After months of international consternation, China’s cybersecurity law (CSL) went into effect today. For a deep dive on what foreign companies should expect from the law, see Samm Sacks’s excellent piece posted to Lawfare this morning.
I first wrote about the law in November of last year, concluding that:
“[I]nternet companies operating in China will be subject to a broad and ill-defined array of regulations and potential punishments. Notwithstanding the enhanced individual protections that it provides, the law primarily serves to increase the state’s ability to control domestic Internet activity.”
In mid-April of this year, the Cyberspace Administration, a division of China’s central executive body, published a draft guidance that seemed to further expand the scope of data that would need to be saved on servers in mainland China. This move only sharpened the international business community’s already pointed criticism of China’s attempts to protect its “cyber sovereignty.” In late-breaking news, the Washington Post reported yesterday that regulations on cross-border movement of data have been postponed until December 31, 2018.
Perhaps as a last-ditch effort to address this mounting criticism, the Cyberspace Administration released an extensive question-and-answer yesterday on some of the most controversial aspects of the CSL. Below is a summary of the most important details.
Detailed Regulations Expected Within a Year
One of the most frequent criticisms of the CSL is its lack of specificity. Michael Chang, vice president of the European Union Chamber of Commerce in China, for example, recently stated, “Industry is not ready because the implementation rules are not clear.” The Cyberspace Administration’s response in its question-and-answer: we’re working on it. China’s Law of Legislation requires that implementing regulations be completed within one year of the organic law (here, the CSL) going into effect. By the Cyberspace Administration’s own tally, the relevant departments are currently drafting (1) implementing regulations regarding security assessments for moving personal information and important data out of mainland China, (2) a list of what will be considered critical information infrastructure, (3) regulations protecting critical information infrastructure, and (4) more detailed regulations governing the approval of Internet products and services. A more general guidance document on the regulation of Internet products and services was released in early May, but the Cyberspace Administration did little to reveal what these regulations might entail. It did helpfully suggest, however, that corporations prepare to implement the CSL and independently monitor “relevant internet activity.”
Defining and Protecting Critical Information Infrastructure
The Cyberspace Administration did provide a bit more detail regarding critical information infrastructure, which is subject to particularly stringent regulation but was not clearly defined in the CSL. The administration asserted that relatively few service providers/operators would be included. At the same time, the administration acknowledged that determining what should be deemed “critical” is complicated, depends on the “national situation,” and could change with experience. The administration also stated that it would better secure critical information infrastructure by improving (1) intra-governmental coordination, (2) government supervision, (3) training for those operating critical information infrastructure, (4) preparation for data sharing and emergencies on critical information infrastructure, and (5) international cooperation.
Implementation of the Cybersecurity Law Will Not Impede International Trade
The April draft guidance mentioned above seemed to suggest that all personal information or important data, not just data related to critical information infrastructure, would be subject to restrictions on cross-border movement. Yet yesterday’s question-and-answer appears to refute that interpretation, as it asserts that security reviews are required only for personal information or important data related to critical information infrastructure. The document further qualifies this requirement, stating that the only information of concern is that pertaining to government, not corporate or individual, sensitivities. No guidance is provided as to what these sensitivities might include. Additionally, the document assures readers that individual consent for personal information to be moved across borders can be assumed in certain situations (e.g., when an individual sends an email, makes a phone call, or engages in international e-commerce). The Cyberspace Administration also reaffirmed China’s commitment to international trade and the free movement of information across borders. For example, the administration asserts that security assessments for Internet products and services will be conducted regardless of the firm’s country of origin.
Restatement of General Principles
Predictably, the Cyberspace Administration reaffirmed that domestic Internet restrictions can coexist with the freedom to move information internationally. More interestingly, the administration also outlined three principles for creating a “safe and trustworthy internet.” First, a safe and trustworthy Internet protects the user’s ability to control his or her own information. Internet service providers should not be able to profit from limiting an individual’s capacity to decide what to do with their own data. Second, a “safe and trustworthy internet” prevents service providers from impairing a user’s ability to control the systems upon which they rely. Third, a trustworthy Internet protects the user’s freedom of choice. Service providers should not be allowed to take advantage of a person’s dependence on a given product or service or inhibit one’s ability to use another system or service. For example, service providers should guarantee a minimum of reasonable security support for old systems and should not force users to upgrade products.
As with the CSL as a whole, the document released yesterday is a mixed bag. For those most concerned with protecting individual data rights against corporations, there may be much to celebrate. But for those concerned about government regulation and government access to personal information, yesterday’s document will do little to allay those well-founded fears. And while there are hints of a more restrained approach to implementing the CSL, much remains uncertain.
One thing that is certain: The next twelve months will be a landmark year for charting the future of “cyber sovereignty” in China.