On November 7, 2016, the Standing Committee of the National People’s Congress of China enacted the final Cybersecurity Law, following the third reading of the draft on October 31, 2016. The first draft had been published for public comment in July 2015, and a second draft followed in July 2016. The final Cybersecurity Law takes effect on June 1, 2017.
Under the Cybersecurity Law, the term “key information infrastructure” refers broadly to information infrastructure in certain industry sectors whose malfunction, damage or data leakage would seriously jeopardize national security and the public interest. The sectors named include public communication and information services, energy, transportation, water conservancy, finance, public services and e-government. The State Council will define the specific scope of “key information infrastructure” and the mandatory security protection measures that its operators must apply.
Operators of key information infrastructure are subject to a data localization requirement: personal information and important data that they collect or generate in the course of their operations in China must be stored within the territory of China. Such data may still be transferred overseas where this is genuinely necessary for business reasons, but only after undergoing and passing a security assessment. In addition, when operators of key information infrastructure procure network products or services that may affect national security, those products or services must pass a national security review. Operators of key information infrastructure are also required to undergo a network security assessment at least once a year.
With respect to the collection and use of personal information, the Cybersecurity Law reiterates the requirements of notice and consent and the principles of legality, legitimacy and necessity. Network operators are prohibited from providing a data subject’s personal information to third parties without the data subject’s consent, except where the personal information has been processed such that it can no longer identify a particular individual and cannot be restored to an identifiable form.
In addition, a data subject who discovers that a network operator is collecting or using his or her personal information in violation of the law or of an agreement between the parties may request that the operator delete that information. A data subject may also request that a network operator correct any personal information that is inaccurate.
The Cybersecurity Law also requires network operators to provide technical support and assistance to public security and state security organs conducting criminal investigations. Network operators must adopt technical measures to monitor and record the operating status of their networks and security incidents, and must retain the related network logs for at least six months. Overseas institutions, organizations or individuals that attack, intrude into, interfere with or damage “key information infrastructure” in China will be subject to legal liability, and the public security authorities in China may impose sanctions against them, including freezing their assets.
The Cybersecurity Law further contains provisions on the punishment of cyber crimes, including cyber fraud, and on the online protection of minors.