This blog post was co-authored by Anna Mae Koo (Vivien Chan IP Services) and Erika Yawger (Apple Inc.).
On June 1, 2017, the recently passed Cyber Security Law (the “Law”) will come into effect in China. The Law applies broadly to all entities with Chinese operations and in many ways simply codifies existing government restrictions on Internet usage. In general, the new Law reinforces the Chinese government’s determination to maintain Internet safety and national security, while protecting the domestic public’s interests through censorship and regulation. Several key portions of the new Law are summarized below.
Article 2 stipulates that the “construction, operation, maintenance and use of the network within China” shall be governed by the Law, essentially covering all networks used in China. Article 75 further establishes that, in addition to injunctive measures, the assets of foreign entities or individuals engaging in activities that endanger critical information infrastructure may be frozen. While it remains uncertain how this will be enforced against foreign entities, network operators are subject to additional obligations, as described below.
Article 21 requires network operators to implement a “graded network security protection system,” to adopt technical measures to monitor and record the status of network operations and security incidents, and to preserve the resulting network logs for at least six months. Network operators are also required to verify users’ real identities when signing service agreements or providing services (Article 24).
“Critical Information Infrastructure” Operators
Sectors that are considered “critical information infrastructure” have heightened monitoring requirements and are subject to other enhanced regulations under the Law. Article 31 lists the types of sectors that may be considered “critical information infrastructure,” including public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government. The sectors enumerated are not exhaustive, and the Law leaves open the possibility that any infrastructure whose destruction, loss of function, or data leakage might endanger national security, the national welfare, the people’s livelihood, or the public interest could be subject to these heightened regulations.
The Law states that “critical information infrastructure” operators must store personal information and important data collected or generated within China inside China (Article 37), and that transfer of such data overseas is allowed only after a security assessment by the authorities. Such operators will also be subject to additional monitoring and security checks.
There are new provisions that limit the type and amount of personal information that can be collected, used, and transferred (Articles 41–43). In addition, the identity of any person who reports a contravention to the authorities is to be kept confidential (Article 14), and information obtained by the authorities in the course of their cybersecurity duties may be used only for the purpose of protecting cybersecurity (Article 30).
The Law imposes heavy fines and other penalties for noncompliance. Companies can face fines of up to approximately US $150,000 (RMB 1,000,000) for violations of the Law, and the authorities have broad power to revoke business licenses and shut down websites for serious violations (for example, illegal storage of data abroad by critical information infrastructure operators, assisting or engaging in activities that endanger cybersecurity, or failing to require users’ real identity information).
The Cyber Security Law introduces serious penalties and sanctions affecting all entities that use or control a network in China. We are still awaiting clarification on the implementation and enforcement of these sanctions; however, an audit of one’s own network use in China (in particular, where data is stored, whether users’ identities are verified, and how long logs are retained) is recommended to avoid a potential contravention of the Law.