On July 6, 2015, China’s National People’s Congress (NPC) released a draft of the Network Security Law (“Draft Law,” referred to in some press articles as the draft Cybersecurity Law) for public comment. Comments can be submitted through the NPC website or by mail before August 5, 2015. The release of the Draft Law follows closely on the heels of the new National Security Law that was enacted last week (see Covington blog post here).
This Draft Law, initially reviewed by the NPC in June, would apply broadly to entities or individuals that construct, operate, maintain, and use networks within the territory of China, as well as those who are responsible for supervising and managing network security. A number of the provisions in this Draft Law, if enacted in their current form, are likely to significantly impact information and communications technology (“ICT”) and other companies with business operations or interests in China.
The provisions that most merit the close attention of companies are those that relate to (1) the "secure" operation of networks and "critical information infrastructure," and (2) data protection. This post focuses on the latter.
The Draft Network Security Law on Data Privacy
The Draft Law imposes a series of obligations on network operators. Network operators are defined to include operators of basic telecommunications networks, internet information service providers, and key information system operators. Consistent with other existing laws and regulations, the Draft Law reiterates the following obligations of network operators:
- protecting personal information, privacy, and trade secrets of users;
- notifying and obtaining the consent of users when collecting and using personal information;
- refraining from leaking, tampering with, stealing, or reselling personal information;
- setting up systems to handle complaints, reports, and requests to amend erroneous personal information;
- policing the network to prevent the dissemination of false or unlawful information; and
- maintaining records of relevant activities.
Violations can result in penalties including warnings, rectification orders, fines or confiscation of illegal gains, suspension of the business, or revocation of the business license. Like many Chinese laws, the Draft Law contains general, open-ended penalty provisions stipulating that any violation of this law that causes damage to others should result in civil liability, and any violation of this law that constitutes a crime should result in criminal liability.
The obligations listed above are already set out in other laws and regulations in the field, such as the Decision on Strengthening Information Protection on Networks, the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, and the Consumer Protection Law (see Covington blog posts on these regulations here, here, and here). The Draft Law consolidates these obligations, but leaves many questions unanswered. For example, the Draft Law provides that “network products and services” that collect user information must notify users of such functions and obtain consent for collection. It does not, however, provide further clarity on what types of notifications and consents would be deemed sufficient. Also, the Draft Law does not mention how long a network operator must keep records of activities and how it can determine whether the information it has been provided is authentic.
Although the majority of rules reiterate the provisions of existing laws and regulations, there are several new privacy-related rules in the Draft Law:
- Notification of data breach must be sent to users.
The Draft Law expressly requires network operators, in addition to reporting to the relevant government authority, to notify users when there is an actual or possible data breach. Existing law explicitly requires network operators only to report data breaches to government authorities and take remedial action, though some governmental authorities do, in practice, require network operators to inform users through a government notice. The new requirements of the Draft Law will require network operators to spend more resources and pay more attention than was previously the case in handling data breaches and the public relations crises and civil claims that may consequently arise.
- Certain data must be stored in China, with international transfers subject to security assessments.
Although existing laws and regulations already require certain types of personal information (such as personal health information and personal credit reference information) to be kept in China, the Draft Law significantly expands the scope of personal information subject to such a data localization requirement. Specifically, personal data collected by operators of "critical information infrastructure" must be stored within Chinese territory. The Draft Law defines "critical information infrastructure" to include the following types of systems:
- basic networks for public communications and radio and television transmission services;
- critical information systems for:
- key industries such as energy, transportation, water conservancy, and finance;
- public service sectors such as power, water and gas utilities, health care, social security, etc.;
- military networks and government networks; and
- networks and systems with a “very large” number of users.
If the operators of such systems must transfer personal information offshore for operational reasons, a “security assessment” is to be conducted by national network administration authorities. It is unclear whether the personal data of foreign citizens collected in China would be covered by this obligation, and whether this provision would apply only prospectively to future collection of personal information, or if data already collected would also be affected. The procedures for the “security assessment” are unclear. Pursuant to the Draft Law, an implementing rule for “security assessment” is to be separately promulgated in the future.
These new rules reflect a recent trend of tightening rules regarding cross-border data transfers. It will be more burdensome for multinational companies operating critical information infrastructure in China to transfer personal data internationally, whether intra-group or to third parties (such as data processing contractors).
- Broader definition of personal information.
For the first time, this Draft Law identifies “personal biometric information” as a separate type of personal information. It does not, however, define “personal biometric information.” Currently, “personal biometric information” is generally understood to include fingerprint and gene information, which have already been explicitly listed as personal information in several Chinese laws and regulations.
In China, high-level laws such as the Draft Law are drafted using broad language, with implementing rules subsequently issued by regulating government agencies filling the gaps. To the extent possible, companies with an interest in these issues should carefully monitor the development and promulgation of such implementing rules and ensure that their interests are taken into consideration by regulating agencies.