China sets out new rules to protect ‘critical information infrastructure’ as it bolsters data security push
- China’s State Council passes long-awaited rules on ‘critical information infrastructure’ as Beijing tightens control of domestic data
- Companies still need to wait to find out which category they fall into and what rules specifically apply to them
China has set out special rules to put companies in the telecoms, energy, transport, finance and defence sectors under closer cybersecurity scrutiny as Beijing seeks to tighten its control of domestic data.
The new regulations, released by the State Council on Tuesday, provide more clarity on Beijing’s thinking around securing its critical information infrastructure, a term that appears in China’s Cybersecurity Law but which until now lacked specific guidance.
The new articulation comes as Beijing seeks to build a data governance framework to ensure the security of what it deems as important data, putting limits on how businesses collect and use sensitive personal data, while encouraging the circulation of less sensitive data to unleash its economic value.
The new rules “reveal the continuing emphasis that China’s top brass puts on protecting the most sensitive parts of the country’s digital networks,” said Alex Roberts, Linklaters’ TMT counsel in Shanghai.
Under the new rules and the 2017 Cybersecurity Law, it is clear that operators of critical information infrastructure receive special attention from Beijing, as any loss or damage to their systems could “severely endanger” national security, people’s livelihoods and the public interest.
When China’s internet watchdog, the Cyberspace Administration of China (CAC), last month launched a cybersecurity probe into Chinese ride-hailing giant Didi Chuxing, soon after the company went public in the US, many analysts argued that this could be because Didi was being treated as an operator of critical infrastructure, a status that under the law triggers a cybersecurity review on national security grounds.
However, other analysts said the probe was initiated because of how Didi collects and uses the “important data” of consumers.
The new rules require that regulators for specific industries formulate detailed guidance to identify the important operators under their remit, then notify those operators and the State Council accordingly. The public security authorities, that is, the police, will then take the lead in ensuring security.
They also give guidance on what government bodies should take into consideration when defining who critical information infrastructure operators are, as well as the responsibilities and punishments for those that fail to comply. Those in breach of cybersecurity rules could face a fine of up to 1 million yuan (US$154,309).
The new rules have been long-expected and many companies have already started preparing for them, some lawyers say, following the release of a draft version from the CAC in 2017. But companies will still need to wait to find out which category they fall into.
“The new rules fail, however, to definitively answer one of the biggest questions for the top management of multinational corporations since the advent of the Cybersecurity Law: Are we a critical information infrastructure operator?” said Linklaters’ Roberts.
Xia Hailong, a lawyer with Shanghai Shenlun law firm, said that many major internet companies could be identified as critical information infrastructure operators, and as a result they will have to make major adjustments to comply with the higher requirements around user data protection, data security and the products they procure.