Insights into Editorial: China’s First Cyber Security Law
In line with President Xi Jinping’s concept of an “overall national security outlook”, China recently brought it’s first National Cyber Security Law. This marks another step in the direction of increased oversight over the use of internet in China. China has justified its move as the objective need for national security considering its huge IT infrastructure and vulnerabilities associated.
Cyber law is a recent phenomenon at the level of governance, both in China, and globally. The need for cyber laws to provide a regulatory legal framework has been felt in the last decade with the onset of the Internet revolution, and its deep penetration into all aspects of the economy, society and governance of China.
The law was required for the following reasons:
- Cyber security is of critical concern to the Chinese leadership with regard to its impact on social stability, political control and national development in China. There are frequent complaints of network intrusions and cyber attacks in China posing threats to the domestic critical information infrastructure.
- There are concerns also over the use of ICT (Information Communication Technology) for terror activities and anti establishment activities, particularly in the Xinjiang province of China.
- Other important ICT areas like cloud computing, big data, new technology and application development are making the cyber security environment more complex in China. There is also concern over illegal acquisition and disclosure of personal information, concern over infringement of intellectual property rights and rights of legal person or entity.
Key provisions in the new law:
- The law basically focuses on three specific themes for the evolving cyber security regulatory framework in China. This includes cyber attacks or intrusions, illegal acquisition or disclosure of personal information and dissemination of information promoting or supporting terrorism or extremism.
- The law also makes specific references to technology regulation, data localisation and cooperation with authorities. Article 19 of the law refers to the development of “national internet information department” in China as a nodal center for preparation of a catalogue on the likely list of equipment and products to be sold in China.
- The law also defines ‘key information infrastructure’ noting any damage, malfunction or data leakage to it that would seriously jeopardize national security in China. It requires a security review for data and information technology equipment used in areas like ICT services, transport and finance.
- The law grants public security agencies in China power to take necessary measures, including the freezing of assets, against overseas individuals or organisations that “attack, intrude, interfere with or sabotage the nation’s key information infrastructure”.
- The law calls for ‘better protective measures’ for key industries including public communications and information service, energy, transportation, finance and e-government service.
- The new law makes ‘network operators’ subject to strict monitoring and increases state control over flow of information and technology equipment in China, raising concerns among foreign companies operating in the mainland.
- Under ‘data localisation’ provisions, the law disallows storage of personal information abroad. Foreign business operatives must store within China their critical and personal data information which they collect in course of their stay and activity.
- The security law also brings within its ambit the domain of ‘personal data information’, which till now was more the subject to administrative rules and guidelines in China. Any and all personal data collection by the operators and service providers must be done in conformity with the principle of prior ‘notice and consent’ to the users. In addition, any case of breach in data privacy of users must be reported with the authorities.
- The new law also disapproves of disclosure of anyone’s personal information to a third party by the network operator or any service provider in China. It also allows a data subject or user to request for deletion of personal information available with the service provider if its custody amounts to violation of law.
- The new law also makes necessary provisions for ‘security certification’ for important network equipment and software companies. It also makes clear that certain entities operating in ‘key industries’ like energy, transportation and finance will be subject to very specific requirements. They are required to keep a record of related web logs for at least six months.
- The new law calls for service providers in ‘key infrastructure facilities’ to clear a security assessment test conducted by the government according to the rules issued by Cyberspace Administration in China (CAC). (The CAC was established in 2014 to ensure better state control over cyber security network and Internet services in China.) This basically applies to service operatives whose services may affect national security in China. CAC along with other governmental agencies may conduct tests on network products and services that involve national security, to be carried out on an annual basis.
- Moreover, the law also calls for unspecified necessary “technical support” to security agencies by firms operating in China. Network operators must provide technical support and assistance to public or national security agencies in China if required.
Concerns raised over the new law:
Many foreign business organizations have raised deep concerns over the strict provisions of new cyber security law in China.
- They are particularly concerned with provisions related to data localisation and security review by state agencies subject to CAC rules.
- Similarly, lack of clarity in law on what exactly constitutes ‘key information infrastructure’ leaves larger scope for relating any service network to national security in China and mandating security tests for the same. This might impede their commercial interests and possible loss of competitive advantage.
- The security test might involve disclosure of their source code and other business secrets to the Chinese state security agencies, which many foreign business operatives will not find acceptable.
- Similarly, provisions related to ‘data localisation’ disallow cross border data transfer for service providers in China even if it is commercially viable.
- All these issues create operational challenges for service providers in China in future. However, China has defended the law as being in consonance with international trade and practices.
What can India learn from this?
In view of the several hacking incidents in the country by the so-called hacker group ‘Legion’, the ministry of electronics and IT recently ordered a series of measures including audit of the financial sector starting immediately with the National Payment Corporation of India (NPCI), review of the IT Act to make it stronger and setting up a crack team to respond to unusual incidents on a war footing.
However, this is not enough. Entire IT infrastructure of India should be reviewed. The need of the hour is “hardening” of the security wall. There is huge traffic flowing through the IT platforms and if there is any mishap, the systems have to be resilient and security agencies should be in a position to take appropriate measures.
While China maintains that the new rules are necessary for national security, there are valid concerns from trading groups and commercial enterprises over cross-border data flows, protection of user privacy and excessive control over the Internet in China. While China has defended it as a ‘basic law’ which strikes a balance between privacy and security, the legal language has led to fears that it might increase protectionism in trade and tighten even more the already strict censorship. Nevertheless, the long ‘grace period’ till June 2017 for its implementation might provide time to facilitate some changes in response to the dissenting voices.