{"id":2271,"date":"2016-05-20T13:46:14","date_gmt":"2016-05-20T10:46:14","guid":{"rendered":"http:\/\/greece-china.gr\/?p=2271"},"modified":"2016-05-20T13:46:14","modified_gmt":"2016-05-20T10:46:14","slug":"chinas-legislature-gears-up-to-pass-a-sweepingly-vague-cybersecurity-law","status":"publish","type":"post","link":"https:\/\/greece-china.gr\/en\/archives\/2271","title":{"rendered":"China\u2019s Legislature Gears Up to Pass a Sweepingly Vague Cybersecurity Law"},"content":{"rendered":"

Drew Foerster<\/p>\n

About the Authors:<\/p>\n

Drew Foerster<\/a>\u00a0is an attorney in Seattle, Washington, with a practice focused on information technology, intellectual property, and business law. In his free time, he enjoys spending time with his family and friends, and also providing pro bono legal services to non-profits with a focus on governance based upon the principles of sociocracy.<\/p>\n

\"image001\"While businesses in the United States may feel they suffer from a multitude of sometimes contradictory laws, regulations, and standards governing their information governance and security practices, in the People\u2019s Republic of China businesses face a different problem with few laws and regulations that are both vague and grant law enforcement and judicial authorities a large degree of discretion when interpreting them. In response to a lack of unified information governance and security standards, in July 2015, the Legislative Affairs Commission of the Standing Committee of the National People\u2019s Congress (NPC) in China publicly released a draft cybersecurity law (also translated as the \u201cNetwork Security Law\u201d) that, if passed into legislation, will along with the implementing regulations provide more sources of guidance but also of ambiguity. At this point, no one knows when the Standing Committee\u2019s next move on this law will come; however, the fact that the NPC\u2019s Standing Committee has released a draft version strongly suggests that the NPC will not let the law languish like a draft personal information protection law that has not seen any action since representatives from various Chinese ministries submitted it to the State Council in 2009.<\/p>\n

The State Council oversees Chinese ministries and departments, and the NPC oversees the State Council. The Standing Committee of the NPC for all intents and purposes wields the authority of the whole NPC; rarely, if ever, have representatives to the NPC attempted to deviate from the Standing Committee\u2019s actions and recommendations. The NPC as the national legislative body of China ultimately of course carries out the task of officially promulgating laws. The draft cybersecurity law identifies one administrative body in particular, the Cyber Administration of China (CAC), as the main agency responsible for implementing most of its provisions. The text of the draft law, though, refers to the CAC as the \u201cNational Network Information Department,\u201d which could also be translated as the \u201cState Cyber Information Department.\u201d<\/p>\n

Why Businesses Should Care<\/strong><\/p>\n

Businesses operating in China should care a great deal about this draft cybersecurity law because it contains several provisions that could greatly impact their information security practices and liabilities. To give one initial example, businesses could face the confiscation of between one and ten times their \u201cillegal gains\u201d that result from misusing or failing to protect personal information. Another provision in the law, article 10, gives any individual or organization the \u201cright\u201d to report practices that \u201cthreaten\u201d information security to various Chinese authorities to include the ministry of industry and information technology or the ministry of public security. There are no indications yet whether businesses in China can contract away this right, or require initial reporting internally within the company, with a well-drafted nondisclosure agreement or some other contract. These are two examples of the many provisions in this draft law that businesses operating in China will need to shape their operations around in order to minimize their legal liability risks.<\/p>\n

Not only does anyone have the right to report insecure information governance practices to authorities, but any individual who has suffered undefined \u201cdamage\u201d resulting from \u201cnetwork operators\u201d violating any of the draft cybersecurity law provisions has the right to bring a civil suit against those network operators. The draft law, however, does not provide any guidance concerning what sorts of damage may give rise to such civil claims. In addition, the draft law\u2019s definition of network operators is so vague and generalized as to potentially apply to all businesses operating in China since nearly all businesses administer computer networks at least for internal use.<\/p>\n

Mandatory Reporting Requirements and Providing Assistance to Chinese Law Enforcement<\/strong><\/p>\n

While anyone generally has the right to report insecure information governance practices to the government, according to the draft cyberspace law network operators have the duty to report security defects, loopholes, or other network security risks to both users and to the government, and to remediate those problems. When network operators discover data breaches, or data destruction or loss, then they must immediately notify users and authorities, and immediately remediate the issue. The law, however, does not define \u201cimmediately\u201d with any specific deadlines, nor does it provide any guidance to help network operators discern when their knowledge about an actual or potential data breach has crossed into territory creating the duty for them to carry out the above measures.<\/p>\n

Article 23 of the draft cybersecurity law also requires network operators to provide assistance and support to Chinese law enforcement authorities for the purposes of national security and criminal investigations. The draft law does not further elaborate what specific duties this provision may impose on network operators, though such information may come in the implementing regulations.<\/p>\n

Enforcement<\/em><\/p>\n

Article 59 of the draft cybersecurity law actually imposes fines on network operators who fail to cooperate with law enforcement, or who fail to report \u201cnetwork security risks or network security incidents to relevant competent authorities.\u201d These fines range up to 500,000 RMB (around $77,100) for network operators, and up to 100,000 RMB (around $15,400) for individuals responsible for failures to report or cooperate. Notably, though, article 59 does\u00a0not<\/em>\u00a0specify that violation of this duty could result in businesses losing any permits or licenses as other articles in the legal liability chapter of the draft cybersecurity law do.<\/p>\n

At least within the terms of the draft cybersecurity law, refusing to provide assistance to Chinese authorities may result only in relatively modest financial fines. In any case, though, Chinese law enforcement can leverage other laws and regulations to impose harsher penalties for failing to cooperate with them. For example, article 84 of China\u2019s new December 2015 antiterrorism law allows 5 to 15 days of imprisonment for, under undefined \u201cgrave circumstances,\u201d failing to provide network security sufficient to prevent the dissemination of materials containing terrorist content.<\/p>\n

General Network Operator Cybersecurity Mandates<\/strong><\/p>\n

In December 2005, the ministry of public security promulgated a set of regulations titled \u201cProvisions on Technical Measures for Internet Security Protection\u201d that imposed a number of duties on Internet service providers, Internet information service providers, Internet data service center providers, and \u201corganizations that use networks.\u201d It defines this last category as \u201corganizations that need to connect with and use the Internet for their applications.\u201d That definition would seem to encompass all modern businesses operating in China. It does not define Internet information services providers, but the plain meaning of this term would seem to encompass the vast majority of business enterprises in a modern economy.<\/p>\n

These Internet security protection regulations reference the enforcement mechanisms in an earlier set of ministry of public security regulations, the December 1997 \u201cAdministrative Measures for Protection of the Security of International Internetworking of Computer Information Networks.\u201d These regulations impose very modest fines on the individuals responsible for the violation of a specific set of information security practices listed in the 1997 and the 2005 ministry of public security regulations. However, if \u201cthe circumstances are serious,\u201d with \u201cserious\u201d left undefined, then law enforcement may shut of network connections, shut down devices, and even recommend that other administrative units revoke business licenses.<\/p>\n

The following presents some of the more important duties imposed by these two ministry of public security regulations:<\/p>\n