Recent key developments in cybersecurity include the publication of the following draft and final laws and regulations for public review and comment:
- April 2017 - draft Cryptography Law of the People’s Republic of China (Cryptography Law);
- April/May 2017 - draft Measures for the Security Assessment of Outbound Transfer of Personal Information and Important Data (Data Transfer Measures);
- May/August 2017 - draft Information Security Technology Guidelines for Cross-Border Data Transfer Security Assessment (Data Transfer Guidelines);
- July 2017 - draft Regulations on the Security Protection of Critical Information Infrastructure (CII Regulations);
- January/May 2018 - Personal Information Security Specification (GB/T 352730-2017) (PI Specification); and
- June 2018 - draft Regulations on the Classified Network Security Protection (Graded Network Classification Regulations).
Cryptography Law
On 13 April 2017, the Office of the State Commercial Cryptography Administration (OSCCA) published the draft Cryptography Law for review and comment. Significant highlights of the draft law include:
- The Cryptography Law categorises cryptography into ‘core cryptography’, ‘ordinary cryptography’ and ‘commercial cryptography’. Core cryptography or ordinary cryptography may be used to protect state secrets, and commercial cryptography may only be used to protect information that does not fall within state secrets. Export of core cryptography or ordinary cryptography outside of China is prohibited, and the import or export of commercial cryptography is subject to government approval. The Cryptography Law empowers the Ministry of Commerce, OSCCA and the PRC General Administration of Customs to jointly formulate and publish the Import/Export Catalogue of Commercial Cryptography for Administration.
- CII must employ cryptography to protect its systems in accordance with applicable laws, regulations and national mandatory standards relating to cryptography, and cryptographic protection systems must be planned, built and operated simultaneously with the other systems of the CII.
- If required for national security or for criminal investigations, the MPS, the Ministry of State Security and the relevant People’s Procuratorates may require telecommunications operators and internet service providers to provide technical support for decryption.
Data Transfer Measures
On 11 April 2017, the CAC released the draft Data Transfer Measures for review and comment; they were revised and republished on 19 May 2017. The draft measures are principally concerned with establishing a system for assessing the security of cross-border data transfers, built on a two-tier assessment framework comprising network operator self-assessments and, where required, governmental assessments. A network operator self-assessment would include a pre-transmission assessment and periodic assessments conducted annually. The Data Transfer Measures are especially significant because, for the first time, a specific framework has been put forward to guide the conduct of mandated security assessments, and that framework would extend to every ‘network operator’ and, by reference, to any other person or entity involved in providing regulated data to an overseas destination.
Data Transfer Guidelines
Following the publication of the draft Data Transfer Measures, on 27 May 2017 the NISSTC released the draft Data Transfer Guidelines for review and comment; they were revised and republished on 30 August 2017. Compared with the Data Transfer Measures, these draft guidelines offer more detailed guidance on implementing a security assessment programme. The network operator initiates the self-assessment by formulating a data export plan, which must set out the purpose, scope, type and scale of the data export, the IT system involved, the transit country and the destination, and the security control measures to be taken. The security assessment is intended to demonstrate that the proposed outbound transfer is lawful and justified, and that the risks are controllable. The degree of risk is assessed by taking into account both the characteristics of the data (eg, the volume, scope, type, sensitivity and technical measures) and the likelihood of security breach incidents, which requires an evaluation of the technical safeguards and management capabilities of both the data exporter and the recipient, as well as the legal and political environment of the destination country.
CII Regulations
On 10 July 2017, the CAC published the draft CII Regulations for review and comment. Significant highlights of the draft regulations include expanding the conceptual scope of CII to encompass additional industrial sectors, specifying the responsibilities of a CII operator’s ‘responsible person’, and establishing prerequisite qualification requirements for key technical personnel.
PI Specification
On 25 January 2018, the SAC published the PI Specification, effective from 1 May 2018. Significant highlights of the specification include expanded definitions of PI (including the establishment of the subcategory of ‘sensitive PI’) and of ‘PI controller’; heightened requirements with respect to the collection, preservation, usage, disposition and other PI-processing activities; enumeration of PI subject rights; and identification of expanded obligations for PI controllers.
Graded Network Classification Regulations
On 27 June 2018, the MPS published the draft Graded Network Classification Regulations for public comment. Significant highlights of the draft regulations include:
- establishment of a revised graded network classification system;
- a requirement for all networks to establish comprehensive cybersecurity protection systems;
- networks of Grade II or above must pass a network expert review, with the results provided to the industry regulator for approval; in addition, any network of Grade II or above must be satisfactorily tested prior to use; and
- networks of Grade III or above must satisfy additional specified measures, including provision of an annual report to the MPS and limitation of their maintenance work to the PRC.