China passes Cybersecurity Law | Practical Law

The NPC Standing Committee has enacted the 2016 Cybersecurity Law, a sweeping cybersecurity law that remains largely unchanged from prior drafts circulated for public comment. The law establishes a comprehensive legal framework for cyber sovereignty, cybersecurity and data privacy protection. The law imposes various cybersecurity obligations on network operators and more stringent requirements for operators of critical information infrastructure (CII). The law will take effect from 1 June 2017.

Practical Law UK Legal Update w-004-5956 (Approx. 10 pages)

Published on 18 Nov 2016 | Jurisdiction: China

Speedread

On 7 November 2016, the NPC Standing Committee enacted the Cybersecurity Law of the People's Republic of China 2016 (中华人民共和国网络安全法) (2016 Cybersecurity Law), which will take effect on 1 June 2017. The law establishes a comprehensive legal framework for cyber sovereignty, cybersecurity and data privacy protection. The law imposes various cybersecurity obligations on network operators and more stringent requirements for operators of critical information infrastructure (CII), and also includes data privacy protection requirements. Because of the breadth of its coverage, the law could potentially affect any company with operations in China, from a business, network infrastructure or data collection and storage perspective.
The law was first circulated in draft form on 6 July 2015 (see Article, GC Agenda China July 2015: NPC circulates draft Cybersecurity Law). A revised draft was released on 5 July 2016 (see Legal update, NPC Standing Committee circulates second draft of Cybersecurity Law). The final version of the law includes some changes, but the core principles of the drafts remain.

Background

On 7 November 2016, the National People’s Congress (NPC) Standing Committee enacted the Cybersecurity Law of the People's Republic of China 2016 (中华人民共和国网络安全法) (2016 Cybersecurity Law), which will take effect from 1 June 2017.
The law was first circulated in draft form on 6 July 2015 (see Article, GC Agenda China July 2015: NPC circulates draft Cybersecurity Law). A revised draft was released on 5 July 2016 (see Legal update, NPC Standing Committee circulates second draft of Cybersecurity Law). The final version of the law includes some changes, but the core principles of the drafts remain. The law imposes various cybersecurity obligations on network operators and more stringent requirements for operators of critical information infrastructure (CII), and also includes data privacy protection requirements. Due to the broad scope of its coverage, the law could potentially impact any company with operations in China, from a business, network infrastructure or data collection and storage perspective.
The enactment of the law follows the broader trend in recent years of national security-related legislation in China, such as the National Security Law of the People's Republic of China 2015 (中华人民共和国国家安全法) (see Legal update, China passes constitutional National Security Law). The new law fits into this framework by promoting the concept of cyber sovereignty (网络空间主权). Safeguarding China's cyber sovereignty is one of the fundamental principles stated in the law.

New cybersecurity regime: overview

The 2016 Cybersecurity Law broadly applies to the construction, maintenance and usage of networks within mainland China, as well as cybersecurity supervision and management (Article 2).
Networks are defined as systems consisting of computers or other information terminals and related equipment that follow certain rules and procedures for information collection, storage, transmission, exchange and processing (Article 76). Any Chinese or foreign company located in or with operations in China is therefore potentially affected by the 2016 Cybersecurity Law if it is involved in any part of the network life cycle.
The 2016 Cybersecurity Law imposes various cybersecurity obligations on network operators. Network operators are broadly defined as "network owners, managers and network service providers", which could include any person in China from an internet service provider to the owner of a commercial website operated through a domestic network (Article 76(3)).
The cybersecurity obligations include a series of requirements designed to protect networks from disturbance, damage or unauthorised access and prevent network data from being divulged, stolen or tampered with (Article 21). For a further discussion of these and other obligations imposed on network operators, see Cybersecurity obligations.
An additional category of requirements is imposed on operators of CII, which is defined as infrastructure in those important industries and sectors whose damage, loss of functionality or data leakage could threaten national security, people's livelihood and the public interest (Article 31). These additional obligations include a requirement to conduct security background checks on key security management personnel (Article 34). For more information on the obligations that apply to CII operators, see Additional obligations for CII operators.
The law also contains various provisions relating to data privacy protection, including restrictions on the collection of personal information and the transmission of the collected information to third parties. For a further discussion on the requirements related to data privacy protection, see Data privacy obligations.
Many of the concepts and terms in the 2016 Cybersecurity Law are defined very generally, and their concrete meaning and actual impact will need to be fleshed out in subsequent regulations to be formulated by the State Council and other governmental authorities.

Cybersecurity obligations

The 2016 Cybersecurity Law requires the establishment of a comprehensive graded protection regime for cybersecurity, including various general obligations and a number of requirements which specifically apply to network operators.
The obligations relating to security protection measures that apply to network operators include:
  • Network protection systems. A series of obligations designed to protect networks from disturbance, damage or unauthorised access and prevent network data from being divulged, stolen or tampered with. These include:
    • establishing an internal safety management system and operating procedures, and appointing a responsible person for implementing cybersecurity;
    • adopting technological measures to prevent cybersecurity violations such as computer viruses, cyber attacks and network intrusions;
    • adopting technical measures to monitor and record network operation status and cybersecurity events, and keeping the relevant network logs at least six months in accordance with relevant regulations; and
    • taking other measures including data classification, backup of critical data and encryption.
    (Article 21.)
  • User identity verification. This requirement applies to network operators that provide network access or domain name registration services, handle network access formalities for fixed-line telephones, mobile phones and similar services, or provide users with information dissemination, instant messaging and other services. The network operator must require users to verify their identity when the user signs a contract or confirms the provision of services, and must not provide the related services to users who do not do so (Article 24).
  • Cybersecurity contingency plans. Network operators must develop emergency response plans for cybersecurity incidents, and promptly handle system vulnerabilities, computer viruses, cyber attacks, network intrusions and other security risks. In the event of a cybersecurity incident, network operators must immediately start the emergency response plan and take appropriate remedial measures, and should report to the relevant authorities in accordance with the relevant rules (Article 25).
  • Assistance to authorities. Network operators must provide technical support and assistance to public security and state security organs, to safeguard state security and investigate crimes in accordance with the law (Article 28).
Obligations that apply more broadly to providers of network products and network services include:
  • Network products and services must conform to the mandatory requirements of relevant national standards.
  • Network product and service providers must not install malicious programs.
  • If a network product or service provider discovers risks such as security flaws or vulnerabilities in its products or services, it must immediately take remedial measures and promptly inform users and report to the relevant authorities in accordance with the relevant rules.
  • Network product and service providers must continue to provide security maintenance for their products and services. Security maintenance must not be terminated within the prescribed time or the time agreed by the parties.
(Article 22.)
More generally, carrying out activities such as cybersecurity certification, testing and risk assessment, and releasing to the public cybersecurity information such as system vulnerabilities, computer viruses, network attacks and network intrusions, must be done in compliance with relevant national regulations (Article 26).
Critical network equipment (网络关键设备) and dedicated cybersecurity products (网络安全专用产品) must conform to the mandatory requirements of relevant national standards and must undergo safety certification or safety testing by qualified institutions before sale or use. The relevant national authorities will publish a catalogue of certified key equipment and products. (Article 23.)

Additional obligations for CII operators

The 2016 Cybersecurity Law imposes an additional set of obligations on operators of CII. The law broadly defines CII to include public communication and information services, energy, transportation, water conservation, finance, public services, e-government and other important industries and sectors whose damage, loss of functionality or data leakage could threaten national security, people's livelihood and the public interest. The State Council will promulgate the specific scope of CII and its security protection measures (Article 31).
The various obligations imposed on network operators also apply to CII operators. The additional obligations that apply to CII operators include:
  • Enhanced security protection obligations. These include:
    • establishing security management departments and identifying and conducting security background checks on key department personnel;
    • regularly carrying out cybersecurity education, technical training and skills assessments for employees; and
    • conducting disaster recovery for critical systems and databases, and performing drills regularly.
    (Article 34.)
  • Local storage obligation. This requires CII operators to store within China personal information and important business data that was collected in China. These data may, however, be transmitted abroad on successful completion of a security assessment by the relevant authorities (Article 37).
  • National security review for procurement. This requires CII operators to undergo a national security review by the relevant authorities when purchasing network products or services which may affect national security (Article 35).
  • Annual safety and risk assessment and reporting. This requires CII operators to conduct, at least once per year, an assessment of the CII operator's network safety and potential risks, and to report the assessment results and improvement measures to the relevant authorities (Article 38).
(For background information on the Chinese governing regime for the telecoms sector and the regulations of internet content services, see Practice notes, Regulation of telecommunications sector in China: overview and Regulation of internet content services in China.)

Data privacy obligations

The 2016 Cybersecurity Law also covers personal information, which refers to information that by itself or in combination with other information can be used to identify an individual, including name, date of birth, ID card number, biological identification information, address, and telephone number (Article 76(5)). The law requires network operators to keep the user information they collect strictly confidential, and to establish and improve their user information protection systems.
More specifically, network operators must:
  • Collect only personal information required for purposes of the services being provided.
  • Clearly indicate that information is being collected and obtain the consent of those from whom the information is collected.
  • Take technological measures to protect personal information and keep it confidential.
  • Refrain from providing personal information to third parties, unless it is redacted so that the individual cannot be identified.
  • Correct or delete personal information when the individual discovers, respectively, that the information is incorrect or that the network operator has used the information illegally or in violation of the agreement between the parties.
(Articles 41 to 43.)
For a general overview of the regulatory environment for data privacy protection in China, see Practice note, Data privacy in China. For a discussion of recent changes to the criminal offences and penalties in the areas of data privacy and cybersecurity, see Legal update, Criminal Law amendment: new individual and corporate offences for data privacy and cybersecurity violations.
In addition, important implications for data privacy exist in the context of state secrets and other protected information. (For more information, see Practice note, State secrets, trade secrets, and confidentiality: China.)

Changes from the draft versions

Key changes contained in the final version of the law include:
  • An expansion of various protections of the personal information of citizens to include the personal information of all individuals (including foreign citizens staying in China).
  • An increase in the monetary penalties that may be imposed for violating various provisions of the law. For example, the maximum fine for an entity which engages in acts that endanger cybersecurity has been raised from RMB500,000 to RMB1 million (Article 63).
  • A new provision intended to protect minors, supporting the research and development of network products and services which contribute to the healthy development of minors, and punishing the use of networks to carry out activities that endanger the physical and mental health of minors (Article 13).
  • An amendment of the definition of CII to include specific industries and sectors. Enumerating industries and sectors had been included in the original draft of the 2016 Cybersecurity Law but removed from the second draft (Article 31).
  • A general prohibition against the use of networks to commit or facilitate fraud (Article 46).
  • A new provision permitting the investigation and sanction of foreign institutions and individuals for committing attacks on CII (Article 75).

Commentary

The 2016 Cybersecurity Law establishes a comprehensive legal framework in China for cyber sovereignty, cybersecurity and data protection. It is sweeping in scope, potentially affecting every company involved in the network life cycle, whether under Chinese or foreign ownership, since even operating a website, an offline network or a company intranet falls within its scope. With an effective date of 1 June 2017, any company with operations in China should immediately begin to assess the potential impact of the 2016 Cybersecurity Law, both on its business generally and on its network infrastructure specifically. A company which provides internet services and collects customer information, for example, will be more heavily affected than a company which merely operates an employee intranet.
An impact assessment is especially important if a company is involved in an industry or sector, such as finance, which will cause it to be classified as a CII operator. The obligations imposed on CII operators are more comprehensive and the punishments for potential violations are more severe.
Depending on the scope of a company's operations in China and its interaction with customer or user data, it may also need to assess its data collection and storage policies in light of the data privacy protection provisions. The data privacy provisions likely will also affect companies with employees in China from a human resources perspective, as companies will generally collect and store personal information of their employees.
At the same time, many of the concepts and terms in the 2016 Cybersecurity Law are defined very generally, and their concrete meaning and actual impact will need to be fleshed out during the transition period in subsequent regulations to be formulated by the State Council and other governmental authorities. Companies with operations in China should therefore continue to follow legislative developments closely in the coming months to gain a clearer picture of the steps they will need to take.