Cyber Security in China and Data Protection
With China’s new Cybersecurity Law, effective 1st June 2017, businesses in China face increased internet regulation aimed at protecting Critical Information Infrastructure (CII). Critical Information Infrastructure is broadly defined in Article 31 of the law as “public communication and information services, power, traffic, water, finance, public service, electronic governance and other critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security, national welfare and the people’s livelihood, or the public interest”.
The definitions relevant to the law are found in Article 76:
- “Networks” refers to systems comprised of computers or other information terminals and related equipment that follow certain rules and procedures for information gathering, storage, transmission, exchange and processing.
- “Network security” refers to taking necessary measures to prevent network attacks, incursions, interference, destruction and their unlawful use, as well as unexpected accidents; to put the networks in a state of stable and reliable operation, as well as ensuring the capacity for network data to be complete, confidential and usable.
- “Network operators” refers to network owners, managers and network service providers.
- “Network data” refers to all kinds of electronic data collected, stored, transmitted, processed, and produced through networks.
- “Personal information” refers to all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity, including, but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.
(2016 Cybersecurity Law; Article 76)
Because “Network Operators” is a term broad enough to include any business that operates a website within mainland China, it is important to understand the new law.
Important aspects of the law
- Privacy Protections:
- The law grants many privacy protections to network users in mainland China. Network operators are required to strictly maintain the confidentiality of user information and to establish systems to protect it. When collecting personal information, network operators must explicitly state the purpose, means and scope of the collection and must obtain the consent of the person whose data is collected; no personal information unrelated to the services the network operator provides may lawfully be gathered. In the event that personal information is leaked, corrupted or lost, network operators must immediately take remedial measures, promptly inform users and report to the relevant departments in accordance with regulations. Network operators may not unlawfully sell or provide a user’s personal information to any other party. (Articles 40-44)
- Network Security:
- The new cybersecurity law implements a tiered (multi-level) network security protection system. Network operators are required to follow measures designed to prevent network interference, damage, unauthorized access, data leaks, theft and data falsification, including monitoring and recording network operation and security incidents and retaining network logs for at least six months (Article 21). Providers of network products and services must immediately remedy security flaws and vulnerabilities when they are discovered and must provide security maintenance throughout the period agreed upon with clients (Article 22).
- Network operators are required to draw up emergency response plans for network security incidents and to put them into action promptly when an incident such as a system vulnerability, computer virus, network attack or intrusion occurs (Article 25).
- Critical Information Infrastructure (CII) operators purchasing network products and services that could impact national security must have those purchases undergo a national security review (Article 35).
- CII operators must store personal information and important data gathered or produced during their operations in mainland China within mainland China. If it is truly necessary for business reasons to provide such data outside the mainland, a security assessment must be conducted first (Article 37).
- At least once a year CII operators must inspect and assess their network security and risks and submit a report on the results. CII operators are also subject to spot tests of their readiness, must perform emergency response drills, must share network security information with relevant parties and must provide technical assistance for network security management and recovery (Articles 38 & 39).
- Violating the provisions of Articles 41-43 can result in the confiscation of unlawful gains and a fine of 1-10 times the amount of the unlawful gains. Where there are no unlawful gains, a fine of up to rmb1,000,000 may be imposed, and in serious circumstances responsible personnel may be fined up to rmb500,000 (Article 64).
- Using products or services that have not undergone the required security review can result in a fine of 1-10 times the purchase price, and responsible personnel may be fined up to rmb100,000 (Article 65).
- Storing or providing network data outside mainland China in violation of Article 37 can result in confiscation of unlawful gains, a fine of up to rmb500,000, temporary suspension of operations, revocation of business licences and permits, and individual fines of up to rmb100,000 for responsible personnel (Article 66).
LehmanBrown Cybersecurity Service
Performing an internal audit of your business can help prepare you for the era of cybersecurity regulation by providing the information needed to formulate a cybersecurity strategy tailored to your company and to adapt to the new rules. An internal audit analyses the business processes, goals, management systems and risks within a company, provides unbiased feedback and recommends the steps to be taken to improve.
LehmanBrown can support you in the field of cybersecurity by conducting an internal audit of your company.
SOURCE MATERIAL: http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en