16 Jul 2015

Draft of Cyber Security Law Released

On 6 July 2015, the Standing Committee of the National People’s Congress (“SCNPC”) released the Cyber Security Law (Draft) (“Draft”) for public comment. Cyber security legislation has recently become a focus of the PRC government, with provisions on cyber security being incorporated into the National Security Law, the Anti-Terrorism law (Draft) as well as other laws and regulations. Following closely this legislative trend, the Draft more systematically regulates cyber security issues and is likely to significantly impact the development of the Internet industry in China. The main content of the Draft is summarized below.

I. Cyber Security Interests And Main Threats

Article 1 of the Draft stipulates that cyber security interests include the following three items, and the legislative objective of the Draft is to protect such interests:

• National sovereignty in cyberspace and national security;
• The public interest of the society; and
• Legitimate rights and interests of citizens, legal entities and other organizations.

The Explanation of the Cyber Security Law (Draft) released along with the Draft explains that the Draft focuses on regulating the three main threats to such rights and interests, namely:

• Network invasion and attack;
• Illegal acquisition and abuse of citizens’ information; and
• Distribution of harmful information.

II. Application Scope of the Cyber Security Law

Article 2 of the Draft stipulates that the Draft applies to the construction, operation, maintenance and use of networks, and the supervision and administration of cyber security within the PRC territory. Against the backdrop of the boom of Mobile Internet, the Draft defines the “network” as the network and system consisting of computers or other information terminals and relevant equipment which collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures. Therefore, the Cyber Security Law shall apply to activities relating to the construction, operation, maintenance and use of the Internet within the territory of the PRC.

III. The Responsibilities Of Each Party

The Draft clearly stipulates the duties and responsibilities of the three main groups that participate in the activities related to the Internet, i.e., supervisors, users and operators:

i. Supervisors

Article 6 of the Draft stipulates that the national cyberspace administration authority is responsible for the coordination of cyber security work and the relevant supervision and administration work, while the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MPS”) and other relevant government departments shall be in charge of the protection and supervision of cyber security within their respective scopes of authority.

Currently, the national cyberspace administration authority consists of the Office of the Central Leading Group of Cyberspace Affairs and Cyberspace Administration of China. Such authority will be the coordinating authority for cyber security in the future, while the MIIT, the MPS, the Ministry of State Securities and relevant ministries and committees will be responsible for cyber security in their own fields.

ii. Users

As for Internet users, the Draft expressly forbids conducting activities related to the three main threats to cyber security, namely:

• Cyber invasion and attack (Article 22);
• Illegal acquisition and abuse of citizens’ information (Article 38); and
• Distribution of harmful information (Article 9).

In the meantime, Article 10 of the Draft stipulates that users have right to report activities that impair cyber security to the relevant cyber security supervisors.

iii. Operators

In the Draft, the definition of network operator (“Network Operators”) is broad enough to include: the owners of network, administrators of network, and service providers who provide relevant services through networks owned or managed by others, including basic telecommunication operators, network information service providers, and important information system operators.

In view of the central role the Network Operator plays in cyber security, the Draft specifies and elaborates on the responsibilities of the Network Operator, which mainly include:

• Responsibility for safeguarding products and services (Article 18): the Network Operators shall not install malware in products and shall inform customers of such risks as security defects and bugs in a timely manner, provide constant security maintenance services and so on;

• Responsibility for maintaining the operation of the network (Article 17): the Network Operators shall adopt relevant administrative measures and technical protection measures in accordance with requirements for classified cyber security protection;

• Responsibility for maintaining data security: abiding by network systems for identity administration, i.e. network real name systems (Article 20); preventing the distribution of unlawful and harmful information (Article 40); prohibiting the release of unlawful information (Article 41); and assisting with the investigation of unlawful activities (Article 23) and so on.

Apart from the abovementioned regulations targeting the overall Network Operators, the Draft strengthens cyber security protection by additionally stipulating many responsibilities for the Network Operators of key information infrastructure, such as the networks related to the energy, transportation, water conservation, finance, power supply, water supply, gas supply and healthcare industries, and social security, military, government organizations and networks with numerous users.

Currently, the Draft is in the process of legislation, and has been initially reviewed by the fifth session of twelfth SCNPC. The Draft is released for public comment between 6 July 2015 and 5 August 2015. Given that the PRC government is putting significant emphasis on the legislation of cyber security, it is predicted that the Draft will be fast-tracked for comments and revision, second or third reviews, and discussion and approval by voting. We would recommend and advise Network Operators to plan ahead by paying close attention to the influence the Draft will have on their business, and be fully prepared for the formal implementation of the Draft.