Client Alert on Cybersecurity Law
I. Legislative Activities
The Cyber Security Law (“CSL”), which came into effect on 1 June 2017, leaves certain important issues to its implementing rules. In the last two months, there has been intensive legislative activity regarding cross-border data transfer, cyber security products and services, CII security protection, etc.
Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (Draft)
On 27 May 2017, the National Information Security Standardization Technical Committee of China released the Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (Draft) (in Chinese “《信息安全技术 数据出境安全评估指南（草案）》”) (the “Guidelines”). The Guidelines apply to Network Operators conducting security assessments of cross-border transfers of personal information and important data, and set forth the procedures, principal assessment concerns, and methods for cross-border data transfer security assessments.
The Catalog of Critical Network Equipment and Specialized Cybersecurity Products (First Batch)
On 1 June 2017, the Ministry of Industry and Information Technology, Ministry of Public Security, Certification and Accreditation Administration and Cyberspace Administration of China jointly released the Announcement on Releasing the Catalog of Critical Network Equipment and Specialized Cybersecurity Products (First Batch) (in Chinese “《网络关键设备和网络安全专用产品目录（第一批）》”) (the “Catalog”). The Catalog identifies equipment and products that are subject to mandatory cybersecurity review under CSL. It is reasonably expected that further equipment and products will be added to the list going forward.
The Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft)
On 10 July 2017, the Cyberspace Administration of China (“CAC”) released the Critical Information Infrastructure Security Protection Regulations (Opinion-seeking Draft) (in Chinese “《关键信息基础设施安全保护条例(征求意见稿)》”) (“CII Protection Regulation”) for public comments. As one of the most important implementing rules under CSL, the CII Protection Regulation further specifies the scope of critical information infrastructure, the powers and responsibilities of relevant administrative authorities, and the regulatory obligations of CII operators.
II. Law Enforcement Cases
The CSL implementing rules are being released at a fast pace. In the meantime, law enforcement agencies reportedly are actively enforcing the CSL and related laws.
Tech company in Shantou City of Guangdong was warned for failing to perform cybersecurity stratified protection obligations according to CSL.
On 20 July 2017, a tech company in Shantou City of Guangdong province was found not to be regularly conducting evaluations of the security grade status of its information system, in violation of Article 14.1 of the Administrative Measures for Hierarchical Protection of Information Security (in Chinese “《信息安全等级保护管理办法》”) and Article 21 of CSL. The company was warned and ordered to make corrections by Shantou Internet police pursuant to Article 59 of CSL.
Website operator in Sichuan was fined for failing to perform cybersecurity protection obligations.
On 22 July 2017, a website in Sichuan province was found not to be performing its cybersecurity protection obligations under CSL, including setting up a cybersecurity stratified protection system and formulating contingency plans for cybersecurity incidents. The company that operates the website and its legal representative were each fined by the local Internet police for this non-compliance.
Tech company in Chongqing was warned for failing to retain user login records according to CSL.
On 1 August 2017, the Chongqing Internet police, during a routine law enforcement inspection, found that a company had failed to retain user login data pursuant to CSL while providing internet data center services. Pursuant to the relevant provisions under CSL, the company was warned and ordered to rectify its practice within 15 days.
Chinese Internet authorities investigate Internet giants for violation of CSL.
On 11 August 2017, Chinese Internet authorities opened cases to investigate three social media platforms -- Tencent WeChat, Sina Weibo and Baidu Tieba -- which are suspected of violating the CSL by failing to stop illegal Internet content from being published and disseminated on their platforms.
BOSS Zhipin was warned for failing to perform security management obligations according to CSL.
On 11 August 2017, BOSS Zhipin was found to have provided information publication services to users who did not provide authentic identity information, in violation of Article 24 of CSL. In addition, BOSS Zhipin did not fulfill its security management obligations, resulting in malicious information being spread through the network, which violated Article 47 of CSL. BOSS Zhipin was ordered to strengthen the management of information released by its users, require users to provide authentic identity information, and clear up the malicious information in accordance with Articles 61 and 68 of CSL.
Five website operators were warned for failing to perform cybersecurity obligations according to CSL.
On 17 August 2017, Zhejiang Cyberspace Administration found that: (a) some stores on Taobao were selling tools that could destroy information systems, banned or controlled items, illegal VPN articles, and network accounts; (b) there was malicious information on the Tonghuashun Finance website (http://data.10jqka.com.cn) and the Peiyinxiu website (http://peiyinxiu.com); (c) there were some illegally registered accounts on Mogujie (http://www.mogujie.com) and the Xiami website (http://xiami.com). These five website operators did not fulfill their responsibilities to manage the content released by their users. They were ordered to make corrections pursuant to CSL, the Administrative Measures for Internet Information Services (in Chinese “《互联网信息服务管理办法》”), and the Administrative Provisions on the Account Names of Internet Users (in Chinese “《互联网用户账号名称管理规定》”), etc.
Huarui company in Suqian City of Jiangsu province was warned under CSL for accessing illegal websites.
The company in Suqian was found accessing illegal websites while providing network services, in violation of Article 47 of CSL. The company was warned and ordered to rectify its practice by Suqian Internet police according to Article 68 of CSL.
A public institution in Xinzhou of Shanxi Province was warned under CSL for SQL injection vulnerabilities.
The public institution was continuously notified by the Network and Information Security Information Reporting Center of China that its website contained SQL injection vulnerabilities and a loophole through which attackers could directly access the database, seriously threatening network security. After conducting an on-site inspection, the relevant Internet police warned the public institution and ordered it to correct its practice pursuant to Article 21 and Article 59 of CSL.
Under CSL, personal information and important data collected and generated by CII operators during their operations within the territory of the People’s Republic of China shall be stored within China. Some companies have taken the first step towards data localization in China.
Apple is going to locate its data center in Guizhou in cooperation with the Guizhou provincial government.
On 12 July 2017, Apple Inc. executed an agreement with the Guizhou provincial government and decided to locate its new data center in Guian New Area, Guiyang, the capital of Guizhou province in southwest China. The new data center will be operated by Guizhou-Cloud Big Data Industry Co., Ltd. Apple will establish a company in Guizhou to help build this data center and offer technological support.