On 10 October 2016, we sent an alert about the second draft of China's new Cyber security law. On 7 November 2016, the draft became law. It will come into effect on 1 June 2017.
The Cyber security law is China's first comprehensive regime on cyber security and it will impact all companies operating in China. The new law is substantially consistent with the drafts; an in-depth review of the second draft can be found here.
However, there are two changes since the second draft that merit attention.
Changes to the definition of "Key Infrastructures":
In the first draft of the law, "Key Infrastructures" included references to some specific sectors such as energy, public communication, social security and finance. However, these references were deleted in the second draft so that "Key Infrastructures" was defined as those "industries that relate to national security, national economy, citizen's wellbeing, and public interests".
The new law merges and expands the two versions of the definition so now "Key Infrastructures" includes reference to "public communication, information service, energy, transportation, finance, public service, electronic government affairs" and "industries that relate to national security, national economy, citizen's wellbeing, and public interests". This new definition still has the problem of the second draft that industries relating to "citizen's wellbeing" and "public interests" can be construed very broadly.
In addition, the new law also includes a wide list of sectors under the "Key Infrastructures" definition. It is worth emphasising that if a company is defined as a "Key Infrastructure" it will be subject to scrutinisation if it wants to transfer any personal and/or "important" data generated in China internationally (which could affect data transfers between a China subsidiary and its other group companies outside of China). In the second draft, the language used was "important business data" but this was amended to "important data" in the final version of the law. Neither phrases are defined but the phrase "important data" is very likely to be construed more broadly.
Enhanced penalties to operators infringing personal data obligations
Amongst other things, the new law has increased the maximum fine imposed on network operators illegally gathering, selling and using personal data. The second draft stipulated that penalties for violating network operators' obligations with regard to personal information of such data include:
- A fine ranging between one and ten times the profits resulting from the illegal use of personal information;
- A fine up to CNY 500,000 (approximately £58,000) if no profits were gained; and
- The possible suspension or revocation of a company's business licence.
In the new law, if no profits were gained by the infringing network operators, the maximum fine which can be imposed is CNY 1,000,000 (approximately £115,000) - twice the amount imposed in the second draft.
What steps should businesses in China now take?
Even though the law will be effective from 1 June 2017, there are still uncertainties around the provisions relating to the international transfer of information within "Key Infrastructures". Although the transfer of such information for commercial purposes will be scrutinised at the discretion of competent authorities, the precise measures and criteria on how this will be conducted are yet to be determined. Further guidelines are expected to be published by relevant authorities before the effective date.
Before the Cyber security law becomes effective, companies which might be affected by this law ought to consider possible internal measures they can implement, particularly if there is a risk they are categorised as "Key Infrastructures". Once categorised as "Key Infrastructures", there will be significant impacts on companies' internal plans for data storage, transmission and network security in China. Protection of data will be the key in the future and it will be very important that companies understand the parameters they must work within and that they have the correct safeguards in place.