The controversial new Cybersecurity Law, which came into force in China on 1 June 2017, brings significant change and some uncertainty for companies, but such change is to be expected in a rapidly evolving environment of new technologies and big data, says digital forensics and eDiscovery specialist KrolLDiscovery.
“Mirroring what is happening all around the world, the Chinese government is becoming more involved with data protection and strengthening enforcement,” says Han Lai, the China Country Manager for KrolLDiscovery in Shanghai.
“Up until now, its rules have not been clearly defined or regularly enforced, but this new law is looking to change that, and companies need to be fully up to speed with its requirements, especially network operators managing data.”
The law's most stringent provisions apply to "Critical Information Infrastructure Operators" (CIIOs), operators whose networks and data are regarded as critical to China's national security. Industries predominantly targeted by this new definition include financial services, transportation, healthcare, utilities and telecommunications.
The most significant, and controversial, change is that personal information about Chinese citizens and "important data" collected or generated in China must now be stored on servers within China. Where a company claims that transferring such data abroad is "truly necessary" for its business, it must pass a security assessment before the data can leave the country.
“This will affect the majority of foreign companies that operate in China, in particular those which use their global infrastructure and IT resources to operate their business in China, as the original data collected, including business data and customer data within China, will typically be stored directly in the data centres or servers physically located overseas,” said Lai. “For example, many global companies are still using email servers located outside China for their China operations. Companies need to start thinking and planning ahead to restructure their infrastructure to be in line with the new law.”
In addition, the new law reinforces the requirement for network operators to obtain consent from the individuals concerned before collecting or disclosing personal information, to state the purpose of any collection or disclosure, and to take measures to ensure the security of the personal information they hold.
“This tightening is commensurate with other developed markets, but will take a while to get used to in China where data on individuals is collected on a mass scale for sales and marketing purposes without proper consent, and probably without awareness of what the risks might be,” remarked Lai.
Network operators must also pass a "network security examination," which includes specific requirements they must follow when purchasing new network products and systems.
Because the law is as yet untested, it is not clear what the consequences of noncompliance will be, but they are expected to be more severe than in the past and more rigorously enforced. Cancellation of a business licence was one penalty available under the previous regulations.
“The new regulations require CIIOs to establish violation reporting mechanisms, suggesting that the government is taking the new law very seriously,” noted Lai.
Lai added, “Companies need to ensure that an appropriate framework is established for collecting and using data, demonstrating that any data collected has a proper purpose and that its use can be explained in detail. Companies should also ensure appropriate security and protection measures are in place to safeguard the data, as well as incident response procedures for responding to and reporting any breach.”