20 July 2017
The Cyberspace Administration of China (‘CAC’) published, on 10 July 2017, draft regulations on security requirements pertaining to critical information infrastructure (‘CII’) (‘the Draft Regulations’) for consultation. The Draft Regulations are the latest rules issued by the CAC aimed at implementing the Cybersecurity Law 2016 (‘the CSL’), which entered into force on 1 June 2017. Among other things, the Draft Regulations expand on and clarify a number of definitions and requirements regarding CII introduced by the CSL.
Manuel E. Maisog, Partner at Hunton & Williams LLP, told DataGuidance, “A persistent point of uncertainty in coming to grips with what may be required under the CSL has been that there is a degree of vagueness in the definition of CII. The Draft Regulations appear at first to provide more detail as to just what this constitutes. However, the real determination of the infrastructure that falls within its scope still turns upon whether the destruction, loss of functionality, or leakage of data from the infrastructure would have an impact on matters of macroeconomic or national well-being, such as national security, the national economy and the public interest. The cyberspace administrative authorities are to publish handbooks that will provide guidance about how to identify CII. The various ministries or industry regulators are then to undertake actual identifications of CII within their fields. This postpones final certainty over the application of the term to a future date.”
The Draft Regulations define the scope of CII to include information systems and network facilities operated and managed by government entities and those in the energy, finance, transportation, water conservation, healthcare, telecommunications and defence sectors. The requirements would also extend to large-scale equipment, chemicals, food and pharmaceutical production units and other areas of scientific research.
Gregory Louvel, Partner at Leaf Legal, highlighted, “The localisation of data storage previously seen in the CSL and other various regulatory drafts is confirmed by the Draft Regulations, stating that ‘personal information and important data which are collected and produced in the course of the operation by operators in the People’s Republic of China should be stored in the territory.’ A further localisation precision is worth highlighting: the operation and maintenance of CII should take place in Chinese territory. Cross-border transfers of data are also covered by provisions of the Draft Regulations. Personal information and important data generated or collected by CII and physically stored in China are subject to specific measures should the need of an outbound transfer arise. The nature and the intended utilisation of the data shall be assessed by an authority, whose identity remains to be clarified.”
According to the Draft Regulations, operators of CII are required to formulate internal network safety management systems and operating procedures, including strict identity authentication and rights management. Additionally, CII operators must take technical measures to prevent computer viruses, network attacks, intrusions or other hazards; take technical measures to monitor and record the operation of the network; store a log of any incidents for at least six months; undertake data classification; backup important data; and undergo encryption certification.
Michael Tan and Lynn Zhao, Partner and Associate respectively at Taylor Wessing, added, “As regards what will qualify as CII, the CSL only outlines certain industrial sectors, as well as the main features on an exemplary basis where the CII should be ‘protected with priority.’ The Draft Regulations now extend the exemplary descriptions by additionally scoping-in education, social insurance, and environmental protection industries. More interesting and tricky is that now operators of cloud computing and Big Data are also explicitly mentioned as CII operators under the Draft Regulations.”
Sanctions under the Draft Regulations extend from a warning or fines of between RMB 50,000 (approx. €6,400) and RMB 500,000 (approx. €64,000), to the suspension of business operations, website shutdown, or revocation of business permits.
Louvel concluded, “The CSL already stated the importance of CII; the Draft Regulations confirm and strengthen this importance. The broad scope of industries regulated may now include a multitude of companies previously spared. One key example would be foreign cloud computing providers, now potentially qualified as CII and therefore subject to constraining obligations on data storage and cross-border transfers. Foreign companies operating data-driven businesses in China should operate carefully, closely follow legal trends and take pre-emptive action to avoid being deemed CII and having to rethink their operation models in a hurry.”
The Draft Regulations remain open for public comment until 10 August 2017.
Hernán R. Dutschmann | Privacy Analyst