China’s New Cybersecurity Law Poses Significant Challenges to Companies
China’s controversial Cybersecurity Law came into force on June 1, 2017, bringing uncertainty to companies. The law requires enterprises to store data in servers within China, not offshore, and to get consent before collecting and sharing personal data.
“Companies need to be fully up to speed with [the law’s] requirements, especially network operators managing data,” says Han Lai, the China Country Manager for digital forensics and eDiscovery specialist KrolLDiscovery in Shanghai. “Up until now, its rules have not been clearly defined or regularly enforced, but this new law is looking to change that.”
Most of the law’s provisions apply to entities newly defined as “Key Information Infrastructure Operators” or KIIOs – companies that possess data considered critical to China’s security. They typically belong to industries such as financial services, transportation, healthcare, utilities and telecommunications.
These KIIOs must make sure that the “personal information” and “important data” of Chinese citizens are stored on servers within China. A company can ask to be exempted, but must undergo a security assessment.
“This will affect the majority of foreign companies that operate in China, in particular those which use their global infrastructure and IT resources to operate their business in China, as the original data collected, including business data and customer data within China, will typically be stored directly in the data centres or servers physically located overseas,” says Lai.
“For example, many global companies are still using email servers located outside China for their China operations. Companies need to start thinking and planning ahead to restructure their infrastructure to be in line with the new law.”
Chinese authorities have made clear that unauthorized collection, disclosure and receipt of “citizen’s personal information” now constitutes a criminal offense under the PRC Criminal Law.
The range of sanctions will take into account the degree of harm, amount of illegal gains and repeat offenses, among other things, and include fines of up to five times the amount of any illegal gains.
Companies in China should know that: