China has always been the victim which suffers most serious hacker attacks around the world. Merely in 2013, more than 20 thousand Chinese websites were attacked by hackers, and at least 8 million domestic servers were controlled by oversea Bonnets and Trojans. Personal data protection legislation also faced plenty of doubts in the past few years, especially as the personal information of Chinese citizens was largely used for telecommunication and internet frauds.

Chinese people were hugely concerned about the domestic cyberspace after Edward Snowden made a wake-up call to break the illusion that they live in a safe and private digital world, and, in turn, their personal data and even national security are facing serious potential threats from all over the world. After long-term appeals and debates among different parties, China has eventually given the green light to the controversial Cybersecurity Law on 7 November, 2016, which will come into effect on 1 June, 2017. The Cybersecurity Law has been widely applauded by people inside China, while it encounters strong opposition from foreign companies and countries as their operations in China may be hindered by the new regulations.

The new law raises strong fears for foreign companies, with 46 of them from America, Asia, Europe, Oceania, and other regions jointly penning a letter in June to Li Keqiang, the Premier of the State Council, arguing that the Cybersecurity Law increased trade barriers for cross-border businesses and impeded the business development of multinational companies in China. Under the Cybersecurity Law, companies involved in critical information infrastructure such as public service, transportation and water conservancy, are required to store data locally as well as apply only technology which is considered “secure” by the Government. Under the security review system, foreign companies are forced to disclose their security code and other relevant information to the Government in order to prove that their technology is sufficiently “secure” to be applied in China. This requirement has raised concerns with the foreign companies that they would have to disclose their business secrets and intellectual properties. They also worry that the range of information infrastructure is very likely to be widened in the future due to lack of clear definition in the Cybersecurity Law. Actually, not only the foreign companies are effected, all market players including domestic companies will face huge challenges brought by the Cybersecurity Law. The Cybersecurity Law is even considered as a step backward for innovations in China by James Zimmerman (Chairman of the American Chamber of Commerce in China) as he believes the Cybersecurity Law could not achieve the goals that China sets to secure its cyberspace and information system.

At the same time, the Cybersecurity Law enjoys warm welcome from people in China as it has made a huge progress on personal data protection, which was a hard nut to crack previously in Chinese legislation because China doesn’t currently have a comprehensive and consolidated data protection law. Under the Cybersecurity Law, internet service providers are required to maintain the confidentiality of personal information which they obtain from internet users and are prohibited to collect private data which is not related to their service, or to reveal, tamper or impair the personal information they collect. In addition, any individual or organization is prohibited from stealing or illegally obtaining, or illegally selling or offering others any personal data. Internet service providers are also imposed strict responsibility to provide “support and assistance” with law enforcement in respect of internet management and crime investigation. Apart from imposing higher safety standards on internet service providers, the law also sets up a government supervision and management system. On the basis that the real-name system for telecom users was established according to the Anti-Terrorism Law, the Cybersecurity Law increases the standard, by requiring the application of real-name system on information published and real-time communication service. Under the Cybersecurity Law, timely warning and information notification system are also established to safeguard national security and public order, which entitles the authorized departments to take provisional measures such as communication constraints in specific areas during unexpected social security incidents with the permission of the State Council.

Arguably, nailing everything down too early is not wise as it is China’s first attempt to safeguard its cyberspace by legislation, and the Cybersecurity Law actually provides only general and broad principles. The Office of the Central Leading Group for Cyberspace Affairs is currently drafting the enforcement rules for collecting personal information. However, as with all things in China, what will be critical will be how to implement and interpret the law. For China, there are still countless difficulties to be solved in the way of protecting its digital area. Three critical problems with China in the next step of safeguarding its cyberspace are:

1. how to balance the demand of cyberspace management against the cost of business development;
2. how to define the unclear words in the Cybersecurity Law and make suitable security standards in accordance with the international practice for the law enforcement; and
3. how to seriously implement the relevant policies.

We will therefore need to keep a careful eye on the progress of the Cybersecurity Law and we will keep you informed.

Authors :  Ella Cheong, Senior Partner ([email protected])

                Alan Chiu, Managing Partner ([email protected])

                Nicole Huo, Paralegal ([email protected])

Date :      3 February 2017