The Effects of China’s New Cybersecurity Law on Multinational Companies

By Mingmei Zhu 

China’s Cybersecurity Law became effective on June 1, 2017. It subjects multinational companies to liability or penalty if they endanger China’s network security and personal information. Multinational companies have to comply with certain requirements under the Law, though the Law is unclear in some aspects and should be interpreted in more detail.

Introduction

China’s Cybersecurity Law[1] (“the Law”) came into effect on June 1, 2017.[2] It provides sweeping and vague provisions regarding network security and personal information protection.[3] The Cyberspace Administration of China (“CAC”) released Measures on the Security Review of Network Products and Services (Trial)[4] and Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data[5] to provide guidance on the application of the Law. Both were also effective on June 1, 2017.[6]

The Law is very broad in scope, as it applies to the construction, operation, maintenance and use of networks within the territory of China.[7] The Law can also impose a penalty on overseas institutions or organizations if they engage in activity that endangers China’s crucial information infrastructure.[8] Therefore, multinational companies, especially those conducting business in China, will likely be subject to the Law.[9]

New Obligations and Potential Risks

Application of the Law

The Law is applicable to “network operators” and “critical information infrastructure operators.”[10]

Network operators are defined as network owners, managers, and network service providers.[11] A network operator that is not registered in China would be regarded as conducting “domestic operations,” and thus is subject to the Law, if it conducts business or provides products or services within China’s territory.[12] Network operators have to comply with certain requirements, including protecting their networks’ security, formulating an appropriate emergency response, maintaining the truthfulness and confidentiality of users’ personal information, monitoring information to comply with any law or regulation, establishing a complaints and reporting system, and assisting and providing technical support for preserving network security.[13]

“Critical information infrastructure operators” include “any business operating in the communications, finance, water, power, or traffic sectors, as well as any other businesses using infrastructure that could harm China’s security, economy, or citizens if it were to fail.”[14] Therefore, a multinational company would be targeted by the Law if it is a key supplier to a “critical” sector, or possesses a substantial amount of Chinese citizens’ information.[15] “Critical information infrastructure operators” must comply with stricter obligations than network operators, including data localization, hardware and software review, consent requirements to collect personal information, third-party data transfers, cross-border transfers, and a multi-level protection scheme.[16] Multinational companies are more likely to be exposed to the Law under this category. Among these obligations, the data localization rule would be the most troublesome for multinational companies.

Transmitting Personal Information and Important Data Overseas

The data localization rule requires personal information and important data collected or generated in China to be stored domestically.[17] This information and data is further subject to a security assessment before it is transferred overseas.[18] For instance, if a U.S.-based multinational company intends to share and transfer its Chinese customers’ information, such as names and addresses, with its headquarters in the United States, it has to comply with the security assessment requirement. This significantly affects the free transfer of data and information, resulting in an efficiency problem. Furthermore, if the Law were to be narrowly interpreted, multinational companies would have to use a separate data system in China to store information regarding all Chinese customers and dealings on a Chinese server.[19] To comply with the data localization rule, multinational companies will have to utilize a separate data server in China, which would be exposed to government spot-checks, or employ a local data server, such as Alibaba or Huawei.[20] This would definitely increase the cost and burden on multinational companies.

Extraterritorial Effects on Multinational Companies

Any overseas institution, organization, or individual will be investigated under the Law if it engages in any activity that jeopardizes China’s key information infrastructure through “invasions, interference, or destruction.”[21] The government may freeze its assets, or impose punitive damages or criminal liability on it, depending on the circumstances.[22] Therefore, the Law could be enforced extraterritorially on multinational companies.[23] Nevertheless, as the concrete content and means of sanctions are not specified in the Law, the extent of enforcement on multinational companies is unclear.[24]

Suggestions for Dealing With Risks

There is a general concern that the Law will become a barrier to business for multinational companies, but this is denied by China’s regulator.[25] China’s regulator declares the Law “does not restrict foreign companies or their technology or products from entering the Chinese market, nor does it limit the orderly, free flow of data.”[26] In addition, although the Law may raise concern among multinational companies, the personal data privacy provisions are in conformity with worldwide customary practice, i.e., they accord with Europe’s General Data Protection Regulation.[27]

Precautionary and anticipatory measures should be taken in complying with the Law. Multinational companies should first identify their exposure under the Law, to see whether or not they qualify as “network operators” or “critical information infrastructure operators.” If the company qualifies as either one, it should conduct an internal risk assessment regarding its current compliance with the Law, and should ensure that its operations comply with the Law.[28] Companies should also determine the necessary data collection, storage and transfer protocols for conducting ordinary business to avoid potential risk and liability.[29] Companies should also start filtering the personal information and important data in China to determine whether it will be subject to the Law. Companies might consult and seek international regulatory support from the General Data Protection Regulation framework adopted in the EU, and the proposed federal regulations of financial institutions in the U.S.[30]

Conclusion

Multinational companies have no easy way forward. As outlined above, companies must do their best to interpret the law, and comply with any guidance that is provided.

 

 

 


[1] Official Chinese Version: http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm.

[2] Overview of China’s Cybersecurity Law (February 2017), https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf; See Also Sara Xia, China’s New Cybersecurity Law: The 101, Basics Of China Business Law, China Business, Internet (June 24, 2017), https://www.chinalawblog.com/2017/06/chinas-new-cybersecurity-law-the-101.html.

[3] Id.

[4] China Releases Final Regulation on Cybersecurity Review of Network Products and Services (May 3, 2017), https://www.cov.com/-/media/files/corporate/publications/2017/05/china_releases_final_regulation_on_cybersecurity_review_of_network_products_and_services.pdf; Official Chinese Version: http://www.cac.gov.cn/2017-05/02/c_1120904567.htm.

[5] China’s New Cybersecurity Law and Draft Data Localization Measures Expected to Burden Multinational Companies (May 2017), http://www.jonesday.com/chinas-new-cybersecurity-law-and-draft-data-localization-measures-expected-to-burden-multinational-companies-05-08-2017/; Official Chinese Version: http://www.cac.gov.cn/2017-04/11/c_1120785691.htm.

[6] China Releases Final Regulation on Cybersecurity Review of Network Products and Services (May 3, 2017), https://www.cov.com/-/media/files/corporate/publications/2017/05/china_releases_final_regulation_on_cybersecurity_review_of_network_products_and_services.pdf; See Also China’s New Cybersecurity Law and Draft Data Localization Measures Expected to Burden Multinational Companies (May 2017), http://www.jonesday.com/chinas-new-cybersecurity-law-and-draft-data-localization-measures-expected-to-burden-multinational-companies-05-08-2017/.

[7] Ben Chai, Cloud Li, Cyber Security Law and multinational corporations (May 10, 2017), http://www.sohu.com/a/139539784_778173.

[8] Id.

[9] Id.

[10] China’s 2016 Cybersecurity Law Will Change the Way Multinational Companies Do Business in China, https://www.quinnemanuel.com/the-firm/news-events/article-january-2017-chinas-2016-cybersecurity-law-will-change-the-way-multinational-companies-do-business-in-china/.

[11] Clayton Utz, Comply or be prepared to pay: China’s new Cybersecurity Law (December 7, 2017), https://www.lexology.com/library/detail.aspx?g=48aa5f50-08c9-482a-8c49-0025e2fdcb0a.

[12] China Releases Four Draft Guidelines in Relation to Cybersecurity Law (September 5, 2017), https://www.huntonprivacyblog.com/2017/09/05/china-releases-four-draft-guidelines-relation-cybersecurity-law/.

[13] China Releases Four Draft Guidelines in Relation to Cybersecurity Law (September 5, 2017), https://www.huntonprivacyblog.com/2017/09/05/china-releases-four-draft-guidelines-relation-cybersecurity-law/.

[14] Id.

[15] Carly Ramsey, Ben Wootliff, China’s Cyber Security Law: The Impossibility Of Compliance? (May 29, 2017), https://www.forbes.com/sites/riskmap/2017/05/29/chinas-cyber-security-law-the-impossibility-of-compliance/#2f69876471c8.

[16] Adam Golodner, Claire Reade, Charles A. Blanchard, Ronald D. Lee, Yingxi Fu-Tomlinson, Anton A. Ware, Zhe Yu, E. Christopher Beeler, China’s New Cybersecurity Law Imposes Heightened Restrictions on Company Computer Networks (July 20, 2017), https://www.arnoldporter.com/en/perspectives/publications/2017/07/chinas-new-cybersecurity-law-imposes.

[17] China’s 2016 Cybersecurity Law Will Change the Way Multinational Companies Do Business in China, https://www.quinnemanuel.com/the-firm/news-events/article-january-2017-chinas-2016-cybersecurity-law-will-change-the-way-multinational-companies-do-business-in-china/; See Also Overview of China’s Cybersecurity Law (February 2017), https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf.

[18] Id.

[19] China’s 2016 Cybersecurity Law Will Change the Way Multinational Companies Do Business in China, https://www.quinnemanuel.com/the-firm/news-events/article-january-2017-chinas-2016-cybersecurity-law-will-change-the-way-multinational-companies-do-business-in-china/.

[20] China’s Cybersecurity Law: What You Need to Know, Jack Wagner (June 1, 2017), https://thediplomat.com/2017/06/chinas-cybersecurity-law-what-you-need-to-know/.

Alibaba Group Holding Limited (Chinese: 阿里巴巴集团控股有限公司) is a Chinese multinational e-commerce, retail, Internet, AI and technology conglomerate that provides consumer-to-consumer, business-to-consumer and business-to-business sales services via web portals, as well as electronic payment services, shopping search engines and data-centric cloud computing services. Alibaba Cloud is the largest high-end cloud computing company and has the largest domain registration service and web hosting service company in China. https://en.wikipedia.org/wiki/Alibaba_Group.

Huawei is a Chinese multinational networking and telecommunications equipment and services company. It provides network infrastructure, fixed and wireless communication, data center, and cloud computing solutions for global telecommunications customers. https://en.wikipedia.org/wiki/Huawei.

[21] Ben Chai, Cloud Li, Cyber Security Law and multinational corporations (May 10, 2017), http://www.sohu.com/a/139539784_778173.

[22] Ben Chai, Cloud Li, Cyber Security Law and multinational corporations (May 10, 2017), http://www.sohu.com/a/139539784_778173; See Also Adam Golodner, Claire Reade, Charles A. Blanchard, Ronald D. Lee, Yingxi Fu-Tomlinson, Anton A. Ware, Zhe Yu, E. Christopher Beeler, China’s New Cybersecurity Law Imposes Heightened Restrictions on Company Computer Networks (July 20, 2017), https://www.arnoldporter.com/en/perspectives/publications/2017/07/chinas-new-cybersecurity-law-imposes.

[23] Ben Chai, Cloud Li, Cyber Security Law and multinational corporations (May 10, 2017), http://www.sohu.com/a/139539784_778173.

[24] Id.

[25] China Internet regulator says cyber security law not a trade barrier (May 31, 2017), http://www.chinadaily.com.cn/business/2017-05/31/content_29563471.htm.

[26] Id.

[27] Yuan Yang, China’s cyber security law rattles multinationals (May 30, 2017), https://www.ft.com/content/b302269c-44ff-11e7-8519-9f94ee97d996.

[28] China’s 2016 Cybersecurity Law Will Change the Way Multinational Companies Do Business in China, https://www.quinnemanuel.com/the-firm/news-events/article-january-2017-chinas-2016-cybersecurity-law-will-change-the-way-multinational-companies-do-business-in-china/.

[29] Jeff C. Dodd, Jerry Li, Dora Luo and Ross Campbell, People’s Republic of China Cybersecurity Law: A Preliminary Overview for Western Companies (July 18, 2017), https://www.andrewskurth.com/insights-1530.html.

[30] Id.