China’s controversial Cybersecurity Law has come into force effective June 1, 2017, bringing uncertainty to companies. The law requires enterprises to store data in servers within China, not offshore, and to get consent before collecting and sharing personal data.
“Companies need to be fully up to speed with [the law’s] requirements, especially network operators managing data,” says Han Lai, the China Country Manager for digital forensics and eDiscovery specialist KrolLDiscovery in Shanghai. “Up until now, its rules have not been clearly defined or regularly enforced, but this new law is looking to change that.”
Most of the law’s provisions apply to entities newly defined as “Key Information Infrastructure Operators” or KIIOs – companies that possess data considered critical to China’s security. They typically belong to industries such as financial services, transportation, healthcare, utilities and telecommunications.
These KIIOs must ensure that the “personal information” and “important data” of Chinese citizens are stored on servers within China. A company can ask to be exempted, but must undergo a security assessment.
“This will affect the majority of foreign companies that operate in China, in particular those which use their global infrastructure and IT resources to operate their business in China, as the original data collected, including business data and customer data within China, will typically be stored directly in the data centres or servers physically located overseas,” says Lai.
“For example, many global companies are still using email servers located outside China for their China operations. Companies need to start thinking and planning ahead to restructure their infrastructure to be in line with the new law.”
International law firm DLA Piper notes that Chinese authorities have made clear that unauthorized collection, disclosure and receipt of “citizens’ personal information” now constitutes a criminal offense under the PRC Criminal Law.
The range of sanctions will take into account the degree of harm, amount of illegal gains and repeat offenses, among other things, and include fines of up to five times the amount of any illegal gains.
According to DLA Piper, companies in China should know that:
If your organization provides “important network products and services” to KIIOs or other networks and information systems that relate to national security, you will also be subject to a new supervisory assessment regime. It has been suggested that products and services that fail these assessments will be blacklisted from future procurement by KIIOs.
If your organization uses or provides encrypted products and encryption-related services in China, a proposed new encryption law may impose additional obligations. While use of encryption would now be mandatory for some networks and data, it appears encryption will remain a heavily regulated area in China and the requirement for licenses for encryption technologies will remain.
A likely source of concern to some international businesses operating in China is the requirement for decryption support, says DLA Piper. For national security reasons or for criminal investigations, certain government bodies would be legally entitled to require telecommunication operators and internet service providers to provide “decryption technology support”.
In practice, if passed, this requirement will increase the compliance obligations on those providing and using encryption technologies in China.