New security-related developments in China signal the continuing challenges for companies seeking to do business globally. The People’s Republic of China’s “Cybersecurity Law” came into force on June 1, 2017. The law is expected to have a significant impact on multinational companies doing businesses in China including imposing new security requirements, data localization, new certifications or adherence to localized security standards and monetary penalties for non-compliance.
Highlights of the Cybersecurity Law
- New Network Security Requirements: “Network operators” (a broadly and vaguely defined term) must provide internal security management systems that meet the requirements of a “graded protection system for cybersecurity” (to be specified in further implementation measures).
- Data Localization (More than Just “Personal Information”): Personal information or important data collected or produced by “key information infrastructure operators” (also vaguely defined) during their operations in China should be kept within China or be assessed (according to further specified implementation measures) before being transmitted abroad.
- Pre-Sale Security Requirements for Network Products: Prior to being sold or produced in the Chinese market, network products and services will be required to meet mandatory requirements under national standards, or to obtain a government certification. For network products or services having user-data-gathering function, users’ prior consent to such function shall be obtained.
The law also imposes penalties for noncompliance with these new requirements. Depending on the nature of noncompliance, they include a warning, payment of fines (ranging from RMB 10,000 to RMB 1,000,000 (US$15,000 to US$150,000) depending on the nature of noncompliance), suspension of businesses, shutting down of websites, confiscation of income, and even cancellation of business licenses. So businesses that do not address the requirements face real risks to their ability to do business in the PRC.