The impossibility of compliance?
China’s much-anticipated Cyber Security Law (CSL) finally came into effect on 1st June, 2017. While technology companies have long felt pressure stemming from China’s national security concerns, the CSL actually impacts a wide swath of industries. Carly Ramsey, regulatory risk specialist, and Ben Wootliff, head of cybersecurity, Asia, for Control Risks, explain that the move by China to beef up its laws and regulations governing cyber activity is leaving companies unsure as to how they can comply with this vague and potentially onerous law.
Who will be captured by this law?
It is very likely that many multinational companies (MNCs) will feel the heat. The brunt of the CSL currently falls on “critical information infrastructure” (CII) operators. The broad definition of CII encompasses not only traditional critical industries such as power, transport and finance, but also other infrastructure that could, as outlined in the law, harm “people’s livelihoods”. This means that any foreign company that is a key supplier to a ‘critical’ sector, as well as any company that holds significant amounts of information on Chinese citizens, could become a prime target for regulators seeking to enforce the CSL.
The lack of clarity in the definition of CII is significant because of the potential obligations for these companies, for example, localising data to China and undergoing intrusive onsite inspections of cybersecurity systems and procedures. Certain technologies must pass a “national security review” to ensure they cannot be illegally controlled or interfered with before CII operators are able to use them. The CSL gives broad authority to the Cyberspace Administration of China, China’s powerful cyberspace watchdog, and other industry regulators to conduct these reviews.
What is covered by the law?
There is a particular focus on “personal information” and “important data”, both of which are vaguely defined. This is significant as network and CII operators will be required to localise this information to China, and a security self-assessment or approval from the relevant regulator will be required before transferring this data abroad.
Under the CSL, personal information is defined as information that, taken alone or with other data, is sufficient to ascertain an individual’s identity, including birth dates, phone numbers, addresses and identity card numbers. Other personal information guidelines indicate that regulators consider political, religious and genetic information to be sensitive. Similar to the State Secrets Law, the definition of ‘important data’ is extremely vague; it is described as data closely related to national security, economic development and social public interests. Regulators will likely focus on whether companies have any data that could contradict official numbers, such as industry or population health statistics.
What are the risks for MNCs?
The sheer scope of the CSL is mind-boggling. And, as mentioned, it is also extremely vague. This means that it is currently impossible to be ‘compliant’ in any definitive sense, so companies will need to focus on how the CSL will actually be enforced by regulators. From a resource perspective, regulators will need to prioritise certain sectors, aspects and companies over others, with those priorities changing over time. Moreover, the presence of multiple industry regulators will result in patchy interpretation, conflicting signals and unpredictable enforcement.
Overall, MNCs are experiencing increasingly active and often aggressive regulatory enforcement in China across several areas, including pricing, corruption and product quality. These enforcement actions are a result of China’s increasingly sophisticated bureaucracy, industrial policies that aim to reshape the market, and geopolitical disputes. While the CSL will certainly be applied for legitimate cybersecurity concerns, including protecting key domestic infrastructure from internal and external cyber-attacks, foreign companies need to be aware that the CSL will be another tool in the enforcement toolbox and could be used for reasons only tangential to cybersecurity.
Companies should also be aware that the CSL potentially gives the government the legal ability to obtain intellectual property and a view into an organisation’s cyber gaps and vulnerabilities, for example through onsite inspections and the national security review. The operational costs and risks of localising data to China are likely to be significant for most MNCs, particularly the loss of the ability to conduct global big data analytics if the China data has to be housed separately. There is also a significant risk that foreign technologies that are uncertified under the CSL could be shut out of the China market in order to benefit domestic versions, impacting companies that currently rely on them.
How can companies prepare to be compliant with a moving target?
Companies need to ask themselves if they are an enforcement target for regulators: Is my company critical in keeping certain sectors running? What is the extent of my view into the lives of Chinese citizens? Do I have a strong domestic competitor that will seek to use this law to their advantage?
Here are some practical steps that companies can take today to answer these questions and mitigate the impact of this law:
- Understand: Overlay your business against government priorities for network operators and CII, including suppliers, distributors, competitors, and technology vendors. Map your data to learn what could be considered personal and important to regulators.
- Prepare: If your business or data is an enforcement priority, prepare for key CSL provisions, including data localisation and the national security review. In addition to assessing gaps in cyber policies and procedures vis-à-vis the CSL, preparing for the investigator’s unique methods and motivations will be key to mitigating risks from the review process.
- Engage: Regulators across industries are currently developing rules that will put flesh on the bones of the CSL. What are you doing about it? Applying strategic and targeted government engagement strategies will help mitigate the impact of the CSL on your business.
Carly Ramsey is a regulatory risk specialist with a decade of experience in China advising multinationals how to engage government in order to mitigate the commercial impact of policies that restrict growth. Ben Wootliff is head of Control Risks’ Cyber Security practice in Asia. Ben manages cyber security projects for clients and develops methodologies and product offerings.
Control Risks is an independent, global risk consultancy specialising in helping organisations manage political, integrity and security risks in complex and hostile environments. Control Risks provides strategic consultancy, expert analysis and in-depth investigations, handling sensitive political issues and providing practical on-the-ground protection and support. Visit www.controlrisks.com.