China’s New Cybersecurity Law: What You Need to Know

July 9, 2015 | Topic: Cyber Security | Region: Asia | Blog Brand: The Buzz | Tags: China, Cybersecurity Law, Cyber


The National People’s Congress posted the draft of a new cybersecurity law (in Chinese) on Monday. The purpose of the law, according to the NPC, is to maintain “cyberspace sovereignty.” The law is open for comments until August, and the important questions will be how it is modified, interpreted, and implemented. But here are some of the key points:

-Government will establish national security standards for technical systems and networks.

-Real name registration to be enforced more strictly, especially with messaging apps where enforcement has been lax.

-Internet operators must provide “support and assistance” to the government for dealing with criminal investigations and national security. Nicholas Bequelin, East Asia Director at Amnesty International, tells Reuters that Article 50 gives authorities the legal power to cut Internet access to maintain order, as Beijing did in Xinjiang in 2009.

-“Timely warning and notification” system for cybersecurity incidents.

-Greater investment in cybersecurity (including subsidies for cybersecurity companies, internet operators, etc.) and cybersecurity education.

-The Cyberspace Administration of China (CAC) will review cybersecurity practices of key telecommunication operators, conduct regular emergency drills, and provide help in implementing the law. Employees must undergo background checks, and the CAC will review procurement.

-User data for the key operators must be stored in China (if there’s a business imperative to store data overseas, they can apply for exceptions).

-Collection and use of user data must “comply with the principles of legality, justice, and necessity” and operators must secure users’ agreement to have their data used. Data collected must be related to the service the Internet operator is providing. Collected user data must have adequate protections and data breaches must be responded to in a timely manner.

The foreign business community will be reading the law closely, trying to determine how the cybersecurity standards and procurement provisions will be implemented. The past few months will not give them great comfort, as Beijing has adopted a national security law and other provisions to make technology used in China “secure and controllable.”

Just weeks after the Strategic and Economic Dialogue ended, and months before President Xi Jinping’s visit to the United States, cybersecurity and information technology are becoming an even greater source of tension in the bilateral relationship.

This piece first appeared in CFR’s blog Net Politics.