Page 402 - 2019 White Paper on the Business Environment in China

urgent, but are of definite long-term importance. These norms will serve as legal reference when new issues arise. The “cybersecurity” in the Cybersecurity Law should be understood in the broad sense, which means it includes not only internet security, but also information security, communication security, computer security, automation, and control system security. Significantly, the businesses affected by the Cybersecurity Law are not limited to those in the information technology (IT) industry. According to Dezan Shira & Associates’ China Briefing, businesses will be able to seek much more detailed compliance guidance following the gradual formulation and adoption of supportive regulations (Zhao and Xia). China’s cyberspace governance is still evolving more than a year after it took place.

In policy areas including data localization, “critical information infrastructure” (CII) protection, and security reviews for “critical network equipment and specialized cybersecurity products,” the Cybersecurity Law (CSL) remains a work in progress. Personal information protection policies stand out as further along than others, but there is still more to do. The events surrounding the Chinese telecommunications equipment supplier ZTE and the escalating trade and investment confrontation with the US have convinced Chinese officials that cybersecurity and technological development require strong and sustained attention. As regulatory and standards-setting efforts unfold with renewed vigor, several key areas of regulation have reached significant milestones, and others have run into bureaucratic and technical challenges.

The CSL explicitly requires certain types of data to be stored within mainland China, and it sets up conditions for transferring some types of data abroad. There are signs that restrictions may tighten rather than loosen compared with earlier drafts. Once the review regime for outbound data transfers is complete, companies will have a process to follow to move data in an approved way, including through internal assessments or hiring outside reviewers, for “personal information, and important data” produced by operators of “critical information infrastructure”. There remains a requirement to at minimum store a copy of the data in mainland China. The CSL also establishes requirements for a regime to review “critical network equipment and specialized cybersecurity products” for security. Under the CSL, operators of information systems in a broad and only partially defined array of sectors designated as “critical information infrastructure” (CII) may only purchase network products and services that have passed national security reviews. At the time of this writing, the national security review panel has approved six cloud platforms, all of which are operated by Chinese companies. Also, there has been an increasing emphasis on how personal information (PI) is managed. The banking industry became the rare sector to issue its own guidelines for data governance in March 2018. A statement by the China Banking Regulatory Commission linked the need for such measures to the massive amounts of client data now involved in core functions of financial institutions. Yet, implementation and enforcement of new PI rules is likely to be somewhat ad hoc and subject to political jockeying, because there is still much debate around data ownership, privacy, and the development of emerging technologies like AI (Lu et al).

Rules that came into effect in November 2018 would give Chinese authorities the power to peruse a company’s records and remotely access corporate networks that may endanger Chinese national security, public safety, network security risks or social order. Under the rules, any information that is collected during a search is supposed to be strictly confidential. “The information obtained by the public security organs and their staff in fulfilling their duties of internet security supervision and inspection can only be used to maintain the needs of network security and must not be used for other purposes,” the regulations state.

But that language probably won’t be enough to convince outside companies that Chinese police agencies will be safeguarding their proprietary information. Edward McNicholas and Yuet Ming Tham, both partners at Sidney Austin who focus on privacy and data security, wrote that China’s new regulations will apply to any company that can be defined as a “network operator.” The term, they said, casts a wide net and includes “owners and administrators of an information network and network service providers.” They added that China’s rules differ from the EU’s General Data Protection Regulation primarily because China’s rules are built on the “distinct notion of cybersovereignty. The concept refers to the power of the Chinese state to control the data inside of its country and crossing its borders. “The ‘important data’ covered by the law thus includes not only personally identifiable information, but also trade secrets (often overlapping), and other information that the state considers sensitive, such as information on sensitive cultural and political issues.

China’s law is applicable to almost all businesses that manage their own email or other data networks, and includes “critical sectors” of the Chinese economy,
