On 7 November 2016, the Standing Committee of the National People's Congress has formally passed China's first comprehensive privacy and security regulation for cyberspace. Since the new Cyber Security Law (CSL) will come into effect on 1 June 2017, technology companies that are operating in or planning to expand to the Peoples Republic of China (PRC) are well advised to adapt their IT infrastructure and data architecture to the new law. Violations of the law may, at worst, lead to high fines, website shutdowns or license revocations. Some of the most significant changes brought about by the new law are briefly outlined below.

Who Is Affected and What Is New?

The CSL applies to operators of Critical Information Infrastructures (CIIs) and network operators. A network operator is defined as an operator of basic telecommunication networks, internet information service providers and key information systems. However, it is not clear which companies qualify as operators of CIIs. The exact definition of CIIs was left to the State Council of the PRC. So far, the Council has not given any specifications.

The new law includes several important and consumer protection provisions, but also some very controversial ones affecting technology companies.

Some provisions of the new law have aroused particular criticism. For example, instant messaging services and other companies qualifying as CIIs are only allowed to provide users with their full service if the users have registered under their real identities. In addition, CIIs are under an obligation to remove "prohibited content" from their service. In case of non-compliance with the latter requirement, CIIs are liable for a fine or worse. These requirements are believed to potentially restrict anonymity on the internet and to encourage self-censorship for online communication.

Under another controversial provision, companies are required to report to the relevant authorities any cyber security incident and vulnerabilities that they have experienced and to technically support and assist the authorities on national security matters and crime investigation. However, the nature and scope of the required technical support and assistance have not been defined. Thus, it is not clear whether the process might entail the provision of confidential information.

Among all the changes, the most significant change might be the so-called Data Localization Requirement. Under that provision, CIIs are required to store personal data and other important information within mainland China. However, it is not clear whether this provision only applies to personal data of Chinese citizens or to any personal data, including those of foreigners. In the first case, companies might be required to separate the personal data of Chinese citizens from the personal data of other individuals.

A Look Ahead

The CSL brings a lot of changes in the fight against cyber security threats. However, the law should be criticized for its lack of legal certainty, mostly resulting from overly broad formulated terms. As the CSL comes to effect in less than three months, technology companies are allowed little time to adapt to the new provisions. Compliance may in particular be of crucial importance for multinational companies with regard to the Data-Localization Requirement, as cross-border data transfer may be daily business. It remains to be seen whether the legal uncertainties will somehow be eliminated by the relevant authorities. Until then, affected companies need to be very cautious.

Originally published March 15, 2017

Visit us at www.mayerbrown.com

Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2016. The Mayer Brown Practices. All rights reserved.

This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.