurity incidents and conducting drills on a regular basis; and
 
• Conducting, or engaging a network security consultant to conduct, regular inspection and assessment of the company’s network security and potential risks.
 
The CSL also subjects CIIOs to stricter requirements when procuring and using network products and services. For example, if those products and services might affect national security, the procurement may need to undergo a national security review process conducted by the Chinese government. Further, the law requires CIIOs to sign security and confidentiality agreements with network product and services providers. Some global businesses that worry that the CSL could be used improperly to gather sensitive information about private network infrastructure and intellectual property have criticized these requirements. Again, the Chinese government has promised to issue additional clarifying regulations related specifically to CIIOs.
 
Personal Information Protection. The CSL emphasizes privacy protection and imposes requirements on network operators related to the collection, use, storage, and protection of personal information. The CSL broadly (and somewhat vaguely) defines “personal information” to include any data that identifies an individual either independently or when combined with other information. In some aspects, the key requirements of the CSL mirror the requirements of the European Union’s General Data Protection Regulation related to personal information, including:
 
• Ensuring the legitimacy and necessity of personal data collection and use (including storage, transfer, and handling);
 
• Providing adequate disclosure and obtaining informed consent regarding collection and use of personal information;
 
• Adopting adequate technical and compliance measures to protect the security of personal information; and
 
• Giving individuals the right to correct or delete their own personal data.
 
Cross-Border Data Transfers. Although drafts of the CSL included strict data localization requirements, the final version of the CSL does not prohibit network operators from transferring any data outside of China. Instead, the CSL allows network operators to transfer data freely unless it includes personal information or “important data,” for which network operators must first conduct a security self-assessment of the risk of overseas transfer.
 
In addition to the security self-assessment, before transferring personal data overseas, a network operator must disclose to all individuals whose data is included the purpose, scope, and type of the transfer and the country or region to which the data will be transferred, and must obtain their informed consent. Further, draft data transfer regulations suggest that network operators may be required to disclose the results of their security self-assessments to relevant industry regulators, such as the Chinese Food and Drug Administration or the Chinese Banking Regulatory Commission, prior to conducting any large-scale outbound transfers of personal information (comprising more than 500,000 individuals per year).
 
The CSL’s draft implementing regulations also suggest that network operators will be required to disclose the results of security self-assessments to (and potentially be required to receive approval from) relevant industry regulators prior to transferring “important data” outside of China. “Important data” broadly includes information relating to population health, important financial data, and other data affecting national security, economic development, or the public interest. The current draft regulations suggest that network operators may be prohibited from transferring certain “important” data overseas if the transfer could endanger Chinese national security, economic development, or public interests.
 
Takeaways for Businesses Operating in China
Companies operating in China should consider the following steps to better comply with the CSL’s new and evolving legal requirements, as violations can result in fines, disgorgement, website suspensions, and business license revocations:
 
• Consider whether your business qualifies as a network operator or CIIO.
 
If your business qualifies as a network operator (which it likely does), you should consider taking immediate steps to build up your CSL compliance program, including implementing the baseline security measures required by the CSL. Consult counsel to determine if you qualify as a CIIO, in which case you will be subject to heightened compliance requirements.
 
• Consider conducting a cybersecurity risk assessment to identify potential compliance risks and gaps, and implement remediation measures.
 
Conducting an effective cybersecurity risk assessment can help your business identify areas of vulnerability and noncompliance and prioritize areas for remediation. Compliance with the cybersecurity requirements has been an enforcement priority of Chinese regulators since the CSL came into force.
 
• Determine what types of data your business collects and generates in China.
 
It is important to understand the types of data your business collects and generates in China, especially whether any of it falls into the definition of “personal information” and/or “important data.” Working with your IT departments and business units to map the types of data you collect and store in China will help you to better design or update your privacy protection and data localization/transfer policies and procedures for your China business. This is particularly significant for companies collecting personal information in China that is processed by an office outside of China (e.g., health care, insurance, retail finance).
 
• Review and update existing privacy policies/notices, agreements, and employment contracts to comply with the privacy protection requirements imposed by the CSL.
 
The Chinese government has subjected Internet companies and other consumer-facing enterprises to heightened scrutiny of privacy protection practices. Updating existing policies and contracts is an easy way to ensure compliance with this portion of the CSL’s requirements.
 
• Provide training for Chinese employees to ensure awareness of cybersecurity and data protection policies and procedures.
 
A company’s cybersecurity system will only work well if employees are trained properly on it. Consider providing data security and privacy protection training for all employees in China, and enhanced security training for specific employees in key positions.
 
• Closely monitor the legislative developments.
 
Because many of the CSL’s implementing regulations, guidelines, and standards are still in draft form, with additional rules and regulations to be issued throughout 2018, companies should actively monitor legislative developments relating to the CSL.
 
Cori Lable, a partner in the Hong Kong office, Zach Brez, a partner in the New York office, and Jodi Wu, a partner in the Shanghai office, are all members of Kirkland & Ellis’ government and internal investigations group.

REPRINTED WITH PERMISSION FROM THE FEBRUARY 23, 2018 EDITION OF CORPORATE COUNSEL © 2018 ALM MEDIA INC. ALL RIGHTS RESERVED. FURTHER DUPLICATION WITHOUT PERMISSION IS PROHIBITED