On 8 July 2015, the People’s Congress released the first draft of the Cyber-security Law (the “Cyber Law”) for public comment. The Cyber Law is the first regulation in China exclusively devoted to information security and data privacy in cyberspace. The Cyber Law is an important step to bringing China’s privacy regulation and information security regulation in line with the rest of the world even though its particular features have generated concerns and will present implementation challenges for the international community.
Notably, prior to the Cyber Law China did not have one single over-arching legislation that specifically addressed the collection, storage, transmission, and operation of personal information. Rather, individuals had to rely on sector-specific laws to enforce their right to privacy of their data. Some provisions in the Cyber Law appear to replicate provisions in the existing MIIT Regulation governing telecom providers (Article 36, for example) and those in the existing Consumer Rights Law governing sales of goods (Article 35, for example), which generally require the consent of the data subjects before the collection, use, or disclosure of their personal information. The Cyber Law, however, does appear to make progress in other aspects. For example, Article 31, for the first time, addresses the cross-border transfer of citizens’ personal information; Article 37 expressly grants a user the right to access, correct, and delete their personal information; and Article 36 requires a network operator to notify a user and to report to the relevant department of the State Council when a serious privacy breach occurs.
The Cyber Law also provides high level guidance to network providers on security policy, incident planning, and routine operations while imposing penalties such as suspension of business, take down of websites, revocation of licenses, and fines (between RMB 10,000 and 100,000) for violations. The lack of specificities of these guidelines and relatively low penalties available, however, have caused some commentators to question their effectiveness.
Operators of “Critical Information Infrastructures,” defined broadly to cover media, energy, transportation, finance, public services, military and government affairs as well as network service providers, are now subject to heavy reporting and monitoring regulations of the State Council, including the requirements to store Chinese citizens’ personal data within mainland China, and to obtain a “security assessment” prior to any cross-border transfer of such data (Article 31).
Before the Cyber Law, only Chinese banks were required to store users’ data within mainland China. This expansion of the coverage of the rule to other industries has given rise to concerns given the free flow of information cross borders in the normal conduct of business these days. Even though Article 39 vaguely requires that government officials keep confidential all personal information gathered during the fulfilment of their duties, it is worth mentioning that China does not have an independent judicial review mechanism, so concerns will remain about the potential to abuse such powers.
Companies with operations across multiple countries will potentially face new challenges triggered by these new requirements. For example, some business functions such as customer services are typically served across borders which inevitably involve data transfers and perhaps (temporary and/or permanent) storage of some Chinese users’ personal information outside mainland China. After the Cyber Law comes into force such companies will need to re-evaluate their data architecture, and apply for a “security assessment” prior to any cross-border transfer, the standard and content of which is not clearly defined.
Whether the Cyber Law is progress or a sideways step in the protection of data security and privacy largely depends how it is carried out in practice.