Cybersecurity has remained a priority for the Chinese government in 2016. Following closely on the heels of the enactment of the National Security Law and the Anti-Terrorism Law, the second draft of the Cybersecurity Law was released for public comment on July 5, 2016. Although still in draft form, when it is adopted, the Cybersecurity Law will impose a number of requirements on companies with business operations within the territory of China that have been subject to heated discussions among multinational companies (MNCs). This article provides a review of a significant amendment in the second draft of the Cybersecurity Law that could have a substantial impact on MNCs’ China operations: the expansion of the law to require the storage of a broad array of personal and business information within China.
The Expanded Data Localization Requirement
The first draft of the Cybersecurity Law included a data localization requirement that was relatively limited in scope with respect to both the type of companies that would be subject to the requirement and the type of data that had to be stored within China. Despite these limitations, private industry, including the MNCs, expressed concerns about the lack of clarity regarding the scope of the requirement. Instead of paring back the data localization requirement or clarifying its scope, as hoped for by MNCs, the second draft Cybersecurity Law goes even further than the original proposal, expanding the data localization requirement to an even broader set of companies and data.
The data localization requirement in the second draft requires critical information infrastructure operators (CIIOs), an ambiguously defined term, to store both personal information and “important business information” collected or generated while conducting business in China. If adopted, this data localization requirement may restrict the ability of MNCs to transfer or export data collected and generated as part of their routine business operations outside of China.
It should be noted that, like the first draft law, the second draft provides that if there is a genuine business need to transfer personal information and important business data outside China, companies must go through a “security assessment” conducted by Chinese network information administration authorities. The law delegates responsibility for defining the requirements of the security assessment to the State Council, the country’s highest governmental body.
Expanded Definition of CIIOs
The Cybersecurity Law limits the data localization requirement to CIIOs. The first draft law provided examples of companies that fall within the definition of CIIOs. These examples included companies that provided network infrastructures for: 1) public telecommunications and media broadcasting; 2) key industries, such as energy, transportation, water resources, finance, etc.; 3) public services, such as the supply of electricity, water, gas, health care and social security services; 4) military and government agencies above the municipal level; and 5) network services used by a “very large” number of users.
The second draft completely replaced these examples with a general and ambiguous definition of CIIOs that could be interpreted to apply to an even broader scope of companies. The second draft defined CIIOs to include any company that maintains systems that, if destroyed, disabled, or attacked “might seriously endanger national security, national welfare and the people’s livelihood, or the public interest.” However, the second draft law provides no detail regarding what constitutes “national security, national welfare, and the people’s livelihood, or the public interest,” and under what circumstances “national security, national welfare, and the people’s livelihood, or the public interest” might be endangered. Other Chinese laws and regulations also provide no clarity on these topics. Instead, the second draft law delegates the responsibility for further defining the scope of CIIOs, i.e., what companies must comply with the data localization requirement, to the State Council.
The lack of clarity regarding the definition of CIIOs puts multinational companies in a difficult state of limbo regarding whether or not they need to comply with the data localization requirement.
Addition of Undefined ‘Important Business Information’
In addition to the lack of clarity regarding what companies will be subject to the data localization requirement, there is additional ambiguity regarding what information is subject to the requirement. The data localization requirement in the first draft Cybersecurity Law applied to “important data collected or generated in [the CIIO’s] operations, such as citizens’ personal information.” Although broad on its face, the data requirement appeared to be focused on “citizens’ personal information.” Many hoped that the second draft law would clearly limit “important data” to personal information. Instead, the new draft adds an additional category of data, “important business information,” to the types of data that must be stored within China. “Important business information” is a broad term that is left undefined and could apply to anything ranging from financial forecast data to trade secrets to strategic plans regarding a company’s China operations. Further, the second draft does not specify whether the definition of “important business information” will be clarified in other laws and regulations.
Increasing the Stakes of Violations
For MNCs that are concerned about the seemingly expanded restrictions imposed by the prospective Cybersecurity Law, another critical change in the new draft is the inclusion of more concrete consequences for violations. The second draft adds a new requirement that administrative decisions for violations of the Cybersecurity Law must be made public and included in the entities’ credit history.
This is the first time that the Chinese government has formally required the publication of penalties on cybersecurity-related issues. In addition, although currently not directly linked to the data localization requirement, the second draft provides that the legal representative or other key individuals associated with a company might be interviewed by Chinese authorities in the case of cybersecurity-related incidents or when a network is exposed to high risks. The second draft remains unclear regarding how such interviews should be conducted and under what circumstances companies can expect to be investigated.
What to Expect Next
The draft Cybersecurity Law must still go through another round of review by the legislative body, which meets every two months, before being formally enacted. Although the legislative body did not review the law during its most recent meeting on Aug. 29, 2016, cybersecurity legislation has remained a top priority for the Chinese government in 2016. Many observers and experts predict that the final version of China’s Cybersecurity Law will be issued soon, and possibly before the end of the year. Whether or not the data localization requirement remains part of the law is a question that all companies, including MNCs, will watch carefully in the coming year.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.