2018 has been an active year for developments in China’s cybersecurity and data protection regimes. In this e-bulletin we highlight the major regulatory and enforcement developments during the year in four key areas:
- Security protection obligations, where significant regulatory efforts have been made in 2018 to implement the law through new regulations to progress the establishment of the multi-level protection scheme and new inspection regulations that authorise the police to inspect the network security of internet service providers;
- Obligations to manage online information, where microblog regulations focusing on social networks were implemented and security assessment regulations have been introduced for services that enable public opinion to be expressed. Draft blockchain regulations were also released requiring the registration of blockchain information service providers;
- Obligations to protect personal information, where the first set of national standards on personal information security came into effect, draft guidance was published by the police on the protection of personal information on the internet, and the legislature has prioritised the national laws on data protection on its legislative agenda; and
- Obligations of supply chain security, where developments have focused on appointing the qualifying institutions for certifying and testing key network equipment and security products and new rules for implementing security certification.
Further details are set out below. In each case we set out a reminder of the obligations under the Cyber Security Law and provide a brief summary of the main developments during this year.
For a more in depth update on the latest developments, please see our monthly e-bulletins (click here for the most recent one).
I. Security protection obligations
Reminder of legal obligations
Under Article 21 of the Cyber Security Law, network operators are required to implement the multi-level protection scheme for network security. Under this scheme, each network operator must be assessed and graded according to the security protection level applicable to that network operator. This will determine the set of security protection obligations that the network operator is required to comply with.
A network operator’s security obligations include, among others:
a. formulating internal security management systems and operation manuals, appointing personnel responsible for network security, and discharging network security protection responsibilities;
b. taking technical measures to prevent acts that could harm network security, hacking and viruses;
c. monitoring and recording the operational status of the network and network security incidents, the log documents for which must be kept for no less than six months; and
d. taking data classification, backup (for important data) and encryption measures.
In particular, Articles 31 to 39 impose more stringent obligations, including a data localisation requirement, on selected network operators of critical importance to state security, the national economy or the public interest. These are known as critical information infrastructure operators. In July 2017, the Cyberspace Administration of China published draft regulations on the protection of critical information infrastructure, which have yet to be enacted (please click here for our analysis on the draft regulations).
Under Articles 56 and 59, in the case of a breach of the security protection obligations the competent authorities may (i) demand a meeting with the legal representative of the network operator; (ii) order rectification; (iii) issue warning letters; and (iv) impose a fine on the network operator and the person directly responsible for the breach. In serious cases, criminal penalties could arise. The Ministry of Public Security, namely the police, and its cyber police arm are charged with enforcing the regulations.
1. The Ministry of Public Security has made significant regulatory efforts to implement the security protection obligations under the law. The Ministry is progressing towards establishing the multi-level protection scheme regime: it published draft regulations on the multi-level protection scheme of network security in June 2018 and, in March 2018, published the administrative measures on evaluating institutions. These regulations are a key component in establishing the multi-level protection scheme. The regulations will apply to all network operators and, once enacted, will lay down the legal framework for implementing the multi-level protection scheme and pave the way for the Ministry to police its enforcement. It is expected that these will be the first major regulations to be enacted since the law came into force in June 2017.
2. In September 2018, the Ministry of Public Security issued regulations on the supervision and examination of internet security. The regulations authorise the police to inspect the network security of providers of the following services: (i) internet connection services, internet data centres, content delivery networks and domain services; (ii) internet information services; (iii) internet cafe services; and (iv) other internet services (which is not defined but could cover nearly all the services constituting the internet industry in China).
The regulations summarise and consolidate the security obligations of internet service providers set out in the Cyber Security Law and a series of regulations and circulars applicable to different types of internet service providers. The regulations give the police authority to conduct onsite inspection of an internet service provider’s place of business and carry out remote testing of network loopholes. The powers of the police and the procedures for inspecting internet service providers and imposing penalties are also clarified.
3. In November 2018, the Cyberspace Administration of China and the National Information Security Standardization Technical Committee (also known as TC260), the body responsible for promulgating a number of cyber security standards, launched a pilot scheme to evaluate the final draft of guidelines on the security examination and evaluation of critical information infrastructure. Under the pilot scheme, six institutions will evaluate the critical information infrastructure protection of 12 selected operators pursuant to the draft guidelines, with the aim of discovering issues that could arise in implementing the guidelines as well as the protection obligations. This moves China a step closer to implementing its critical information infrastructure protection regime.
There have been fewer cases reported on violations of security protection regulations since January 2018, following an initial wave of enforcement cases in late 2017 once the Cyber Security Law came into force. This could be because the main regulations and standards on the multi-level protection scheme are still in the consultation process and have yet to be enacted.
However, the Ministry of Public Security seems to have stepped up its enforcement actions since the supervision regulations discussed in paragraph 2 above, which clarified the powers of the police, came into force. It is reported that cyber police in Shenzhen and Chongqing handed down penalties in November shortly after the regulations came into force. It is likely that the cyber police will conduct more regular inspections of internet service providers to discharge their obligations under the regulations. We expect that the Ministry will further step up its enforcement actions after the network security regulations discussed in paragraph 1 above are enacted.
II. Obligations to manage online information
Reminder of legal obligations
Articles 24 and 47 of the Cyber Security Law require network operators to enforce real-name registration requirements on their users, manage information published by their users, and take measures to cease transmitting prohibited information, prevent further dissemination, maintain records and report relevant matters to the competent authorities.
Breach of these obligations carries more serious consequences. The penalties can include not only an order for rectification, a warning, confiscation of income and a fine, but also suspension of the network operator’s operations or business, closure of its website, revocation of its operation permit or even its business license.
The Cyberspace Administration of China is charged with the duties of administering content and speech published on the internet and internet news service and enforcing the obligations under the law.
1. In February 2018, the Cyberspace Administration of China issued administrative measures focused on microblog information services, the social networking services that are equivalent to Twitter in China. These regulations specify the obligations of microblog service providers, including, among others, the obligations to (i) protect the security of service and information, (ii) impose real-name registration requirements, (iii) monitor and manage the information published by the users and take action against information not permitted by law, (iv) establish a complaint system, and (v) keep a record of the user log information for a minimum of six months.
Notably, on 15 November 2018, the Cyberspace Administration of China published a further regulation requiring all service providers to carry out a security assessment on services that enable the public to express their opinion or are capable of being used to “mobilise the public to carry out certain activities”. Such services cover almost all mainstream forms of internet services related to online speech, such as internet forums, blogs, microblogs, chatrooms, messaging groups, official accounts, short videos and live broadcasting. A service provider can conduct the security assessment on its own or authorise a third party to do so, and the resulting report must be filed with the local cyberspace administration and the police at (or above) the municipal level, who have the power to review the report and require onsite inspection or re-assessment if necessary.
The microblog measures are consistent with the four regulations published in August and September 2017 on online forums and communities, user posts and comments, social network official accounts and internet chat groups (please click here for our articles on those four regulations). The microblog measures and the security assessment regulation are important regulatory developments that complete the legal framework established by last year’s regulations on services related to speech on the internet, which now covers the majority of online speech and the relevant service providers.
2. In October 2018, the Cyberspace Administration of China released draft administrative regulations on blockchain information services, which require all blockchain information service providers in China to register with the administration (via an online registration system) within ten business days of starting to provide services. The draft regulations bring blockchain information service providers within the administration’s scrutiny, with a focus on content management. The draft regulations are designed to ensure that blockchain information service providers maintain good records of their users and the activities on their platforms (including complying with the real-name registration requirement), manage information being transmitted and published using their service, and maintain the security of that information. Interestingly, the draft regulations also require blockchain service providers to report new products, applications and functions to the administration for security assessment.
Unsurprisingly, there has been a significant increase in the number of enforcement cases, where the Cyberspace Administration of China and its local counterparts have frequently required meetings with certain major internet companies and ordered the closure or suspension of some popular mobile apps. Notably, the enforcement actions were targeted at inappropriate or illegal content transmitted on platforms, such as online news, social networking, short-video, online music and e-commerce apps. The casualties include some of the most popular apps and services, including Toutiao (Bytedance), Kuaishou, TikTok and Microblog. With rapid progress on the regulatory framework for online speech, enforcement in this area will remain active for a substantial period of time.
III. Obligations to protect personal information
Reminder of legal obligations
The Cyber Security Law requires network operators to adhere to the principles of legality, legitimacy and necessity in dealing with personal information. The law also imposes a series of data protection obligations on network operators, including, among others, obligations to inform data subjects and obtain consent, take remedial measures in a data breach, and enable data subjects to exercise certain rights over their personal information. Breach of the law could give rise to administrative as well as criminal penalties.
1. The Personal Information Security Standards, which came into effect on 1 May 2018, set out detailed requirements designed to implement the data protection obligations under the law, and should serve as a good practice guide for data protection compliance in China.
They are the first set of national standards published on personal information protection in China. Despite their lack of mandatory effect, the standards could serve as an important reference for the authorities and courts in assessing whether a data controller has discharged its data protection obligations under the law. Additionally, the comprehensive scope and detailed measures set out in the standards render them a useful good practice guide for compliance. Companies are advised to take measures to implement the standards to ensure compliance with the law. We have prepared a detailed analysis on the standards (please click here).
The standards establish a security impact assessment regime in respect of personal information, under which a data controller should test the legality of its data processing activities, assess the risks to data subjects and evaluate the effectiveness of its data protection measures. Draft standards on personal information security impact assessments were released for comments in June 2018, and are expected to be finalised in the coming months.
There has not been any report on the legislative progress of the regulations and guidelines on exporting personal information and important data abroad since the drafts were released in 2017. To our knowledge, the drafts are still being discussed and revised.
2. Industrial regulatory bodies have also taken action to strengthen data protection. The newly merged banking and insurance regulatory body, the China Banking and Insurance Regulatory Commission, published its Guidance on Data Governance of Banking Financial Institutions in May 2018. The guidance requires banking financial institutions to establish a data governance framework to ensure safe, efficient and effective processing of data.
The healthcare regulator, the National Health Commission, also issued administrative measures on the standards, security and service of health and medical big data in July 2018, which require all health authorities, health institutions and other relevant entities to take action to comply with the legal requirements and indicate that standards on health big data will be drafted. Notably, these measures impose a data localisation requirement: all health and medical big data must be stored on safe and trustworthy servers within China, and the export of such data will only be permitted on an as-needed basis after satisfying a security assessment.
3. In the legislative schedule released by the Standing Committee of the National People’s Congress in September 2018, the Personal Information Protection Law and the Data Security Law appear as class I legislative items, which means that the Standing Committee considers it is in a position to submit bills on these laws for the formal reading process within its five-year term. If enacted, the two laws will become the first national laws on data protection in China. Notably, the two laws were absent from the legislative schedule published by the previous Standing Committee, which shows that data protection has quickly moved up the legislative agenda of the government in the past few years.
4. In November 2018, the cyber police arm of the Ministry of Public Security published draft guidance on the protection of personal information on the internet to guide internet companies on establishing their personal information protection systems and measures. Although the guidance will not be mandatory, it is expressly intended to be used by the cyber police as a reference when they supervise, scrutinise and enforce personal information protection.
The guidance has been drafted on the basis of, and incorporates a significant portion of, the personal information security standards discussed in paragraph 1 above as well as the 2008 standards on the multi-level protection scheme (which are set to be replaced by new standards currently being amended). Notably, the incorporation of the standards on multi-level protection scheme means that compliance with that scheme will form part of the requirements for data protection.
Whilst the guidance applies to all “personal information holders”, a term defined to encompass data controllers as well as data processors, the personal information security standards mainly apply to data controllers. As such, the guidance could apply to companies that are not data controllers and are therefore not subject to the standards. There is no discussion in the guidance of any possible conflict between the guidance and other data protection regulations, in particular the personal information security standards.
We have seen a dramatic increase in the number of criminal cases that have been reported in relation to infringement of personal information. Most of these cases concern the illegal collection and sale of personal information, involving private companies and individuals as well as civil servants and government employees. The police have been more active in pursuing data protection cases than previously.
With the personal information security standards coming into force and the security impact assessment regime soon to be established, we estimate that more enforcement actions will ensue. Further, the release of the draft guidance by the Ministry of Public Security shows that the police are stepping up their regulatory as well as enforcement efforts in data protection. The guidance will provide the cyber police with a detailed and practical reference when assessing compliance by internet companies (and potentially other companies) with data protection obligations.
IV. Obligations of supply chain security
Reminder of legal obligations
The Cyber Security Law requires that network products and services meet compulsory national standards. In addition, key network equipment and network security products must be tested or certified by accredited institutions for compliance with such compulsory national standards. The Cyberspace Administration of China and other relevant ministries are charged with publishing the list of key network equipment and network security products.
In 2017, the administration issued regulations which require network products and services concerning national security to pass through a security review regime (click here for our analysis on the regime). Authorities also issued the first catalogue of key network equipment and network security products. Manufacturers may choose to have their product listed in the catalogue certified or tested by accredited institutions, which will submit the testing or certification results to the relevant authorities.
In March 2018, the relevant authorities published a list of 16 institutions qualified for certifying or testing key network equipment and network security products. In May and June of 2018, the Certification and Accreditation Administration published the rules for implementing security certification. These rules also provide that manufacturers can apply to convert an existing certification into the new one under the regime, if the products have been certified by the accredited institutions before the implementing rules came into force and are still within their validity term.
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2020