Cyber Security and Data Protection
An Overview on the New Regulations and Implications for Companies in China
China has the largest online population with about 710 million in 2017 (+10,6% respect to 2015). More remarkable though is the fact that there is another half a billion people in China that have not yet joined the internet community. Access to personal information can present enormous business opportunities in the Big Data era. This has led to an increasing concern for data privacy and data protection among businesses and individuals.
European Union’s General Data Protection Regulation (GDPR)
Non-EU companies are subject to the European Union’s General Data Protection Regulation (GDPR) if they target EU residents by profiling, or providing products or services. The deadline for compliance is May 25, 2018. Under the GDPR, data processors will be obligated to: Obtain unambiguous consent when collecting personal information from EU citizens; allocate individuals the right to delete information or request a copy of all automated data that a company possesses.
The GDPR creates as well new obligations in areas such as data anonymization, compulsory breach notifications and the appointment of Data Protection Officers, requiring organisations handling EU citizens’ data to make major changes to the way they operate (non-compliance would cost 4% of a company’s annual turnover or CNY 2.5 million, whichever is higher). Processing personal data is allowed if a legal basis is in place: contractual obligation; required by law; necessary for the legitimate interest, which outweighs the privacy rights of individuals; consent.
China Cyber Security Law
For companies wondering how the new Cyber security Law will affect their China business, the law does not provide a clear sense of its own practical application. It is full of subjective terms such as important data, and the two most important terms, Network Operator and Critical Information Infrastructure (CII), lack of a clear definition.
The most stringent security obligations are reserved for CII operators. The law states that CII includes sensitive sectors such as public telecommunications and information services, energy, transportation, irrigation, finance, public services, e-government, but it also includes any other area that may “harm national security, the economy and the public interest”. Furthermore, the law also encourages network operators outside of CII to voluntarily participate.
The law includes five main aspects: data localisation (important data must be stored in China unless transfer has been authorized); personal information protection (network operators will be limited in collecting data); compulsory security certification requirements; Cooperation with public security bodies (provide technological support and assistance to public security and national security bodies); National security review (network operators will be subject to a multi-level protection scheme where they are grade).
Challenges for companies
Lacking a clear roadmap, foreign companies can start preparing themselves by paying close attention to their cyber security practices and upgrading where appropriate. Companies seeking to build and maintain an effective and compliant data privacy programme may consider the following best practices: review data transfer agreements and data privacy programmes to ensure compliance; monitor third-party service providers if it is in outsourcing; provide data privacy training to internal teams and key stakeholders to improve data awareness; formulate procedures for handling possible data breaches.
The Cyberspace Administration of China (CAC) is going to provide more details on how it plans to evaluate whether foreign countries, organisations or individuals are willing and capable of safeguarding Chinese citizens’ personal information. The CAC is expected to issue an implementing regulation in the next months to offer more guidance on the scope of CII.
The initial reception of these regulations proved negative, especially from multinational corporations, which typically rely on cross-border flows of business data. Furthermore, the new Chinese law will require domestic and international, software companies, network-equipment manufacturers and other technology suppliers to disclose their proprietary source code to prove that their products cannot be compromised by hackers. China appears to have adopted a shelter mentality, concerned more with domestic protectionism than actively reassuring cyber defences and rooting out cyber criminals, a position that lends itself poorly to cross-border cooperative security operations and efforts.
Luca Masoero