Close on the heels of a sweeping new National Security Law, the Standing Committee of the National People’s Congress released last month for public comment a very significant draft Network Security Law (“Draft Law”), also referred to as the draft Cybersecurity Law.

Since it came into power in 2012, China’s current leadership has attached an unprecedented level of attention to network security, which it sees as a core aspect of national security. Marking the establishment of a new Central Leading Group for Cyberspace Affairs in 2014 that he himself would lead, President Xi Jinping declared that “network security and informatization are key strategic issues related to national security and development,” and that “national security no longer exists without network security.” President Xi went on, in those remarks, to call for the development of a legal infrastructure for the administration of cyberspace, with particular emphasis on the protection of “critical information infrastructure” (see further discussion below). The resolution of the Fourth Plenum of the Central Committee of the Chinese Communist Party in October 2014 echoed this theme.

The focus on network security appears to stem from the explosive development and extensive usage of network and information technologies, made more pressing by Edward Snowden’s disclosures in 2013 regarding activities of the US National Security Agency (NSA). Since the Snowden leaks, it has been repeatedly reported that the Chinese government is working actively to wean government networks and financial systems off of IT products and services from foreign companies. The Draft Law is the government’s latest effort to consolidate existing security-related requirements and grant government agencies more security-related powers. On its face, the Draft Law does not discriminate against foreign products and services. However, designed to “safeguard cyberspace sovereignty and national security,” it could be implemented to become an additional hurdle for foreign companies seeking to access China’s vast market if and when it comes into effect.

The draft Network Security Law is a major, high-level step in implementing the government’s priorities in cyberspace and on information networks more broadly. The Draft Law is engineered to govern most activities that take place over “computer networks,” defined broadly in Article 65(1) to encompass essentially any “network or system, composed of computers or other terminals together with relevant devices, that serves to collect, store, transmit, exchange, or process information following predefined rules and procedures.” Compared to the much more general terms in the National Security Law, the seven chapters and 68 articles of the Draft Law provide more details on, among other things, security requirements for network-related products and services; data privacy; and monitoring and emergency response systems. The Draft Law attempts to (1) sort out and develop, in a more systematic way, existing but scattered legal requirements (e.g., obligations of network users to provide real identities and obligations of network operators to protect personal information of users), and (2) implement new, high-priority mandates such as provisions on the protection of critical information infrastructure.

Foreign investors should pay particular attention to the following proposals in the draft Network Security Law:

  • Procurement-Related Security Reviews for Network Products and Services. The Draft Law proposes that network products and services that operators of “critical information infrastructure” procure must pass a security review if they “may affect national security.” “Critical information infrastructure” is a new term that is defined broadly by the draft to include networks and systems in sensitive areas such as public communications, radio and television, energy, transportation, water, finance, utilities, healthcare, social security, military, and government administration. Furthermore, the definition also contains a loose catch-all for networks and systems that “have a large number of users.” The draft does not explain what would constitute a “large number,” but one could imagine it being interpreted broadly to cover, for instance, websites run by online service providers. This new security review requirement could have a significant impact on information technology companies that supply products or services to operators of “critical information infrastructure,” such as banks, utility companies, transport companies, and major websites.
  • Data Localization Requirements. Operators of what is deemed to be critical information infrastructure must store “important data” such as users’ personal information collected and generated during operations within PRC territory. If they seek to store or transfer such data overseas for business reasons, their request must pass a new government security assessment. The draft is unclear as to what, beyond personal information, would be considered to be “important data” for these purposes.
  • Government National Security Standards. The Draft Law proposes to formulate and revise national and industry standards on network safety management and on network products, services, and operations; grant government support to key industries and innovation projects related to network security technology; adopt a multi-level protection system on network security; and publish a catalogue on key network equipment and network security products. Given past experience, it is possible, if not likely, that such standards and policies may be formulated in a way that favors homegrown technologies, products, and services, particularly given the emphasis on national security.
  • Data Privacy Requirements. The Draft Law also consolidates a number of rules on data privacy and protection that are currently scattered across a range of laws and regulations, and adds some new ones — e.g., an expanded definition of personal information and notification requirements for data breaches. A discussion of the data privacy implications of the draft can be found on Covington’s privacy blog, Inside Privacy, here.

Companies, industry associations, and governments — both foreign and domestic — are advised to pay close attention to the development of this draft law as it may have important implications for the business environment in China. Those with more significant interests in the country may seek to further engage with Chinese policymakers to ensure that their interests are taken into consideration.

To learn more about the contents of the draft Network Security Law, read our e-alert on the topic here.

Material for this post was supplied by Shirleen Hong of Covington & Burling LLP.

Ashwin Kaja

With over a decade of experience in China, Ashwin Kaja helps multinational companies, governments, and other clients understand and navigate the complex legal and policy landscape in the country. He plays a leading role in Covington’s China international trade and public policy practices and, outside of Covington, serves as the General Counsel of the American Chamber of Commerce in China.

Ashwin helps clients solve acute problems that arise in the course of doing business in China and position themselves for longer-term success in the country’s rapidly evolving legal and policy environment. He is an expert on Chinese industrial policy and has worked on matters related to a wide range of sectors including technology, financial services, life sciences, and the social sector. Ashwin has also counseled a range of clients on data privacy and cybersecurity-related matters.

As the General Counsel of the American Chamber of Commerce in China (AmCham China), Ashwin serves as a senior officer of the organization and as an ex officio member of its Board of Governors, supporting nearly one thousand member companies in developing their businesses in China and advocating for their needs with China’s central and local governments.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Yan was named in Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Yan is a Certified Information Privacy Professional (CIPP/Asia) by the International Association of Privacy Professionals and an active member of the American Bar Association’s Section of Antitrust Law.