Progress, Pauses, and Power Shifts in China’s Cybersecurity Law Regime

China’s Cybersecurity Law (CSL) has a remarkably wide reach in Chinese society, serving as the centerpiece of perhaps the most comprehensive cyberspace governance regime in the world. Still, more than a year after official implementation on June 1, 2017, a great deal of the regulatory and standards-setting work needed to give the law true force remains incomplete.

In policy areas including data localization, “critical information infrastructure” (CII) protection, and security reviews for “critical network equipment and specialized cybersecurity products,” the CSL regime remains a work in progress. Personal information protection policies stand out as further along than others, but there is still more to do.

Passage of the CSL in November 2016 should therefore be seen not as an end result but as a major milestone in the broader “cybersecurity and informatization” push that the Xi Jinping leadership embarked on in 2014. The law enshrined high-level concepts and formulations, addressed turf battles among government offices, and put domestic and foreign stakeholders on notice that a broad definition of cybersecurity was a top Chinese government priority.

Amidst delays, top leaders appear to be demanding progress. In April, Xi personally chaired a national work conference on cybersecurity and informatization, where he gave a speech (coverage translated by DigiChina) that reiterated the Party’s commitment to cybersecurity regulation and digital-driven development while clarifying some bureaucratic roles in the sector.

Moreover, the international circumstances China faces have changed considerably. The events surrounding the Chinese telecommunications equipment supplier ZTE and the escalating trade and investment confrontation with the United States have convinced Chinese officials that cybersecurity and technological development require strong and sustained attention. (Late last week the U.S. Commerce Department lifted a denial order on ZTE, which had prevented the company from purchasing hardware and software from U.S. suppliers.)

As regulatory and standards-setting efforts unfold with renewed vigor, several key areas of regulation have reached significant milestones, and others have run into bureaucratic and technical challenges.

Data Localization Rules Stall After U.S.- and Japanese-Led Pressure Campaign

The CSL explicitly requires certain types of data to be stored within mainland China, and it sets up conditions for transferring some types of data abroad. Two major draft regulatory documents released last year raised the specter of pervasive limits on cross-border transfer of data out of China. The draft documents—“Measures”  and “Guidelines” on security reviews required for outbound transfer of “personal information” and “important data”—generated intense debate and international opposition.

Beginning in October 2017, the United States and Japan led a multilateral campaign against these draft rules at the WTO Council for Trade in Services, requesting that China refrain from issuing or implementing final measures until concerns were addressed and the draft regulations were fully consistent with the WTO General Agreement on Trade in Services. Under pressure from a broad coalition of trading partners, authorities suspended development of the Measures before U.S. President Donald Trump’s November 2017 China visit, and they postponed work on the Guidelines in April 2018.

Though the final resolution is uncertain, and the reviews for outbound data transfer are not slated to go into effect until the end of 2018, there are signs that restrictions may tighten rather than loosen compared with earlier drafts. The April Big Data Security Standardization White Paper 2018 included language that, if made binding, would expand the scope of checks on outbound data transfers to include datasets covering 500,000 people’s data overall, rather than 500,000 per year.

Once the review regime for outbound data transfers is complete, companies will have a process to follow to move data in an approved way, including through internal assessments or hiring outside reviewers, according to the draft Measures. Regardless, for “personal information and important data” produced by operators of “critical information infrastructure” (see below), there remains a requirement to at minimum store a copy of the data in mainland China.

Review Regimes Head Toward Greater Coordination

The CSL establishes requirements for a regime to review “critical network equipment and specialized cybersecurity products” for security. In June, China’s top certification organization, the Certification and Accreditation Administration of China (CNCA) announced 22 organizations in two lists as responsible for testing and certification in these areas. For the most part, these organizations are the designated testing or certification bodies in existing processes: for network access licenses under the Ministry of Industry and Information Technology (MIIT), for sales licenses or information security products under the Ministry of Public Security (MPS), etc. The approved bodies include a range of organizations with significant technical chops and experience reviewing foreign equipment.

A new name on the list comes in the form of the newly renamed China Cybersecurity Review Technology and Certification Center (CCRTCC), whose director Wei Hao has played a public role in explaining the review process. Wei has said that review and certification efforts should be integrated to prevent duplication between existing processes and the new regime called for in the CSL, according to a WeChat post by the Critical Information Infrastructure Technology Innovation Alliance. In that post, Wei further described a national “data security review and certification system,” and he separately described CCRTCC’s responsibilities as covering “important IT products and services, Party and government cloud services, big data, etc."

Wei described the issuing of a catalog of “critical network equipment and specialized cybersecurity products” last year as the beginning of implementation of a national cybersecurity review system, and suggested that much more work needs to be done to clarify responsibilities and develop the new, more unified system.

‘Critical Information Infrastructure’ (CII) Rules Vague in Early Drafts, but More Details Expected

Under the CSL, operators of information systems in a broad and only partially defined array of sectors designated as “critical information infrastructure” (CII) may only purchase network products and services that have passed national security reviews that at present are set forth in trial measures. So far the national security review panel has approved six cloud platforms, all of which are operated by Chinese companies.

What sectors are to be covered by these rules remains unclear. In July 2017, the CAC published draft CII Security Protection Regulations for comment. That draft suggested a broad definition of CII, covering many sectors, but raised more questions than answers because it was not comprehensive. In a November 2017 meeting with global industry stakeholders, CAC Cybersecurity Coordination Department Director General Zhao Zeliang said he believed the scope of CII should be narrow, applying only to a small fraction of all information systems. Still, CAC would not set a deadline to finalize the definition of CII. An updated version of the draft regulations is expected in the coming weeks or months.

Advantage CAC in Jurisdiction Overlap with Ministry of Public Security

Even six months after CSL implementation, major questions remained regarding overlapping jurisdiction. (See DigiChina’s earlier outline of six emerging systems.) The law set forth a new system for protecting CII, but it also reaffirmed an existing and inescapably overlapping system run by the MPS—the Multi-Level Protection Scheme (MLPS).

According to industry sources, MPS has been advocating that CAC repurpose the MLPS’ cybersecurity requirements, rather than establishing a parallel regime for CII. CAC has insisted that its new system would not “conflict with, duplicate, modify, or lower the requirements set forth by the MLPS Baseline Requirements Standard.”

Recent events suggest CAC’s authority is increasingly clear in this area. On June 27 the MPS released the draft Cybersecurity Multi-Level Protection Regulation (MLPS 2.0 for short), an upgraded replacement of the original 2007 MLPS measures. The new document assigns primary regulatory leadership to the Central Commission for Cybersecurity and Informatization, CAC’s recently elevated parent, seating it above MPS, which is designated a “competent authority.” This proposed language suggests CAC will have the upper hand in settling divergent views regarding the boundary between rules for CII and the evolving MLPS.

Substantively, the draft MLPS 2.0 document would potentially cover companies that did not previously fall under the scope of MLPS by expanding the scheme to cover all network operators rather than just key industry systems or government agencies. In addition, it lowers the threshold for Level 3 status in the graded ranking, a level where requirements including enhanced monitoring by the MPS, third-party certification, and annual reviews kick in. There is an apparent shift toward more audits rather than self-reporting by companies.

Protecting Personal Data a Particular Priority

There has been an increasing emphasis on how personal information (PI) is managed in the year since the CSL took effect. The government has issued its first standard with granular rules for how personal data is collected, used, processed, and shared—the Personal Information Security Specification. The standard, though officially nonbinding, has already been cited by authorities targeting violations by major companies, including the Alibaba-linked Ant Financial.

The banking industry became the rare sector to issue its own guidelines for data governance in March. A statement by the China Banking Regulatory Commission linked the need for such measures to the massive amounts of client data now involved in core functions of financial institutions. Even the new MLPS 2.0 regime now stresses the importance of PI protection with seven separate articles addressing network operators who illegally leak, sell, or share PI without authorization.

Together these developments underscore a growing recognition that China needs some framework for personal data as part of the broader effort to govern China’s digital economy and address citizen concerns about privacy.

Yet, implementation and enforcement of new PI rules is likely to be somewhat ad hoc and subject to political jockeying, because there is still much debate around data ownership, privacy, and the development of emerging technologies like AI. This debate was on display recently at the Global Mobile Internet Conference in Beijing, where Chinese and foreign experts held a roundtable devoted to “the contradiction between data sharing and privacy protection.”

These and other developments in Chinese cyberspace and digital economy regulation represent a broad effort to manage the challenges and opportunities posed by digital technologies, a task that will never be fully complete. New America’s collaborative DigiChina project, now more than a year old, will continue to monitor trends, controversies, and key texts in this crucial area of governance for China and the world.