New China Cybersecurity law comes with data protection fangs
On June 1, 2017, Chinese consumers and businesses, including financial institutions, will wake up to a more stringent set of rules regarding the creation and use of personal data. The new PRC Cybersecurity Law was passed after a third deliberation, suggesting the extent to which the government sees the importance of the Internet while recognizing the real threat posed by it.
According to Scott Thiel, a partner at DLA Piper, and Carolyn Bigg, Of Counsel at the same law firm, the new law targets online fraud and is intended to protect China against Internet security risks.
It imposes new security and data protection obligations on “network operators”; puts restrictions on transfers of data outside China by “key information infrastructure operators”; and introduces new restrictions on critical network and cybersecurity products.
One of the new provisions requires that personal data and “important data” gathered and produced by “key information infrastructure operators” (KIIOs) during operations in China be kept within the country’s borders. There is provision for such data to leave the country, but only after a security assessment conducted pursuant to measures jointly formulated by the National Cyberspace Administration and the State Council, unless other PRC laws permit the overseas transfer.
This may be nothing new: according to Bigg, organizations operating in many regulated sectors in China are already required to keep certain personal data of their customers within the People's Republic of China ("PRC").
“For example, banks regulated by the China Banking Regulatory Commission (CBRC) must already keep their customers' "personal financial information" within the borders of the PRC and are subject to data breach notification requirements. So the new PRC Cybersecurity Law will in some ways have less practical impact on many within the financial services sector as compared to non-regulated businesses.
“That said, for those regulated businesses who are deemed to be "key information infrastructure operators" under the new law, the data localization rules will now extend to "important data" as well as customers' personal data,” she explained.
Denis Suslov, a consultant at Shanghai-based Kapronasia, noted that multinational financial institutions will be affected because the new rules mean these companies will not be able to move Chinese citizens' data overseas. Another repercussion comes in the form of additional IT staffing requirements for reporting network events to the regulators, which will inevitably mean increased operating costs.
Things get more interesting beyond data localization, though, as the new PRC Cybersecurity Law represents a significant strengthening of the data protection and data security compliance environment in China.
“In particular, the new law introduces, amongst other measures, enhanced security obligations and data breach monitoring and notification requirements, and additional data subject rights. Compliance teams within banks and insurers, therefore, need to understand the implications of the new rules, and ensure that their China compliance programs are duly updated before 1 June 2017,” elaborated Bigg.