At this point, the Draft Cybersecurity Law has not yet been finalized. The draft contains, however, a number of provisions that are significant, insofar as they reveal underlying assumptions and priorities that govern the development and promotion of cybersecurity in China. If even a handful of these provisions make their way into the final version, the law could prove itself to be consequential.
One such provision is expressed in a number of clauses that firmly and clearly establish the government’s leading role in the furtherance of cybersecurity. In the Draft Cybersecurity Law, certain relevant private firms are referred to as “network operators” and “operators of key information infrastructure.” Regardless of their technological resources and practical experience, these operators are required by the Draft Cybersecurity Law to support and cooperate with the government’s leading role in the furtherance of cybersecurity, rather than exercising a leading role of their own.
Another striking provision is one that would allow government bodies at certain levels to adopt measures to restrict the transmission of information over the Internet in places where public safety “incidents” (referred to somewhat euphemistically as “社会安全事件”) have erupted. This may be done to preserve national security and public social order. It may become difficult to use the Internet to contact someone who is in a place where such an “incident” has recently occurred. In practice, in areas affected by a “public safety incident,” short messaging services are already usually restricted, and incoming and outgoing telephone calls are strictly supervised.
The Draft Cybersecurity Law also includes a provision that pushes China towards a policy of data localization. Pursuant to this provision, important data (such as the personal information of citizens) must be stored within the territory of the People’s Republic of China. Notably, the restriction appears to be limited and would apply only to operators of key information infrastructure, largely enterprises in heavily licensed and regulated industries such as providers of basic and value-added telecommunications services, energy, utilities and health care services. The provision also appears to allow for cross-border transfers even by operators of key information infrastructure when there is an operational requirement for the transfer, as long as a security assessment has been conducted. The precise requirements of the security assessment, however, are not spelled out in the Draft Cybersecurity Law.
There are many other significant provisions in this potentially impactful draft law, including some that reiterate rules for the handling of personal data by requiring network operators to observe strict confidentiality and to not disclose, falsify, destroy, sell or illegally provide personal information of citizens which they have collected. Another provision requires network operators who collect personal information to do so only in a lawful and proper manner, to collect only what is necessary, to clearly state the purposes, method and scope of the collection and to obtain the consent of the data subject. Many of these provisions overlap with some of the requirements on the handling of “electronic personal information” imposed by the December 2012 Resolutions.