And Talking of Orwell – How About The PRC’s New Cybersecurity “Law”

The National Law Review (USA) has published the article “People’s Republic of China Cybersecurity Law: A Preliminary Overview for Western Companies”.

Here’s the introduction to the piece.
Tuesday, July 18, 2017

On June 1, 2017, China debuted its first comprehensive cybersecurity law (the “PRC Cybersecurity Law”).1 This Law effectively consolidates and expands many of China’s existing laws and regulations that touch on cyber activities, with a stated goal of safeguarding Chinese “cyberspace sovereignty.” Notably, the PRC Cybersecurity Law may also reach the informational and security practices of many multinational corporations, to unexpected result. For example, multinationals that currently avoid storing data in China may now have to seriously consider paying for cloud-sharing and other services within the country in order to avoid the stiff penalties for noncompliance.

Notably, a recent report by the consulting firm Consilio found that among 118 legal technology professionals surveyed, only 25% claimed familiarity with the PRC Cybersecurity Law. It is therefore critical for multinational companies to begin to understand their potential liability under this framework and its immediate practical effect. This article provides a brief overview of the PRC Cybersecurity Law and highlights some of the key requirements that foreign companies doing business in China should be considering.

Brief Overview

The PRC Cybersecurity Law is one of a series of laws and regulations published in an effort to establish and protect China’s sovereignty over cyberspace. It aims to protect the rights and interests of citizens, safeguard national security, and promote economic development through heightened network security.

To achieve network security, the Law requires computer network owners, managers, and service providers (“Network Operators”) to adopt certain data security measures, such as computer virus prevention and security incident recording. Any company that operates a network related to services needed for public communication, utilities, and finance, as well as any infrastructure that would endanger national security if compromised (“Critical Information Infrastructure Operators” or “CII Operators”) must adhere to an additional set of stringent requirements, such as setting up specialized security management bodies and conducting disaster recovery backups. Additionally, companies providing network products and services in China must comply with relevant national security maintenance requirements.

Companies that fail to comply with the PRC Cybersecurity Law can be subject to fines up to RMB 1,000,000 ($146,923 USD), suspension of operations, or cancellation of business licenses.

The Law, as it was approved in November 2016, “left many of the details regarding rules and implementation to regulators like the Cyber Administration of China,” tasked with the formulation and timely revision of relevant national and industry standards for network security.2