China's Cyber Security Law: how prepared are you?
China is developing a unique cyber security and data protection regime that will fundamentally change the corporate information technology landscape. China’s cyber regime is primarily driven by national security and social stability concerns, rather than personal data protection. Multinational companies, however, are used to regulatory regimes that focus primarily on protecting personal data and networks. While these are key goals of the Chinese authorities, Beijing is also equally concerned with the content transmitted on those networks.
China’s Cyber Security Law (CSL), which came into effect on 1 June 2017, is the apex of a host of regulations aimed at creating a separate and heavily controlled sovereign Chinese cyberspace. Businesses are a key target of this regime. The government is concerned that firms hold a vast amount of the nation's data resources, and exerting government control over this data is a key priority. This goal seems at odds with China’s push for a world-leading high-tech economy, but China’s leadership sees potential for information technology – particularly the information that flows through technology – to undermine its authority over the country’s political and economic development.
China is also unique in the challenges it faces domestically. A low level of cyber security maturity and rampant online fraud in China has affected a very large number of Chinese government organisations, businesses and individuals, leading to widespread anger from Chinese citizens. The CSL is a much-needed attempt to bring attacks and fraud under control by developing a regulatory framework for organisations and companies to adhere to.
Compliance as a journey, not a destination
For companies operating in China, compliance should be as much a fluid process as a defined function. The CSL has an extremely wide scope of potential targets and obligations, and it is often vague on details, including definitions, requirements and regulators’ roles and responsibilities (although these are becoming clearer as the rules develop). This means that it is impossible to be certain of full compliance with the law; rather, companies will need to focus just as much on how regulators enforce the CSL.
Regulatory organisations responsible for implementation and enforcement are at both the highest levels of the Chinese government (the Cyberspace Administration of China) and the most local levels (local internet police). The patchwork of multiple industry regulators and third-party review organisations will result in inconsistent interpretation, conflicting signals and unpredictable enforcement.
Moreover, the relevant regulations are not limited to the CSL itself. There are complementary standards governing privacy, cross-border data transfers and even industrial control systems, further complicating enforcement and compliance.
Key challenges for multinationals
This environment is a challenge for international organisations. The letter and spirit of regulations focus on domestic firms, making it difficult for international operations to fit into local requirements. Chief among those concerns is the requirement for data localisation by critical information infrastructure (CII) operators. CII or not, concerns are already growing that cross-border data transfer restrictions may result in de facto localisation requirements.
This alignment problem between an international company’s global policies and operational standards and China’s regulatory requirements is likely to grow as the CSL is fully implemented. Most international firms provide technology services on a global, shared services basis. Similarly, global compliance and governance programmes may not have the China resources to support vague, but high risk, local regulatory compliance requirements.
Added to these problems is the more mundane, but no less concerning, problem of intellectual property protection. The CSL provides the government with the legal authority to inspect and investigate an organisation for regulatory and enforcement purposes. This may entail mandating third-party inspections and technical remediation. While regulations specifically mandate the security and integrity of data gathered in an inspection or investigation, firms should be conscious that once the information has been removed, they have no control over who has access to it.
Where is China going?
Over the next one or two years, China will continue to exert control over information and technology via the CSL and associated regulations. Data localisation, particularly for “important” data, will be required for all companies operating in China. Regulators will also mandate the use of technology that meets their requirements to be “secure and controllable” (such as encryption).
Enforcement actions will largely continue to focus on systems and information held by Chinese government agencies and state-owned and private enterprises. However, foreign multinationals should expect more scrutiny, particularly if an incident such as a data breach should occur or there is a violation of online content regulations. Regulators will hold both individuals and firms accountable when investigating these incidents.
Control Risks is seeing cases emerging where foreign companies are being held responsible for the data that they get from partners (such as research firms) or other data providers (such as marketing firms). Foreign multinationals should do a complete audit of data inflows as well as outflows: they should know where they are getting their data as well as where it is going, once they have it. Again, if investigated, companies will be held responsible for all the data they have on their systems, even if the company did not produce the data themselves.
Chinese regulators have said that for China, “data is more valuable than oil”. The CSL effectively politicises the data that companies have and use, making it fair game for an investigation by Chinese authorities and severe penalties should they discover an issue. The CSL is still frustratingly vague – some would even say deliberately so – so absolute compliance should not be the goal; rather, companies should be directionally compliant while very closely monitoring how the CSL is enforced in China broadly and, more specifically, in their sector.