Almost two years after its commencement, China’s Cybersecurity Law remains a frequently discussed topic among business stakeholders inside and outside of China. In addition, companies in the region that have business engagements in the European Union also need to navigate the EU-wide General Data Protection Regulation (GDPR) that was implemented last year. How do the two pieces of legislation compare to one another? What steps do companies need to take in order to comply with both? How does the Cybersecurity Law affect cross-boundary business in the Greater Bay Area? An interview with Mr. Daniel Kwong, Chief Information and Innovation Officer at CITIC Telecom CPC.
Mr. Kwong, you are very familiar with China’s Cybersecurity Law as well as the General Data Protection Regulation of the European Union. What are the key similarities and differences between these two comprehensive data protection reforms?
Daniel Kwong (DK): Both laws reflect the urgency and criticality of data protection and clearly define responsibilities for companies and other organisations to protect users’ personal data.
The GDPR aims to protect the data privacy rights of EU citizens and residents. It introduces terms like ‘data subject’, ‘personal data’ and ‘data subject rights’ and divides regulated subjects into data controllers and data processors. Under the GDPR, data subjects are granted seven data rights: the right to know; to visit; to amend; to delete (right to be forgotten); to restrict processing (right to oppose); to carry; and to refuse. Organisations are required to appoint a data protection officer (DPO) in charge of the overall data protection work.
China’s Cybersecurity Law, on the other hand, aims to enhance national cyberspace sovereignty and national security. It mainly emphasises the security and monitoring of information, network products, services and operations, as well as early diagnosis, emergency response and reporting requirements.
The Cybersecurity Law defines a number of “personal information rights”, but compared to the GDPR, the legislation is less sophisticated, its provisions are less detailed, and its penalties are less stringent. It needs to be refined by a series of supporting norms or national recommended standards. The Code for Personal Information Security of Information Security Technology, implemented on 1 May 2018, is an important supporting standard for Chapter Four of the Cybersecurity Law. Together, they define seven categories of personal information rights: the right to know; to delete; to correct; to express consent; to visit; to cancel; and to withdraw.
The GDPR can impose a maximum penalty of up to EUR 20 million or up to 4 percent of an organisation’s total global turnover of the previous year. Under the Cybersecurity Law, organisations can be fined up to RMB 1 million for infringement; however, they may also be penalised with the revocation of their business licence.
How do the two laws differ in their scope?
DK: The Cybersecurity Law covers not only the collection, storage, transmission, exchange and processing of data, but also the construction, operation and maintenance of hardware facilities. Regulated subjects are collectively referred to as “network operators” and divided into critical information infrastructure operators and non-critical information infrastructure operators. Therefore, the scope of “network operators” covers virtually any organisation that has information flow through network equipment and services. Chapter Four, Articles 40-50 specify how “network operators” and the relevant National Bureaus and Ministries should safeguard the users’ personal data.
Along with data protection, the Law requires companies to control uploaded content and filter illegal data transmissions, such as fraud, the production or sale of prohibited articles, controlled articles and other illegal and criminal activities.
In terms of jurisdictional scope, the Cybersecurity Law only applies to PRC territory. The law affects individuals and entities regardless of their nationality, as long as they build, operate and maintain network-related services and products within the PRC. Meanwhile, the GDPR is applicable to personal data processing activities within the EU, including goods or services provided to data subjects in the EU and other activities of data subjects that occur in the EU. The definition of "data subjects within the EU" mainly refers to citizens of EU member states but may also extend to residents. Therefore, the GDPR covers a much broader territorial scope than the Cybersecurity Law.
How can companies ensure they are compliant with both the Cybersecurity Law and the GDPR? Do they need to worry about the relationship between the two laws?
DK: First of all, there is no conflict between these two laws. Compliance with one facilitates compliance with the other. Second, the GDPR has cross-border data transfer constraints. Companies that are compliant with China’s Cybersecurity Law can better mitigate the risk of violating the GDPR in this respect.
Organisations that meet international network security standards and other regional data privacy regulations do not need to worry much about compliance with the Cybersecurity Law. However, they should pay attention to the requirements related to sovereignty and security of national cyberspace. The key to ensuring compliance with both laws is to determine what data is collected and processed, how it is being used and stored, and who the upstream providers and downstream data processors are.
In other words, companies need to map out their internal data flows, classify them by the level of protection, verify the security levels of customers and suppliers and, if necessary, sign a data protection agreement to define roles and responsibilities.
General legal education and compliance training should be provided to all staff. For key department staff and positions, dedicated security training and detailed training on the relevant articles of the law are a must. As mentioned, a DPO should be appointed to oversee data protection and compliance practice. Furthermore, incident response flows should be set up to ensure a smooth reporting channel and enable quick mitigation in case of any data leakage or violation.
For multinational companies with subsidiaries in China, some application systems and network infrastructure may need to be redesigned in order to satisfy data storage and back-up requirements. If data related to EU citizens is being transferred cross-border to China or anywhere outside the EU, standard contractual clauses and binding corporate rules should be considered to meet the GDPR requirements.
What are the best practices for network operators in China to ensure compliance with the Multi-Level Protection Scheme (MLPS) under the Cybersecurity Law?
DK: Article 21 of the Cybersecurity Law states that the country implements the MLPS for network security. Five security levels have been defined, based on the impact of compromised data on national security; the legal rights and interests of Chinese citizens, legal entities and other organisations; or social order and public interest. Most private enterprises fall under Levels Two or Three. There are detailed checklists for each level under this scheme.
The first step is to define if a business operates just within a certain part of the country or across the whole country. The government has certified a list of evaluation agencies to examine and score the entire compliance status, but some of these can just offer services within a province or a city whilst others can offer country-wide services.
Then, the company should properly define its level. Once the documentation for the specific level has been reviewed and approved by national security experts, the company needs approval from the Bureau of Public Security, after which a registration certificate is issued to it. After that, the company can carry out self-examination and security enhancement based on the checklist for its respective level. It can select an evaluation agency to start the evaluation process whenever it is ready.
It is crucial for companies to assign a specialist to maintain good communications with the Bureau of Public Security and act as the focal point to coordinate internal cooperation with the evaluation agency.
In times of an ever more data-driven global economy, it seems that data breaches through social networks as well as private corporate networks have become more and more frequent, each incident affecting the personal information of millions of people. Has the Cybersecurity Law been effective in containing the risk of data leakage?
DK: I am sure the Law has played an important role since its enforcement. Chapter Four lays out strict personal data protection requirements. For instance, Article 40 states that network operators must keep their collected user information strictly confidential and establish and improve the system of user information protection.
Articles 41 to 44 require network operators to describe the scope, content and purpose of collecting user data and obtain user consent before doing so. Any out-of-scope usage and unauthorised sharing of information to third parties is a legal violation. Furthermore, the Law requires organisations to set up security systems and protect user data. As mentioned earlier, users hold seven data rights. If they find that their personal data is mistreated, they can exercise these rights and require that their data be changed or deleted.
The Cybersecurity Law also requires network operators to implement real-name systems to make user activities traceable and discourage any form of illegal activities on the Internet. Network products must fulfil the requirements of blocking harmful information and data. In case of any violations, besides penalties for the company, the persons directly responsible may face criminal charges and be banned from working in key positions of network security management and network operations. A designated officer or team should conduct security background checks for the personnel responsible for key positions.
More and more companies let their staff attend compliance and security training. An increase in awareness and knowledge among staff in China can be observed. Confidentiality agreements with suppliers and staff, as well as data encryption during storage and transmission, are more and more prevalent. Many of our customers are paying more attention to how their data is secured during transmission and consult us for products that let them better monitor network traffic and control the browsing behaviour of staff.
Since the Law came into force, we have seen the Network Security Department of the Public Security Organs issue a lot of warnings and impose penalties on companies that did not set up security measures to protect user data. Incidents include schools that did not apply security controls to protect student personal information, social media companies that did not require their users to register under their real names, as well as companies whose network products have shown vulnerabilities without any detection mechanism in place.
What does the Cybersecurity Law mean for cross-boundary economic engagement in the Greater Bay Area, particularly for HK-based businesses that operate on the Chinese Mainland?
DK: There are pros and cons in this case depending on what business or sectors the companies are in. Under the Cybersecurity Law MLPS, network service and product providers need to be compliant with the requirements of their defined level, which gives a guarantee for HK-based businesses that need to hire suppliers or purchase network products; they don’t need to invest much effort into auditing or even helping their suppliers set up security standards. Due to the Law’s requirements regarding personnel and staff training on security and compliance, the security consultancy sector has been soaring, providing great business opportunities for related companies in HK.
The other side of the coin is that relatively heavy capital investment is required to achieve good compliance with the law. Small and micro businesses are unable to bear these costs. Large enterprises may also become more cautious in carrying out their business.
For HK companies that have been involved in the setup of critical information infrastructure in the Greater Bay Area, the Cybersecurity Law has stricter requirements. According to Article 37, personal information and data of national importance that is collected and generated by operators of critical information infrastructure within the PRC shall also be stored within PRC territory. In this case, companies may need to consider building or leasing data centres within the PRC to store their data. For data transfers abroad, security assessments shall be conducted in accordance with the measures formulated by the State Network Communications Department and the relevant departments under the State Council.
The Personal Data (Privacy) Ordinance, Cap. 486, provides more detailed requirements and guidance for personal data protection in HK. Companies which are compliant with this law should not find it difficult to comply with such provisions under the Cybersecurity Law – and vice versa.
Lastly, companies must bear in mind that although the Greater Bay Area is within one country and the three governments have issued a lot of favourable measures to support its development, the legal systems and proceedings are vastly different. Legal experts from both sides should be consulted before engaging in a new business or setting foot in a new sector.