China Cyber Security Law: Update On Enforcement.
Legal News & Analysis - Asia Pacific - China - Cybersecurity - Insurance & Reinsuranceity
19 January, 2018
China's Cyber Security Law (CSL) came into force on 1 June 2017. In this e-bulletin we highlight the post-enactment developments on enforcement cases. For a general overview of the CSL, please see our earlier e-bulletin (click here)
I. Breach of security protection obligations
Under the CSL (Article 21), network operators are required to implement the multi-level protection scheme (MLPS) for network security. Under this scheme, each network operator should be accessed and graded according to the security protection level it is required to comply with.
A network operator's security obligations include, among others:
- Formulating internal security management systems and operation manuals, appointing personnel responsible for network security, and discharging network security protection responsibilities;
- Taking technical measures to prevent acts that could harm network security, hacking and viruses;
- Monitoring and recording the operational status of the network and network security incidents, the log document for which must be kept for no less than six months; and
- Taking data classification, backup (for important data) and encryption measures.
Under Articles 56 and 59 of the CSL, the competent authorities may (i) demand a meeting with the legal representative of the network operator; (ii) order rectification; (iii) issue warning letters; and (iv) impose a fine on the network operator and the person directly responsible for the breach.
In the recently reported cases, we have seen penalties being imposed for breaches of each category of security obligations listed above. This shows that breach of any security protection obligations in the CSL carries the risk of penalties. Similarly, the enforcement measures and penalties imposed have spanned the available range. We note that the authorities have fined the individuals who have been designated by the network operators as responsible for cyber security. Where the network operator has failed to appoint such an individual, the legal representative has been fined. The authorities have also ordered meetings with legal representatives to discuss matters, even where the legal representative was not directly responsible for the noncompliance. Network operators should be aware of the individual liability of their legal representatives and the persons designated with responsibility for cyber security.
The reported cases have mainly targeted schools, internet companies and government-funded bodies. It is worth noting that the authorities imposing the penalties in the reported cases are the cyber security branches of the local police. It appears, therefore, that the cyber police remain the main authority responsible for enforcing cyber security protection obligations.
II. Breach of the obligation to manage online information
Article 47 of the CSL requires that network operators manage information published by their users and take measures to cease transmitting prohibited information, prevent further dissemination, maintain records and report relevant matters to the competent authorities.
Breach of this obligation carries more serious consequences. The penalties can include not only an order for rectification, a warning, confiscation of income and a fine, but also suspension of the network operator's operations or business, closure of its website, revocation of its operation permit or even its business license.
The reported cases have seen smaller Internet companies, as well as biggest names in the Internet industry in China, being penalized for not fully discharging their obligation to manage online information. The business operations of the penalised Internet companies cover e-commerce, fin-tech, social networking, online forums, live broadcasting, Internet forums, and online recruitment.
The authorities imposing the penalties have been mainly the local offices of the Cybersecurity Administration of China (CAC). It seems that CAC will continue performing its function of regulating content on the Internet under the CSL. We note that the cyber police and the local office of the Ministry of Industry and Information Technology (MIIT) have also issued penalties in some cases. The penalties handed down have mainly been warnings, orders for rectification and fines. We have not seen the authorities impose the more serious penalties so far.
III. Breach of obligations of real-name registration and verification
The CSL (Article 24) provides that all network operators require their users to provide their real identity before providing services. This requirement carries similar penalties as those for breaching the obligation to manage online information. The local offices of CAC and MIIT have imposed penalties on Internet companies for breaches targeting companies engaged in businesses including cloud computing, VOIP services and online music.
IV. Breach of personal information protection
The CSL requires that network operators should adhere to the principles of legality, legitimacy and necessity in dealing with personal data and imposes a series of data protection obligations on network operators.
In September 2017, the CAC, MIIT, the Ministry of Public Security (MPS), and the Standardization Administration of China (SAC) jointly reviewed the privacy terms of ten mainstream network products and services, such as WeChat, Taobao, Alipay, and JD.com. The regulators concluded that the privacy terms of the products and services had improved in respect of data protection. In particular, the terms:
i. make public the rules for collecting and using personal data;
ii. obtain express consent of the users;
iii. prompt the users regarding the privacy terms and offer more options;
iv. allow the users to visit, delete or correct the personal information and cancel their personal accounts online.
The companies whose privacy terms were reviewed also signed a manifesto on personal information protection. Under this they undertook to respect the right of their users to know about collection and use of personal information and to control their personal information, to respect users' authorizations, to guarantee security of their personal information and to ensure that their products and services are secure and trustworthy.
It has been reported that, in December 2017, the Consumer Protection Committee of Jiangsu Province initiated a public interest law suit against Baidu on the ground that the Mobile Baidu Browser illegally collects personal information without informing the users of the purpose of the collection or obtaining their consent. It is claimed that the collection of personal information is not necessary for its service and the scope is not justifiable, which has breached the Consumer Protection Law and the CSL. The case is yet to be decided.
In January 2018, Alipay and its affiliate Sesame Credit caused a controversy during the New Year. Users wishing to check their 2017 spending report on Alipay had to consent to the service terms of Sesame Credit (Service Terms) by ticking a box on the page of the Alipay app. However, the box was included in a line of small print and checked by default.
Alipay claimed that the intention was to obtain authorization from the users to allow the spending report to display certain personal credit information recorded by Sesame Credit. However, the incident has given rise to a widespread backlash online, and Alipay had to make a public statement to admit it was wrong do so.
In the Service Terms, users consent to, among other things, (i) collection and storage by Sesame Credit of personal information of the users from third parties (such as financial information, e-commerce companies, telecom operators, etc); and (ii) use of credit information of users by third parties. Apparently, the scope of the Service Terms is much wider than the scope of authorization intended by Alipay. The CAC and MIIT each ordered Alipay to meet with officials and rectify its violation of data protection laws and regulations.
MIIT has also ordered a meeting with Baidu and Toutiao and ordered rectification of alleged infringements of user privacy by apps operated by these companies.
Interestingly, both Baidu and Alipay were signatories to the manifesto on personal information protection in September 2017 and were praised by the authorities for their improvements in privacy terms. It seems that compliance with data protection laws proves to be a challenge even to leading Internet companies that have acted well ahead of others.
The recent controversies involving data protection and big Internet names have attracted huge media coverage and great attention from the government and general public, and will no doubt raise the awareness of data protection across Chinese society. With the CSL and other laws on data protection being enacted and implemented, we expect data protection to receive even greater attention in 2018. Companies should take action as early as possible to ensure full compliance.
For further information, please contact:
Karen Ip, Partner, Herbert Smith Freehills