Two years after China released its landmark cybergovernance framework, cybersecurity is beginning to take root in the country’s internet. However, many in China’s tech scene are still scratching their heads.
The Cybersecurity Law, which went into effect on June 1, 2017, is broader than comparable privacy-focused measures such as the EU’s General Data Protection Regulation (GDPR). “Unlike GDPR or privacy laws in other countries, the law is not just about privacy or personal data. The purpose is to govern the whole internet space,” Keith Yuen, Greater China Advisory Cybersecurity Leader at Ernst & Young (EY), told TechNode. His firm produces an annual report surveying cybersecurity professionals around the world.
In the past two years, the law has made real-name identity verification a standard across Chinese internet services, brought Chinese companies closer to the global best practices of network security and data management, established a personal data regime, reformed content moderation policies, and enforced data localization policies that Beijing believes will support national security.
With major regulations set to take effect later this year, many crucial details are still unknown, including which companies are covered by the law. The legislative process is not complete; new rules and standards will continue to come out in the next year or two. The legal schemes set up under the law will have tech firms consulting with regulators about many aspects of their operations, yet lawyers working on China are still puzzling over several key questions.
TechNode read through law blogs and talked to experts, trying to make sense of one of the most important laws to land upon China’s cyberspace. Many refused to be quoted.
In 2017, the landmark legislation established a legal framework, upon which regulations have built standards and specifications. “The law is evolving, and the clarifications keep coming,” Richard Watson, EY’s Asia-Pacific Cybersecurity Risk Advisory Leader, told TechNode.
However, compliance remains tricky as regulators continue to fill in the details—and in the meantime, companies are getting penalized for bad outcomes. Distinct boundaries between the jurisdictions of different agencies remain fuzzy, as does the meaning of a term that is commonly used in various regulations: “social public order.”
Under the law, the State Council can restrict network communications in an area if it’s deemed necessary for “social public order,” but no definition nor examples of the term are given.
Small fines, real penalties
The law also makes network operators responsible for information transmitted through their systems, which can be controlled by other “legal or administrative regulations.” Network operators can be fined up to RMB 500,000 (about $72,000) for the dissemination of content that authorities deem inappropriate.
The highest possible fine that a company can face is RMB 1 million, for breaking rules relating to “critical information infrastructure.”
Other, non-infrastructure-related fines range from RMB 10,000 to RMB 500,000—figures which might sting small and medium-sized enterprises but are unlikely to hurt tech giants. By contrast, the GDPR spells out fines of up to $22.4 million or 4% of annual revenue. But China’s Cybersecurity Law threatens severe punishment through other means.
“If you fail to do something or you violate the law very seriously, they can shut down your business, take away your license, blacklist you, and also maybe stop you from registering another business,” Yuen said.
Since the law went into effect, one of the largest security-related fines targeted utility operator Luoyang Beikong Water Group in central China’s Henan Province. When the company’s remote data monitoring platform was hacked, law enforcement determined that their data had not been sufficiently secure, and subsequently fined the company RMB 80,000 and three managers a total of RMB 35,000.
Thus far, the BAT trio—Baidu, Alibaba, and Tencent—and other big players in China’s internet have seen trouble over content moderation policies. In September 2017, the Cyberspace Administration of China fined Baidu and Tencent for failing to manage pornographic and violent content on their platforms, as well as content that authorities deemed as promoting “ethnic hatred.”
In January 2019, Baidu, Alibaba, and Bytedance’s Toutiao were asked to meet with authorities for failing to respect their users’ right to know what data was collected. Later that month, Sina Weibo was asked to correct its moderation of content that was deemed unsuitable for children and offensive to minorities.
Foreign companies have yet to suffer severe punishments under Chinese cybersecurity law, analysts said.
The business of compliance
The law got executives’ attention by threatening to fine them personally if their companies got in trouble over cybersecurity or content moderation.
“Holding directors accountable for cybersecurity has helped move the issue from being an IT problem to a whole organization problem,” said Watson.
The cybersecurity market has yet to reach maturity, but the law has gone a long way in bringing about better cybersecurity practices, Watson said. “A lot of the homegrown cybersecurity activity in China tends to have a manual flavor to it while in places like the US or Israel the processes are more automated,” Watson said.
The Cybersecurity Law has spurred significant investment to automate cybersecurity practices. Watson expects that “it’s only a matter of time before some of those technologies begin to penetrate China.”
According to EY’s 2018 Global Information Survey, 94% of companies operating in Greater China have incorporated cybersecurity into their management strategy, a figure which is well above the world average. But the report also found that spending on cybersecurity lags behind global peers, suggesting that many of these strategies never get beyond paper.
The EY report also found that Chinese companies prefer to outsource cybersecurity practices. For example, 82% of companies in Greater China outsource risk assessment of vendors, as opposed to 35% worldwide. This is in part explained by the fact that Chinese companies have had to build cybersecurity systems from scratch since past regulations were neither clear nor strictly enforced.
As a result of this need for cybersecurity services, new companies have been popping up around China. Under the law, in order to legally perform cybersecurity tasks, they must be accredited by Chinese authorities.
“Foreign firms have a different focus. They try to see how they can make their existing global cybersecurity program fit with this regulatory environment,” Yan Luo, a Beijing-based lawyer who advises companies on cybersecurity compliance, told TechNode.
On December 1, the first piece of this legislative puzzle goes into effect, but many companies are still unclear on whether it applies to them or exactly how to comply with it. The Multi-Level Protection Scheme (MLPS) divides network operators into five levels of sensitivity based on national security, privacy, and “social public order”— those designated level 3 and above are subject to enhanced security requirements.
Firms must carry out self-assessments regularly to find where they fall on this scale. If they determine that they are at level 3 or above, they must submit their assessment for review to the Ministry of Public Security.
The scope of this requirement is ambiguous, since “network operators” in the law are defined as the owners and administrators of “systems comprised of computers and other information terminals” that gather, process, exchange, and store data, according to a widely used translation of the law by Jeremy Daum, senior fellow at Yale Law School’s Paul Tsai China Center.
This definition could apply to most network information systems, including home WiFi networks or the CCTV at a neighborhood convenience store. The MLPS adds additional controls for internet of things (IoT) devices, cloud computing, industrial control, and mobile network systems, according to an analysis of the law published by Covington & Burling, an international law firm.
It’s not entirely clear how to figure out which level of the scale a network operator falls on, since the levels are outlined using terms such as “serious harm” and “damage” without further specification, according to China Business Review, a journal published by the US-China Business Council. The definitions also hang on the aforementioned “social public order,” a term which remains unexplained throughout the law.
The MLPS creates a legal framework that asks for encryption, backup of data, system monitoring, and network defense for all network operators, which would entail significant costs for small- and medium-sized enterprises. Because “network operators” have not been well defined, the exact scope of the scheme depends upon implementation, but noncompliance could lead to fines of up to RMB 100,000. Other measures that are not yet mandatory, such as data localization for cloud computing operators, could have international companies scrambling to comply.
The Ministry of Public Security has said it plans to release further guidance in the coming months.
A hammer for business deals?
The law has created a tool for Chinese authorities to block tech imports on national security grounds. Companies defined as Critical Information Infrastructure (CII) providers must submit any purchase of foreign hardware or software to review by the Cyberspace Administration of China and 11 other agencies.
The measures have not been finalized yet and are expected to apply to network operators in the telecoms, utilities, energy, e-government, finance, transport, and other industries, according to Covington & Burling.
Released only days after the US ban on Huawei was signed, the regulations for CII were seen by many observers as retaliation. However, “this has been in the books for a long time,” said Luo. The government review requirement for such deals existed in the past, but the review process was a “black box” and the new standards “make sure that operators are more aware of their obligations,” she said.
Experts agreed that the CII provisions can be used as a tool to block deals for reasons that are not clearly cybersecurity-related. Even though the information that CII operators must submit for a review is specified, how the deals are reviewed remains an opaque process, meaning there will be no way of knowing why certain procurements are scrapped. A few weeks later, China also announced plans for an “entity list,” mirroring the US restrictions that threaten Huawei’s access to critical technology.
The CII draft measures highlight the importance of the supply chain, which could affect the availability and operation of critical infrastructure. The draft guidelines call for CII operators to consider geopolitical stability, directing them to build infrastructure that cannot be held hostage by international politics. References to “control” by foreign governments as well as “political, diplomatic, and trade” risks mirror similar laws in the US according to New America, a Washington DC-based think tank. The inclusion of personal data is a novelty in the Chinese context, signaling that regulators are starting to consider personal data security as integral to national security.
However, the definitions of these terms are absent from the draft, leaving much room for interpretation.
Armed with the provision that a review can be triggered if administration officials across several agencies “believe” that a purchase could jeopardize national security—even if the network operator is not classified as a CII—regulators have a lot of leeway when assessing the risks of these deals.
CII operators which do not follow the review process can be fined up to RMB 100,000 and the purchases from foreign entities can be frozen. The highest fines for CII operators will be levied for not following the mandated cybersecurity principles, which can incur damages of up to RMB 1 million.
Cross-border data flows
In 2017, strict rules on the transfer of Chinese data through international borders caused such a stir in the World Trade Organization (WTO) that authorities had to hit the brakes on the rollout.
If implemented, those rules will require all network operators to assess the security of any cross-border transfers they wish to conduct—and, depending on the nature of the data, to get government permission should they wish to transfer them outside China.
The regulation appears to be an attempt to balance business with security concerns. The Chinese government recognizes that data flows are the norm nowadays, but also considers control of data fundamental to national cybersecurity. On paper, its regulations allow for cross-border data transfer, as long as it doesn’t include information that could damage national security.
Network operators wishing to transfer data that is “important” to national security and “social public order” must have the transfer reviewed by the government if:
- The data contains personal information on more than 500,000 people
- The outbound data is larger than 1,000 GB
- It includes information on military and defense, nuclear facilities, public health, chemical biology, large engineering projects, marine environment, and sensitive geographical locations
- It includes cybersecurity details about CIIs
- It belongs to CIIs
- The government administration of the sector deems an assessment to be necessary
In addition, the owners of personal data must be informed of the international transfer of their information.
Even before they come into effect, the regulations on cross-border data transfer have provoked a negative reaction from international organizations. In September 2017, the US submitted a formal complaint to the WTO, claiming that the measures effectively promote Chinese internet companies over foreign competitors.
Under pressure from trading partners, the Chinese government suspended the implementation of the regulations ahead of US President Trump’s visit to China in 2017, responding to the WTO complaint by saying “the controversy and compromise has not yet been resolved, which will continue to test the technological and coordinating capabilities of the legislature.”
A final regulation on cross-border data transfer is pending.
Along with the 2017 rules on cross-border data transfer came guidelines on personal information and privacy. Further measures were drafted in 2018. A set of standards was released for public comment in May 2019.
Personal data has been defined in line with GDPR, strengthening the protection of individual privacy against tech companies. The rights to consent and to know when data is harvested, as well as to control targeted advertising, have been asserted.
One provision that has been scrutinized abroad is the requirement of real-identity authentication for online services. Registering for apps in China now almost always requires a valid mobile phone number, which diminishes people’s ability to stay anonymous to government authorities.
Overall, the law “expands the scope of privacy protection, strengthens the protection of privacy, and stipulates more detailed obligations and responsibilities for relevant subjects, making privacy regulations more clear, and has greatly protected privacy protection in China,” Qi Aimin, a professor at Chongqing University School of Law, told TechNode.
The law has gone a long way in establishing directives for cyberspace, where rules had previously been either absent, unclear, or fragmented. Clarifications will continue to roll out over the next year at least, and as implementation takes place, firms will get a better sense of how to comply.
Nonetheless, every new draft measure includes ambiguous new categories, which apply to new entities and require additional compliance measures. Every list of justifications for review and punishment ends with a provision that leaves an open window for administrators to exercise unforeseen juridical control.
Additional reporting by Chris Udemans and Wei Sheng. With contributions from Rachel Zhang.