Annual Reviews on Cyber Security Law 2018
Authors: 陈际红, 吴佳蔚, 薛泽涵
With the implementation of the Cyber Security Law (《网络安全法》, “CSL”) on June 1, 2017, the industry has called 2018 “The First Year of Data Compliance” in China. Cyber security and data protection were a focus of concern for lawyers and data practitioners throughout the year. We therefore think it necessary to review the legal environment of cyber security and data protection in China, including the status of legislation and law enforcement, and to provide an outlook on future legislative trends, which is of reference value for the data compliance of enterprises.
I. The Supporting Regulations are Widely Anticipated but still Unborn
As the basic legal framework for cyberspace security management in China, the CSL establishes several related systems. Implementing those systems requires a legal basis in the CSL's supporting laws and regulations. However, the speed and completeness of legislation on the supporting laws and regulations for some important systems are not satisfactory. For example, for cross-border data transfers, the governing laws and regulations have not yet come into force even after several rounds of legislative discussion; and for the critical information infrastructure security protection system, the scope of critical information infrastructure and the procedures for recognizing it still need to be further clarified.
For further information on the development of the relevant laws, regulations and normative documents supporting the Cyber Security Law, you can read our Review on the Supporting Laws, Regulations and Normative Documents of Cyber Security Law.
II. The Administrative Law Enforcement of CSL is still Performed by Different Departments on their own
According to the Report on the Law Enforcement Inspection of Cyber Security Law and Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection by the Law Enforcement Inspection Team of the Standing Committee of the National People’s Congress (《全国人民代表大会常务委员会执法检查组关于检查<中华人民共和国网络安全法><全国人民代表大会常务委员会关于加强网络信息保护的决定>实施情况的报告》) 2017, the administrative law enforcement of the CSL is still performed by different departments on their own. The Cyberspace Administration of China, the authority in charge of telecommunications, the public security authority and other relevant authorities of the State Council can all take charge of the protection, supervision and administration of cyber security, which leads to unclear powers and responsibilities and overlapping law enforcement among these administrative law enforcement authorities.
III. Criminal Risk is Similar to the Sword of Damocles
From Amendment IX to the Criminal Law (《刑法修正案(九)》), which took effect in November 2015, to the Guidelines for Procuratorial Organs on Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information (《检察机关办理侵犯公民个人信息案件指引》) issued in November 2018, the state has been paying increasing attention to cracking down on criminal cases infringing citizens’ personal information. According to relevant statistics, the number of crimes involving infringement of citizens’ personal information prosecuted by procuratorial organs showed an obvious growth trend during 2016-2018.
Enterprises are not entirely immune from the criminal risks associated with company data. Once a reputable large enterprise has loopholes in its management system, it may fall into a criminal trap. Since the criminal risks are too heavy to bear, enterprises need to draw a red line in their own compliance systems.
For more detailed information on the enforcement actions and cases carried out by Chinese authorities under the Cyber Security Law and its supporting regulations, including administrative law enforcement and criminal crackdowns, you can read the Report on Cyber Security Law Enforcement Cases 2018.
IV. The Influence of Foreign Legislation on Chinese Enterprises cannot be Ignored
China has always been a practitioner and beneficiary of economic globalization, and the ties between Chinese enterprises and the outside world have become closer and closer. Countries around the world are enacting data legislation one after another, much of it with extraterritorial jurisdiction, so China’s economic development, in the process of embracing globalization, has to take into consideration the impact of foreign data legislation on enterprises.
In the European Union, the General Data Protection Regulation (GDPR) was formally implemented on May 25, 2018. With its long-arm jurisdiction principle and strict legal liabilities, the impact of the GDPR on Chinese companies is greater than previously thought.
In America, the CLOUD Act of the United States and the Foreign Investment Risk Review Modernization Act of 2017 are gradually coming into effect, which has strengthened the review of foreign investment and servers and expanded the ability of U.S. law enforcement authorities to access global data.
Many countries along the “One Belt and One Road” area have enacted or are drafting data protection laws. Under Russian law, for example, organizers and operators of Internet information dissemination are required to store and process data locally, and in the case of cross-border data transfers the receiving country must have the same level of information protection.
V. Standards and Guidelines - Guiding the Data Compliance for Enterprises
In 2017 and 2018, the National Information Security Standardization Technical Committee formulated a series of recommended national standards regulating information security technology. These standards and guidelines are not mandatory national standards, and the regulatory authorities cannot use them as a direct legal basis for law enforcement either. However, because the CSL is framework legislation, many of the legal requirements it prescribes are not very clear. These standards and guidelines are therefore of great importance as guidance and reference for corporate compliance and law enforcement management.
VI. Compliance is the Key
For enterprises, achieving complete data compliance takes determination, as it means an input of resources and changes to the business. A data compliance project has four elements (organization, process, rules and training) and goes through three stages (due diligence and gap analysis, risk identification, compliance advice and the implementation and optimization of compliance scheme), which together constitute a complete process for building an enterprise data protection system.
VII. Outlook for 2019
In 2019, we think:
The supervision plan for cross-border data transfer will eventually come out. For international enterprises, building a compliant global IT architecture and designing legitimate data localization and cross-border transfer plans are among their priorities. Based on current information, the security assessments for personal information and for important data will be separated, and the legal scenarios for data exit will be enriched;
The supporting laws and regulations on the security protection of critical information infrastructure will be promulgated and come into force. The identification of critical information infrastructure will thus have a legal basis, and the implementation of the cyber security protection obligations of network operators will be further strengthened;
The Multi-level Protection Scheme (“MLPS”) 2.0 system will be implemented, and the public security organs will further strengthen the management of MLPS and the inspection of its implementation;
Administrative law enforcement by the various competent authorities will remain active, and the protection of personal information, the implementation of MLPS and the supervision of cross-border data transfer will become their focuses. The number of criminal cases related to personal information and cyber security will continue to grow rapidly;
After the implementation of the general laws, various industry sectors, especially sensitive industries such as finance and medical and health care, will draft detailed legislation and conduct law enforcement within the industry;
Data compliance will become a commonly accepted concept for enterprises, and the concept of data compliance will be further promoted from single compliance to data asset management.
Read More
1. Review on the Supporting Laws, Regulations and Normative Documents of Cyber Security Law
2. Report on Cyber Security Law Enforcement Cases 2018
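Special statement:
The article published above represents only the personal views of the authors and does not represent any form of legal opinion or advice issued by Zhong Lun Law Firm (北京市中伦律师事务所) or its lawyers.
To reprint or quote any content of this article, please send a private message to arrange authorization, and state at the beginning of the reprinted article that it comes from the public account “中伦视界”, together with the authors' names. Without the written authorization of the firm, no content of this article, including pictures, video and other audiovisual materials, may be reprinted or used. If you would like to further exchange views or discuss the relevant topics, you are welcome to contact the firm.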
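About the authors:
陈际红, Lawyer
Partner, Beijing Office
Practice areas: intellectual property; antitrust and competition law; technology, telecommunications and internet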
吴佳蔚, Lawyer
Beijing Office, Intellectual Property Department
薛泽涵, Lawyer
Beijing Office, Intellectual Property Department