On 1 November 2018, China's new Regulation on Internet Security Supervision and Inspection by Public Security Bureaus ("Regulation") came into effect. The Regulation grants broad powers to the Public Security Bureaus ("PSBs") to closely scrutinise internet service providers and network users to ensure that they are compliant with their cybersecurity obligations.
China's Cybersecurity Law ("CSL"), which came into effect on 1 June 2017, has introduced stringent requirements on network operators and operators of critical information infrastructures in relation to cybersecurity and data protection. This includes an obligation on network operators to provide technical support and assistance to PSBs to help protect national security and investigate crimes; implement technical measures to prevent cyber attacks, unauthorised access, viruses or other actions that may endanger their network's security; implement internal security management systems and operating rules; appoint personnel who will be responsible for maintaining the network operator's cybersecurity; and so on.
The Regulation was established under the CSL and other related legislation, in order to clarify the PSBs' powers to carry out cybersecurity inspections.
The Regulation grants PSBs the right to inspect any internet service providers or network users who provide any of the following services ("Providers"):
- internet access, data centres, content distribution or domain name services;
- internet information services;
- internet access to the public; or
- other internet services.
The application of the Regulation, in line with other regulations issued under the CSL, is quite broad. The PSBs retain the discretion to determine what would amount to "other internet services". The Regulation therefore has the potential of covering any company that simply operates a website, regardless of their industry or sector
The Regulation states that the inspections and oversight by the PSBs are for the purpose of ensuring a Provider's compliance with the following obligations imposed by the CSL and other related laws:
- recordal requirements with the PSBs by networkusing Providers;
- implementation of cybersecurity management and operating rules, and appointing personnel responsible for cybersecurity;
- implementation of technical measures to legally record and store users' registration information and internet access logs;
- implementation of technical measures to prevent computer viruses, cyber attacks, network intrusions, and so on;
- in relation to the provision of public information services (e.g. public websites, etc.), implementation of measures to prevent the publication or transmission of information prohibited by laws and administrative regulations;
- provision of technical support and assistance to PSBs in accordance with the law, in relation to the protection of national security, prevention and investigation of terrorist activities or crimes; and
- implementation of measures consistent with the cybersecurity multi-level scheme pursuant to laws and administrative regulations.
The PSBs' inspections and oversight can be carried out either on-site at the Provider's premises or remotely. If remote access will be used, then the PSBs must give the Provider advance notice of the time and scope of the inspection. However, how much advance notice needs to be provided is not specified, and a public announcement would be sufficient.
By contrast, no prior notice is required for on-site inspection, and PSBs can exercise any of the following powers:
- enter business premises, server rooms or work places;
- require the person in charge of the Provider or the cybersecurity management personnel to provide any explanations on matters that are the subject of the PSBs' oversight or inspection;
- inspect and take copies of any information related to matters that are the subject of the PSBs' oversight or inspection; or
- . check the operation of the technical measures put in place to maintain network and information security
If the PSB finds any failure by a Provider to comply with its cybersecurity obligations, then it has the power to issue rectification orders for minor violations, or to issue harsher warnings, fines or order the imprisonment of responsible individuals pursuant to the CSL and China's Anti-Terrorism Law.
Confidential and Proprietary Information
Major concerns have been raised regarding the level of access that PSBs will have to confidential information and trade secrets of a Provider. Furthermore, PSBs have the right to use third party service providers who have the technical capabilities to provide support in order to help the PSBs carry out any on-site or remote inspections ("TSP"). In theory, this could mean that competitors of a Provider could be appointed as a TSP, thereby providing the competitor with back-door access to the confidential and proprietary information of the Provider.
To try and minimise these concerns, the Regulation imposes an obligation on the PSBs and their staff to strictly maintain the confidentiality of all personal information, trade secrets, state secrets and private information which they learn during the course of their inspections and oversight. They are also prohibited from selling, disclosing or illegally providing such information to anyone, and can only use it as necessary for the purposes of protecting network security.
TSPs are also prohibited from disrupting the normal operation of the Provider's network, from stealing any network data, or otherwise illegally obtaining, selling or providing any personal information acquired during the conduct of their services for the PSBs.
Whether or not the above restrictions can or will be actively enforced against the PSBs or TSPs still remains an area of concern for many companies.
The CSL, amongst other laws and regulations, already grants PSBs with broad powers of scrutiny, which the authorities have already been utilising since the CSL came into force in June 2017. For example, in August 2018, the Ministry of Industry and Information Technology ("MIIT") announced that it would be inspecting the networks and systems of organisations in the telecommunication and internet industry to ensure compliance with the CSL. This resulted in MIIT issuing an order on 27 November 2018 against 7 network organisations requiring them to take rectification steps. Some of the deficiencies found by MIIT included a failure to implement cybersecurity management and operating rules, and a failure to carry out cybersecurity emergency drills. What the Regulation does is provide further details on the range of powers available to PSBs. As with the CSL, the Regulation is broad and vague, which unfortunately means a degree of uncertainty on exactly how the PSBs will exercise their powers. Given the amount of ambiguity that still remains with the CSL, and the number of draft measures that have yet to be finalised, companies are left in the tricky position of needing to ensure compliance with the CSL, without knowing the extent of their obligations.
The Regulation cannot be taken as anything but a clear indication that the Chinese authorities are planning on upping their enforcement actions in the coming year. For now, companies operating in China need to take heed of this Regulation, and continue to seek to navigate the unclear path of the CSL to ensure they do not fall foul of their obligations under the main law and/ or the complex web of subsidiary regulations.
Visit us at www.mayerbrown.com
Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2018. The Mayer Brown Practices. All rights reserved.
This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.