China’s new Cyber Security Law was released on 1 June 2017. The underpinning guidelines are currently open for public comment. The highly contested guideline, titled “Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment”, requires network operators to conduct security assessments prior to transferring specific information outside of China.
The guidelines are meant to protect Personally Identifiable Information (PII) data as well as “important information” for business data – broadly defined as “information which is very closely related to national security, economic development and the societal and public interests”. No cases have yet arisen to clarify what information relevant to economic development is in scope. This is most likely due to operators having a grace period until the end of December 2018.
China already had some laws, rules and regulations relating to information security prior to the enactment of the Cyber Security Law, such as Administrative Measures for Prevention and Treatment of Computer Viruses and Administrative Measures for Hierarchical Protection of Information Security, but none as far-reaching as this one.
The main challenge of this new law is its scope – i.e. “network operators”. The definition of network operators is so broad that any international organization operating in China will be counted as such. If this new law passes, PII or business data exported will be subject to a security assessment and will require consent from the data subject.
If the volume of data is considered “large” (over 500,000 individuals’ records) or involves particularly sensitive information (PII or “important information”), the regulatory authority needs to be involved in the security assessment.
For PII, the data subjects will also need to be notified and consent obtained prior to its transfer abroad (with some exceptions, such as if the life of the data subject is in danger). The actual security assessment is essentially a blend of a risk assessment and the traditional security/maturity/security controls assessment.
Areas affected by this new law
Here a quick run-down on the areas where “network operators” will have to be careful:
Personal Information Protection
- The Cyber Security Law clearly states requirements for the collection, use and protection of personal information.
- Amidst a growing focus on telecom fraud and personal data leaks, the Cyber Security Law introduces stricter requirements on the protection of personal information owned by organizations.
- Accurately identifying personal data owned by organizations, protecting the data using technology and identifying potential data leak risks will have to be key priorities for enterprises.
Critical information infrastructure
- The Cyber Security Law frequently mentions the protection of “critical information infrastructure”; this has been clarified as “information which is very closely related to national security, economic development and the societal and public interests”.
- “Network operators” are the owners and administrators of networks and network service providers. The Cyber Security Law clarifies operators’ security responsibilities. Building an effective security administration system, finding rational technical solutions and improving data protection capabilities are expected to be key priorities for network operators.
- Implications for security administration: network operators will be required to clarify responsibilities within their organizations, and ensure network security by implementing sound rules and regulations and operational processes.
- Implications for technology: network operators will have to adopt various technologies to prevent, combat and investigate cyber-attacks in order to mitigate network risks.
- Implications for data security: network operators will have to ensure data availability and confidentiality by backing up and encrypting data.
Preservation of Sensitive Information
- The Cyber Security Law requires personal information/important data collected or generated in China to be stored domestically. This is a new requirement in China.
- Potential issues: enterprises that need to transmit data to their headquarters, partners and/or suppliers overseas will need to reassess their approach to data transfers if they qualify as operators of critical information infrastructure.
- Implications for organizations deemed network operators: For personal data/important data that is stored overseas, the most direct and effective way to comply is to transfer and store the data locally in China. For personal data/important data that is stored in China but needs to be transferred overseas, the content and approach of the transfer should be adjusted to meet the new requirements.
Certification of Security Products
- After the law passes, critical cyber equipment and special cyber security products may only be sold or provided after receiving security certifications.
- The design of security review/assessment will have to ensure the security of personal information and support the secure operations of critical information infrastructure described in the Cyber Security Law.
- Providers of network equipment, products or services will have to actively respond to national security reviews to avoid being refused security certifications.
- Enterprises and organizations that violate the Cyber Security Law may be fined up to RMB 1,000,000.
- Network operators, network product or service providers and operators of critical information infrastructure should carefully follow the related provisions of the Cyber Security Law to avoid being penalized.
- Initial indications suggest fines of RMB one million – although we are watching this closely, as the first case to be prosecuted will set the precedent. In the meantime, we are working closely with our colleagues at KPMG China to monitor the situation.
What does this mean for Swiss companies with operations in China?
This poses some interesting challenges for Swiss companies operating in China, or with data flowing to/from China. If this applies to your company, we have spelled out our recommendations in three high-level steps:
Step 1: Perform a data flow analysis – identify what data you have, and where it is stored, processed and transferred. In today’s decentralized and outsourced environments, this can be a lot more complex than it at first seems.
Step 2: Identify the business case for the data transfers – especially in the case of large transfers where the regulatory body needs to be involved. We have seen clients move portions of their storage/processing to the Chinese mainland so that the data is no longer exported from China, simplifying the issue.
Step 3: Be prepared – perform your security assessments regularly. While this is mandatory when transferring in-scope data out of China, it remains good advice even if the data in question is not in scope of the new regulation. The Chinese law is fairly pragmatic: it does not ban transfers outright, but requires a degree of assurance to the regulators as to the transfers’ safety.
Our services & further information:
- KPMG’s expertise in Cyber Security
- Overview of China’s Cyber Security Law
- Survey: Clarity on Cyber Security – Ahead of the next curve