作者：陈际红 吴佳蔚 薛泽涵

With the implementation of Cyber Security Law (《网络安全法》, “CSL") on June 1, 2017, the year of 2018 is called as “The First Year of Data Compliance" of China by the Industry. Cyber security and data protection have become focuses of concerns for lawyers and data practitioners throughout the Year. In this regard, we think it is necessary to review the legal environment of cyber security and data protection in China, including the status of legislation and law enforcement, and to provide an outlook of the future of legislation trend, which is of reference value to the data compliance of enterprises.

As the basic legal framework of cyberspace security management of China, CSL has stipulated several related systems. The implementation of those systems requires the legal basis from the supporting laws and regulations of CSL. However, the speed and complete of legislation of these supporting laws and regulations on some important systems are not satisfactory. For example, in terms of data cross-border transfers, the regulating laws and regulations have not yet come into force even after several round of legislative discussions; and for critical information infrastructure security protection systems, the scope and recognition procedures of critical information infrastructure still need to be further clarified.

According to the Report on the Law Enforcement Inspection of Cyber Security Law and Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection by the Law Enforcement Inspection Team of the Standing Committee of the National People’s Congress （《全国人民代表大会常务委员会执法检查组关于检查<中华人民共和国网络安全法><全国人民代表大会常务委员会关于加强网络信息保护的决定>实施情况的报告》）2017, the administrative law enforcement of CSL is still performed by different departments on their own. The Cyberspace administration of China, the authority in charge of telecommunication, the public security authority and other relevant authorities of the State Council all could take charge of protection, supervision and administration of cyber security, which leads to the existence of the problem of unclear power and responsibility and cross law enforcement among aforesaid administrative law enforcement authorities.

From Amendment IX to the Criminal Law (《刑法修正案（九）》), which took effect in November 2015, to the Guidelines for Procuratorial Organs on Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information (《检察机关办理侵犯公民个人信息案件指引》) issued in November 2018, the state has been paying increasing attention to cracking down on criminal cases infringing citizens’ personal information. According to relevant statistics, there is an obvious growth trend in the number of crimes during 2016-2018 involving infringement of citizens’ personal information prosecuted by procuratorial organs.

The enterprises are not entirely immune from the criminal risks of company data. Once a well-reputed large enterprise has loopholes in its management system, it may fall into the criminal trap. Since the criminal risks are too heavy to bear, so the enterprises need to draw a red line in their own compliance system.

China has always been a practitioner and beneficiary of economic globalization, and the correlation between Chinese enterprises and the outside world has become more and more close. Considering that the data legislation of various countries around the world is one after another, many of which have the effect of extraterritorial jurisdiction, the economic development of China, in the process of embracing globalization, has to take into consideration the impact of foreign data legislation on enterprises.

In European Union, General Data Protection Regulation (GDPR) was formally implemented on May 25, 2018. With its long-arm jurisdiction principle and strict legal liabilities, the impact of GDPR on Chinese companies is greater than previously thought.

And in America, with the CLOUD Act of the United States and Foreign Investment Risk Review Modernization Act of 2017 coming into effect gradually, it has increased the strength of the censorship of foreign investment, servers and expanded the ability of U.S. law enforcement authorities to access to global data.

Many countries along the “One Belt and One Road" area have enacted or are drafting data protection laws. According to Russian law, for example, organizers and operators of Internet information dissemination are required to store and process data locally and the receiving country must have the same level of information protection in case of data cross-border transfers.

In 2017 and 2018, National Information Security Standardization Technical Committee formulated a series of national recommended standards for regulating information security technology. This series of standards or guidelines are not national mandatory standards, and the regulatory authorities cannot take this as a direct legal basis for law enforcement as well. However, considering that CSL is a framework legislation, many legal requirements prescribed by it are not very clear. Thus these standards and guidelines are of great importance in guiding and referring to corporate compliance and law enforcement management.

For enterprises, it takes determination to make a complete enterprise data compliance, which means the input of resources and the change of business. Thus, there are four elements in a data compliance project (organization, process, rules and training) and go through three stages (due diligence and gap analysis, risk identification, compliance advice and the implementation and optimization of compliance scheme), which constitute a complete enterprise data protection system construction process.

In 2019, we think:

• The supervision plan for data cross-border transfer will eventually come out. For international enterprises, to build a compliant global IT architecture and design legitimate data localization and cross-border transfer plan are of their priorities. Based on the current information, personal information and important data security assessment will be separated, and the legal scenarios for data exit will be enriched.

• The supporting laws and regulations on the security protection of critical information infrastructure will be promulgated and come into force. Thus, the identification of critical information infrastructure will have its legal basis, and the implementation of cyber security protection obligations of network operators will be further strengthened;

• Multi-level Protection Scheme (“MLPS") 2.0 system will be implemented and the public security organs will further strengthen the management and implementation of inspection on MLPS;

• The administrative law enforcement is still active in various competent authorities, and the protection of personal information, the implementation of MLPS and the supervision of data cross-border transfer will become their focuses. The amount of criminal cases related to personal information and cyber security will continue to grow rapidly;

•  After the implementation of general laws, various industry sectors, especially sensitive industries such as finance and medical and health care, will draft detailed legislation and conduct law enforcement within the industry;

• Data compliance will become a commonly accepted concept for enterprises, and the concept of data compliance will be further promoted from single compliance to data asset management.

Read More