Chinese law may require companies to disclose cyber-security preparations outside China

Companies with Chinese operations may have to disclose information about the security of their networks in other countries under China’s draft data security law

Companies with operations in China could come under greater pressure to have their cyber security preparations reviewed and certified under a draft law expected to be enforced next year.

China’s draft data security law may also require companies to disclose details about network security in their operations outside China.

China aims to protect what it calls “important data” which, if leaked, may directly affect the country’s national security, economic security, social stability or public health.

The law, published yesterday by the Standing Committee of the National People’s Congress of China, is understood to be the first time that China has attempted to exercise legal authority on companies outside its jurisdiction.

“China is considering allowing the law to have an extra-territorial effect that we have not seen before,” said Yan Luo, partner in law firm Covington & Burling in Beijing. “They want to counteract the extra-territorial effect of US law.”

The draft law is likely to change significantly between now and when it is finally enacted in 2021.

Companies with operations in China can already be required to have their cyber-security operations certified by government-appointed certification bodies.

Under the proposed law, firms with operations in China may also be asked to disclose details of their network security overseas in order to qualify for a certificate.

The draft law will give Chinese central and regional government bodies powers to define what they regard as “important data” for different regions and industries.

Organisations that process this data will be required to comply with higher standards of security.

Companies may be fined

Chinese police will have powers to impose fines of $150,000 on companies that violate Chinese cyber-security laws, and could potentially shut down organisations that fail to comply.

China is expected to go beyond a technical audit of a company’s cyber security and to consider whether, for example, overseas firms are complying with US sanctions that could damage China’s national security.

“It’s not just a technical review of what protections you have put in place, it could be political elements,” said Luo.

The draft law includes a provision that allows China to take retaliatory action against any country that acts in a discriminatory manner against China over data-related trade or investment.

One clause says that organisations and individuals outside China that conduct activities which may harm China’s security, national security or public interests may also be subject to the draft law.

It is not clear how China would take enforcement action against an organisation outside its borders that is deemed to be damaging the country’s national security.

Other clauses require individuals and organisations to comply with requests for data from law enforcement agencies when required to investigate crimes or for national security reasons.

When data requests are made by foreign governments to Chinese organisations, the law will require the Chinese company to report the request and seek approval from a Chinese regulator.

A translation of the text says: “To the extent that China participates in international treaties which include provisions for foreign law enforcement access to data, that data shall be disclosed in accordance with such treaties.”

The draft law covers data that may be important to critical industries, but excludes personal data on individuals, military information or state secrets.

However, the draft law is likely to change significantly as it undergoes review. “This law, from now until its implementation, is going to become a very different law,” said Luo. “A lot of people will submit comments.”
