China’s cybersecurity and cross-border data transfer regimes

China enacted the CSL on November 7, 2016. The CSL came into force on June 1, 2017, with the goal of establishing a uniform regulatory regime for cybersecurity and data protection in China.

Multiple government agencies are involved in implementing the CSL, including:

• Cyberspace Administration of China (CAC) and its local offices
• Ministry of Public Security (MPS) and local Public Security Bureaus
• Ministry of Industry and Information Technologies (MIIT) and local Telecommunication Bureaus
• Other sectoral regulators, such as:
  • Ministry of Science and Technology (MOST)
  • National Energy Administration (NEA)
  • China Banking and Insurance Regulatory Commission (CBIRC)

The CSL is currently being enforced in the following ways:

• It imposes baseline data protection and cybersecurity obligations on network operators, including compliance obligations with Multi-Level Protection Scheme (MLPS) rules
• It provides a regulatory framework for critical information infrastructure (CII) operators
• It establishes a cybersecurity review mechanism for network products and services that may put China’s national security at risk
• It establishes pre-sale certification requirements for critical network equipment and network security products
• It imposes requirements to protect data collected in the operations of networks
• It stipulates a wide array of sanctions and penalties for non-compliant companies

The Multi-Level Protection Scheme (MLPS) refers to the system of classification for all networks in China (except those for personal use and household purposes) and the requirements for cybersecurity protection and supervision. MLPS does not apply to networks with servers located outside China.

The MLPS classifies networks from level one to level five based on:

• the functions of the networks
• the scope and target of services
• the type of data being processed

Level one is the least critical and subject to the least security requirements, while level five is the most critical and subject to the most security requirements. Depending on the classification level, which is determined after a self-assessment by operators, the operators may need to arrange an expert review or obtain the approval from their industrial regulators on the classification results before they file the results with the MPS. Canadian companies that own networks in China should consult with experienced service providers to determine the level of their networks.

All network operators, regardless of their MLPS classification, must take the following general cybersecurity measures: 

• personnel management and training related to cybersecurity measures  
• managing data rooms, servers and devices 
• preventing malware and cyber-attacks 
• monitoring and logging the network status
• data backup
• reporting security incidents to the MPS

There are additional requirements for networks classified as level three and above, such as:

• Monitoring the network status, network traffic, user behaviour, security incidents, and connecting the monitoring networks with MPS networks.
• Formulating cybersecurity emergency plans and regularly carrying out cybersecurity emergency response drills.
• Using network products and services that match their classification levels by procuring products and services certified by the MPS.
• Using encryption technologies, products and services approved by the State Cryptography Administration (SCA).
• Conducting technical maintenance of networks within China. If, for business reasons, it is necessary to perform remote maintenance outside of China, it is important to conduct a cybersecurity assessment, and implement risk management measures.

Critical Information Infrastructure (CII) broadly refers to important network facilities and information systems in China that, in the event of damage, loss of function, or data leak, may seriously damage national security, national economy, people’s livelihood or public interest in the sectors of:

• public communications and information services
• energy
• transportation
• water conservation
• finance
• public services
• e-government
• defense technology industry
• other critical industries and fields

The Chinese sectoral regulators are responsible for formulating CII identification rules by taking into account the following three broad factors:

• the importance of network facilities and information systems to the core business of the industry or field
• the level of harm that may be caused if network facilities and information systems are damaged, disabled or have data leak
• the potential associated impact on other industries and fields

Sectoral regulators designate CII according to their rules, notify the results to CII operators and file the results to the Ministry of Public Security (MPS). CII excludes networks whose servers are located outside of China.

There is no explicit timeline for the identification of new CII. In the event that an already identified CII operator makes a major change to CII, the operator must report the change to the regulator; the regulator can take up to 3 months to reconsider if the networks are still CII or not.  

CII operators must follow stringent cybersecurity requirements and conduct cybersecurity protection activities similar to those required of networks classified at MLPS level three and above. In addition, operators must meet the following requirements:

• Establish a special security management office in charge of CII’s security protection
• Conduct a security assessment for third-party-developed systems and software before the networks goes online
• Store personal information and important data collected and/or produced during the course of their operations in China. If cross-border transfer of such information and data is required for business reasons, the operators must pass a mandatory security assessment by CAC
• Pass the cyber security review before the operators procure a wide range of network products and services that may negatively impact national security in China. The operators’ procurement agreements must explicitly state that the suppliers will assist with the cybersecurity review and commit to not engage in illegal activities
• Sign security confidentiality agreements with supplies of network products and services, and such agreements must specify the suppliers’ obligations on technical support and security confidentiality

Important data refers to the kind of data that if leaked, may negatively impact:

• national security
• economic security
• social stability
• public health
• public security

Examples of important data could include unpublished government information and large volumes of data relating to population, genetics, healthcare, geography and mineral resources.

Companies’ operational and administrative data and personal information are not generally considered to be important data. 

If network operators collect important data for operational purposes, they must file their data collection practices with the local Cyberspace Administration of China (CAC) offices. The filing materials should include information on the purpose, Volume, method, scope, type and retention period of important data collected.

Operators must designate responsible persons who have data protection knowledge and experience to lead the security of important data they collect. Among their responsibilities, such persons must report data protection practices and incident responses to CAC and other relevant government agencies.

Personal information refers to information that identifies a person either by itself or in combination with other information. Examples of personal information include a person’s:

• name
• address
• telephone number
• date of birth
• identity card number
• biometrics

Network operators cannot collect personal information that is not relevant to the services they offer. Prior to collecting personal information from individuals (the data subjects), the operators must notify the individuals via clear and easily accessible language, and obtain consents from the individuals. No operators may collect personal information of children under 14 years old without the consent of their parents or custodians.

Network operators must keep users’ personal information in strict confidence. This includes an obligation to implement technical measures to monitor and record the operational status of their networks and any cybersecurity incidents. Operators must designate responsible persons who have data protection knowledge and experience to lead the security of personal information collected by operators.

If network operators collect sensitive personal information for operational purposes, they must file their data collection practices with the local CAC. Sensitive personal information refers to personal information that, if leaked or abused, might:

• endanger personal and property security
• damage personal reputation and physical and psychological health
• lead to discriminatory treatment

Examples of sensitive personal information are:

• ID card numbers
• biometrics
• bank accounts
• personal communications
• credit records
• geolocation data
• health data
• personal information of children under 14 years old

In most of the circumstances, prior to sharing personal information with third parties (whether in or outside China), network operators must assess the security risks associated with such data sharing and obtain consents from the data subjects.