shutterstock_196544378Cross Posted from Carpe Datum Law.

China has finalized a broad new Cyber Security Law, its first comprehensive data privacy and security regulation.  It addresses specific privacy rights previously adopted in the European Union and elsewhere such as access, data retention, breach notification, mobile privacy, online fraud and protection of minors.

There is plenty in the new law to irritate international businesses operating in China.  It requires in general that Chinese citizens’ data be stored only in China, for starters, possibly requiring global corporations to maintain separate IT systems for Chinese data.  Most of the privacy enhancements benefiting citizens align with those required in the European Union, but it is unclear how the Chinese will expect compliance, particularly since, as with many Chinese laws, its language is vague as to its scope, application and details.  This vagueness leaves interpretation to the State Council, the chief administrative authority in China, headed by Premier Li Keqiang.

The law expands Chinese authorities’ power to investigate even within a corporation’s Chinese data systems, and provides for draconian penalties for non-compliance by business entities or responsible individuals  include warnings, rectification orders, fines, confiscation of illegal gains, suspension of business operations or the revocation of the entity’s business license.

China’s Cyber Security Law goes into effect June 2017.  This leaves precious little time for international organizations operating in China to come into compliance, particularly in cases where companies currently maintain their Chinese data in software from the West, which may not be deemed “secure and trusted” by Chinese authorities come June.  Microsoft and other non-Chinese hardware and software providers must decide whether to share their architecture and source code with the Chinese authorities, and risk their secrets being leaked to Chinese competitors.  Michael Clauss, Germany’s Ambassador to China, was quoted in the Economist that he worries that “security rules might be used to pursue other aims,” including industrial policy favoring Chinese companies.  Foreign companies not deemed to maintain state-approved data systems will need to migrate their Chinese personal data into compliant repositories and workflows in just a little over seven months.

Chinese authorities will not only oversee the hardware and software holding the data of foreign companies, but it can look inside at the data.  The law allows for rapid and intrusive response by the state authorities, who can require network operators to provide assistance and support to accommodate national security and criminal investigation needs — without specifying any limit on those powers. An Economist article referred the new law as “a techno-nationalist Trojan horse.”

For e-discovery, collection of personal data will be more regulated.  The Harvard International Law Journal’s executive editor Christopher Mirasola in reported the law provides substantial individual protections by restricting the amount of personally identifiable information that can be collected, limiting how it can be transferred and giving an individual the right to request information be deleted if mishandled.

“We don’t want to see barriers put up,” said Bruce Andrews, Deputy Secretary of the US Department of Commerce, quoted in Bloomberg.  “Cross-border data flow has become increasingly important to trade and to companies in the way they operate every day.”  The Wall Street Journal quoted a spokesperson for the Cybersecurity Administration of China; who dismissed foreign concerns that Chinese demands for “secure and reliable” or “secure and controllable” technologies could exclude foreign products.  “Whenever we bring up secure and reliable…some of our friends, especially our foreign friends, their heads swell up.  They see it as synonymous with trade barriers,” said Zhao Zeliang, the CAC spokesman.  “This is a misunderstanding, a biased view.”