The National People's Congress (NPC) released a second draft revision of the Cybersecurity Law (Chinese only) on July 5 and is accepting public comments on the draft through August 4, 2016. AmCham Shanghai is working with AmCham China and the U.S. Chamber to provide the NPC with a joint submission. Our Chambers submitted a joint comment to the first draft of the law in July 2015.
Please submit any input or comments to Vivie Zhang at Vivie.Zhang@amcham-shanghai.org by COB Thursday, July 14th. Please submit your comments in English; bilingual comments are also welcomed.
The draft law will heavily impact not only the information communications technology (ICT) community, but also other industries reliant on information technology and data storage and transfer.
AmCham Shanghai is still reviewing the text. However, according to U.S. Chamber colleagues, there are a number of concerning provisions in the text. For example:
Data Localization/Data Transfer: The second draft appears to expand data residency requirements while narrowing the scope of data transfer. Article 35 now provides that "all citizens' personal information and important business data collected or created by core information infrastructure operators during operations within China should be stored in China." Article 35 now only allows data to be provided across borders -- but not stored outside China's borders as provided in the first draft -- following a security review.
Critical Information Infrastructure: The definition of "critical information infrastructure" remains unclear in the second draft, and a definition of the term is not provided. Rather, the second draft's Article 29 now provides that "the State Council will formulate the specific scope and security protection measures for critical information infrastructure." In the interim, regulators responsible for telecommunications, banking, insurance, healthcare, and housing, among others, have issued regulations that promote the "secure and controllable" requirements tied to protection of national security, including critical infrastructure. Development plans, including the Information Security Industry 12th Five-Year Plan (FYP), also called for secure and controllable information security products and services in e-commerce, energy, financial services and other areas. The Information Security Industry 13th FYP has yet to be released.
Standards and "Secure and Reliable": Article 15 provides that the State Council and local/provincial governments should "promote secure and reliable network products and services"; however, the draft does not provide any definition of what products and services constitute "secure and reliable." This is a new addition since the first draft, and it supports growing concerns about China using technology standards to discriminate against foreign ICT suppliers.