China’s new Cybersecurity Law
China’s new Cybersecurity Law (or “CSL”) was passed on November 7, 2016, and came into force on June 1, 2017 (with a grace period until December 31, 2018 for compliance with some obligations).
Together with the many related regulations, guidelines and national standards already released or being drafted, the Cybersecurity Law is China’s first comprehensive privacy and cybersecurity regulation.
Companies with operations in China must take the implementation of the Cybersecurity Law seriously, since it involves compliance with new rules whose violation carries serious penalties:
- confiscation of illegally earned gains, as well as a fine of up to 10 times the gain obtained illegally;
- fines of between 50,000 and 500,000 RMB;
- the closure of websites and other online systems;
- the revocation of commercial licenses and other permits;
- a custodial sentence between five and fifteen days in case of serious violations.
The Cybersecurity Law addresses two main categories of data managers: Critical Information Infrastructure Operators and Network Operators.
A company can be considered a Critical Information Infrastructure Operator (subject to more stringent requirements) if it:
- belongs to a strategic sector such as radio, television, energy, transport, water conservancy, finance or public services;
- manages an IT platform;
- collects and processes a considerable amount of data;
- uses a data management system whose compromise could cause considerable damage to state security, the national economy or people’s interests.
The definition of Network Operator includes network owners, network administrators and network service providers (a network being a system of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures).
According to Art. 76 of the Cybersecurity Law, personal data is any information, recorded electronically or by other means, that alone or together with other information makes it possible to identify a person, including name and surname, date of birth, identification numbers (for example passport or identity card numbers), personal biometric information, addresses, telephone numbers, etc.
To guarantee network security, under Art. 21 of the Cybersecurity Law Network Operators must:
- establish internal rules and operational procedures for cybersecurity management;
- appoint the personnel responsible for cybersecurity;
- adopt technical measures to prevent computer viruses, attacks and other acts that could endanger cybersecurity;
- take technical measures to monitor and record cybersecurity incidents;
- store network logs for at least six months;
- implement measures such as data categorization and the backup and encryption of important data.
Network Operators that provide network access, domain name registration, information publication or instant messaging services shall require users to provide real identity information when signing service agreements (Art. 25 of the Cybersecurity Law).
Network Operators must also adopt emergency response plans for network security incidents and immediately address system vulnerabilities, computer viruses, network attacks and other IT security risks (Art. 26 of the Cybersecurity Law).
According to the national standard "Personal Information Security Specification GB/T 35273-2017", after data collection companies must implement technical and management measures to adequately protect and store the personal information they process.
Data collection must be strictly limited to what is consistent with the conduct of authorized corporate activities and must have a defined duration. Data retention must have a specific expiration date, kept to the shortest period strictly necessary to achieve the purposes for which the data were collected; at the end of this period the information must be deleted or anonymised.
Art. 41 of the Cybersecurity Law requires Network Operators to obtain consent before collecting personal data.
Network Operators must inform the data subject about the procedures for the collection and use of the data, explicitly state the purposes, means and scope of collection and use and the possible recipients, and obtain the consent of the data subject (client, employee or anyone else the data refers to); the data controller must be able to prove that the data subject gave clear consent at the time the data were collected.
Therefore, in the consent form it is advisable to inform the data subject in detail about the collection and use of their data, to give them the option to grant or deny consent, and to inform them of the procedures for accessing the data management system to check their data at any time (the national standard "Personal Information Security Specification GB/T 35273-2017" provides a template for gathering consent).
The Cybersecurity Law (even in the absence of an explicit regulatory provision) also applies to databases created before its entry into force; therefore, for the data contained in these databases, it is necessary either to obtain consent from the data subjects or to delete the stored personal information (similar to the provisions of the European GDPR).
Art. 42 of the Cybersecurity Law requires Network Operators not to disclose personal data to third parties without the prior consent of the data subject (unless the data have been anonymised, i.e. can no longer be linked to a specific person). In addition, Network Operators must take appropriate measures to ensure the security of the data collected and prevent breaches or damage to the data; if a breach or damage occurs, Network Operators must promptly take corrective measures, inform the affected parties and report the violation to the relevant government departments.
Art. 43 of the Cybersecurity Law gives data subjects who discover a breach in the processing of their data the right to request that Network Operators delete their data (or correct it if it contains errors).
According to Art. 44 of the Cybersecurity Law, no one may acquire personal data, or transfer it to third parties, by illegal methods; those responsible for the control and management of computer security must keep strictly confidential all the personal information and trade secrets they learn of in performing their duties (Art. 45 of the Cybersecurity Law).
Articles 46 and 47 of the Cybersecurity Law provide that Network Operators must monitor the information transferred through the network and prevent anyone from using the network for illegal and criminal activities; if they discover information whose publication or communication is prohibited by laws and regulations, they must promptly block its publication and inform the competent authorities.
Electronic information sent, or software provided, by any individual or organization must not install malicious programs and must not contain information whose publication is prohibited by laws and administrative regulations. Electronic information distribution service providers and software download service providers shall ensure compliance with these security rules and, when they find that users have violated them, shall promptly block the service and inform the competent authorities (Art. 48 of the Cybersecurity Law).
Furthermore, Art. 49 of the Cybersecurity Law requires Network Operators to establish complaint and reporting procedures relating to cybersecurity, publishing the procedure for submitting reports and handling any complaint promptly.
Under Art. 37 of the Cybersecurity Law, personal information and important data collected or generated by Critical Information Infrastructure Operators in China must be stored in China.
This is a burdensome measure for many multinational companies that store personal data outside China, with an IT infrastructure managed at the central office (abroad) or globally distributed on cloud platforms (for example CRM programs, loyalty programs, online booking tools, human resource management systems or, in general, any database containing personal information).
Where it is necessary to transfer data abroad, Critical Information Infrastructure Operators must periodically carry out a security assessment of their networks and the related risks, following the procedures established by the Chinese authorities.
The substantive criteria to be applied during the security assessment procedure are divided into two steps.
First, the transfer of personal data must satisfy the following legitimacy criteria:
- it is not explicitly forbidden by any regulation in force;
- it is legitimate or necessary and related to the activity of the company;
- the data subject has been adequately informed about the transfer, as well as the purposes and methods of use, the recipients and the risks associated with the transfer;
- explicit consent for the transfer was obtained from the data subject.
After evaluating the legitimacy of the transfer, an assessment of the security risk should be performed, checking in particular:
- the characteristics of the transferred data (i.e. type, volume, scope, sensitivity and technical processing state of the data);
- the probability of security incidents and their impact level (assessed against 15 risk factors).