China Cybersecurity And Data Protection: Review Of 2020 And Outlook For 2021.
Legal News & Analysis - Asia Pacific - China - Cybersecurity
21 January 2021
2020 has been an active year for developments in China’s cybersecurity and data protection regimes. In this e-bulletin we highlight the major regulatory and enforcement developments during the year in three key areas:
· Security protection, where continuous regulatory efforts have been made to supplement technical standards in order to progress the establishment of the multi-level protection scheme (MLPS), with the police taking a more active approach to inspecting compliance with the MLPS regime.
· Data protection, where two milestone pieces of legislation, the Personal Information Protection Law and the Data Security Law, started their progress through the legislative process, and important standards on personal information protection and risk assessment were updated or released; and
· Supply chain security, where developments have focused on establishing the regulatory framework for commercial encryption and the supply chain security of Critical Information Infrastructure.
Further details are set out below. In each case we set out a reminder of the obligations under the Cyber Security Law and provide a brief summary of the main developments during this year.
For a more regular update on the latest developments, please see our monthly e-bulletins (click here for the most recent one).
Reminder of legal obligations
Under Article 21 of the Cyber Security Law, network operators are required to implement the multi-level protection scheme for network security. Under this scheme, each network operator must be assessed and graded according to the security protection level applicable to it. This will determine the set of security protection obligations that it must comply with.
A network operator’s security obligations include, among others:
In particular, Articles 31 to 39 impose more stringent obligations, including a data localisation requirement, on selected network operators of critical importance to state security or the national economy or public interest. These are known as critical information infrastructure (CII) operators. In July 2017, the Cyberspace Administration of China (CAC) published draft regulations on the protection of critical information infrastructure, which have yet to be enacted (please click here for our analysis on the draft regulations).
Under Articles 56 and 59, in the event of a breach of the security protection obligations, the competent authorities may (i) demand a meeting with the legal representative of the network operator; (ii) order rectification; (iii) issue warning letters; and (iv) impose a fine on the network operator and the person directly responsible for the breach. In serious cases, criminal penalties could arise. The Ministry of Public Security, namely the police, and its cyber police arm are charged with enforcing the regulations.
The authorities have yet to make any further progress in clarifying the protection regime governing CII. The guidance opinion urges the relevant ministries to draft rules for identifying CII in their respective industries or sectors and to take charge in identifying the CII and filing details with MPS. MPS’ role includes designing, implementing and establishing the overall protection scheme.
Whilst historically penalties for failing to implement the MLPS were usually triggered by investigations into security breaches (such as hacker intrusion), in 2020 we saw cases where the police conducted routine checks resulting in penalties for entities that had not implemented the MLPS. Inspection activities by local police relating to the MLPS have also been increasing.
Outlook for 2021
Establishing the framework for MPLS standards has cleared the obstacle preventing large-scale implementation of the scheme. We expect implementing regulations for the MLPS to be published in 2021, which will likely be coupled with more wide-sweeping enforcement campaigns. Whilst is unclear whether the authorities will offer more clarity on CII regulation, it is now clear that the industry and sector regulators will be responsible for drafting the rules. It remains to be seen which regulator will be the first to do so. Before that, however, we expect the long over-due regulations on the protection of CII to be published.
For further information, please contact:
James Gong, Herbert Smith Freehills