
Cybersecurity and Data Protection in China



  1. Cybersecurity and Data Protection in China. Seminar on Internet Law (Seminar aus Internetrecht), Summer Semester 2018, Law Faculty, The University of Vienna. Jyh-An Lee, Faculty of Law, The Chinese University of Hong Kong. June 4, 2018

  2. Introduction • Background & Foundation of Cybersecurity Law • Legal Issues • Assessment of the Cybersecurity Law • Conclusion

  3. Introduction • While posing a cyber threat to the US and many other countries, China has claimed to be a victim of cyberattacks and has endeavored to strengthen its own cybersecurity • The new Cybersecurity Law • went into effect in June 2017 • is the first comprehensive law at the national level to address cybersecurity issues

  4. Introduction • 1st draft released in July 2015; 2nd draft released in June 2016 • Significant opposition from foreign business: in August 2016, a letter signed by more than 40 business groups from the US, Europe, and Japan was sent to Chinese Premier Li Keqiang

  5. Introduction • The legislature passed the law on November 7, 2016 without substantial revision • In May 2017, a coalition of business lobby groups representing European, American, and Asian companies called on the government to delay the implementation of the law • The government decided to delay only the implementation of the regulations governing cross-border data flow, to the end of 2018

  6. Introduction • Main criticism • (1) vagueness and ambiguity • (2) political agenda behind the law

  7. James Zimmerman, chairman of the American Chamber of Commerce in China: • the law is “a step backwards for innovation in China that won’t do much to improve security” and • being too “vague, ambiguous, and subject to broad interpretation by regulatory authorities.”


  9. Background & Foundation • Background • Snowden case • President Xi Jinping: • “Without cybersecurity, there is no national security” • “Cybersecurity is the precondition for Internet development” • Cybersecurity and Informationization Leading Group chaired by President Xi Jinping (2014) • National Security Law (2015), Counterterrorism Law (2015)

  10. Background & Foundation • Cyberspace Sovereignty • Is cyberspace a borderless space? • Fundamental principle for the Cybersecurity Law and other Internet-related policies • Art. 1: • the legislative purpose is “to protect cybersecurity, to safeguard cyberspace sovereignty, national security and the societal public interest, to protect the lawful rights and interests of citizens, legal persons and other organizations, and to promote the healthy development of economic and social informatization.”

  11. Background & Foundation • Cyberspace Sovereignty • The Internet in China white paper (Chinese State Council Information Office 2010) • Within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty. The Internet sovereignty of China should be respected and protected. Citizens of the People’s Republic of China and foreign citizens, legal persons and other organizations within Chinese territory have the right and freedom to use the Internet; at the same time, they must obey the laws and regulations of China and conscientiously protect Internet security.


  13. Issues • Network Operators • Critical Infrastructure • Data Localization • Security Certification, Inspection, and Review • Personal Data Regime

  14. Network Operators • Art. 76: “network owners, managers, and Internet service providers” • Criticism: too broad • Obligations: • to formulate internal security management systems and operating rules, designate personnel responsible for network security, and implement network security protection responsibility; • to adopt technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering network security;

  15. Network Operators • Obligations (cont’d): • to adopt technological measures for monitoring and recording network operational status and network security incidents, and to follow the relevant provisions to store network logs for at least six months; • to adopt measures such as data classification, back-up of important data, and encryption; and • other obligations provided by law or administrative regulations

  16. Network Operators • Art. 28 • Network operators should provide technical support and assistance to public security agencies to preserve national security and to investigate crimes. • Concerns: • Government agencies may mandate Internet companies to provide access or decryption assistance to obtain users’ private confidential information, even without a warrant, subpoena, or any type of court order.

  17. Network Operators • Penalties • Business: a fine of between RMB 10,000 and 100,000 • Management personnel: a fine of between RMB 5,000 and 50,000 • Continuing controls on the license • Revocation of the license (§§ 61, 62, 64, 66, 68…) • Website shutdown


  19. Critical Infrastructure • Critical infrastructure refers to the facilities, systems, and networks that are socially and economically crucial to the functioning of a country, in that the goods or services they provide are essential to national security, economic vitality, and citizens’ health and safety • A wide variety of sectors, including banking, agriculture, food, water, energy, communication, transportation, health, etc. • Critical infrastructure is vital to a nation’s survival

  20. Critical Infrastructure • Regulatory difficulty • Mostly owned by private entities • Regulatory approaches • Voluntary approach: • US: NIST Cybersecurity Framework, best practices • Mandatory approach: • China

  21. Critical Infrastructure • Definition of critical information infrastructure • Art. 31: • infrastructure whose destruction, loss of function, or data leakage “might seriously endanger national security, national welfare and the people’s livelihood, or the public interest” • “includes, but is not limited to, public communication and information services, energy, transportation, water conservation, banking and finance, public services, and electronic government” • Concern: too broad

  22. Critical Infrastructure • Heavier obligation than network operators • conduct security background checks on responsible personnel in critical positions • carry out cybersecurity education and technical training • implement disaster recovery backups • conduct inspections of their network security on at least an annual basis

  23. Critical Infrastructure • Mandatory approach (China) • Too hefty obligations on the private sector • Ambiguous definition of critical infrastructure operators • Voluntary approach (US) • Insufficient incentives for the private sector to take appropriate measures • Public-Private Partnership (PPP) approach • North American Electric Reliability Corporation (NERC) • Not working


  25. Data Localization • Policies requiring companies to store data about users only on servers within the jurisdiction’s borders • International practice • Limited to financial data: • Belgium, Denmark, Finland, Germany, Russia, Sweden, and the UK • Health records: • Australia and the UK • Existing practice in special laws in China • Banking data (2011), credit data (2013), health information (2014)

  26. Data Localization • Art. 37: • critical information infrastructure operators are obliged to store personal information and other important data in China, and a security assessment or approval from the relevant regulators is required before transferring this information or data abroad • Liability: a warning, or possible website shutdown, license revocation, and fines of between RMB 50,000 and 500,000 for businesses and between RMB 10,000 and 100,000 for the person in charge

  27. Data Localization • Purpose • Promoting domestic economy and technology • Avoiding foreign surveillance • Facilitating domestic law enforcement • Protecting users’ privacy

  28. Data Localization • Criticism • Unnecessary costs for the private sector • No proof on economic and technological returns • Industrial policy and protectionism • Enforcement problem • More risk for cyberattack and trade secret leakage • Government surveillance • Trade barrier?

  29. Data Localization • Jack Ma of Alibaba: • data localization regulations may create “major problem for Chinese Internet companies expanding overseas…ultimately leading to the fragmentation of cyberspace.”


  31. Security Certification & Review • Art. 23 • critical network equipment and specialized network security products shall follow the national standards and mandatory requirements, with their security certified by a qualified institution or confirmed by security inspection • Art. 35 • network products and services purchased by critical information infrastructure operators that might affect national security are required to undergo a “national security review” by the government

  32. Security Certification & Review • The United States Trade Representative (USTR)’s 2017 Special 301 Report raised concerns over the new Cybersecurity Law: • “mandated security inspection, certification, and review may create more opportunities for the leakage of trade secrets and other confidential information regarding information security.”

  33. Security Certification & Review • The CAC released the “Measures on the Security Review of Network Products and Services (Interim)” (Interim Measures) [网络产品和服务安全审查办法(试行)] on May 2, 2017 • the scope of security review also includes “risks that could harm national security” • Review standard: the focus of the security review is whether the products and services are “secure and controllable”

  34. Security Certification & Review • Criticism • This broad statement could be a catch-all provision which the government can use for political purposes • Unclear substantive criteria and procedure in the security review process • Each of these requirements may be used for political purposes to delay or block market access in industries that are defined as critical infrastructure


  36. Personal Data Protection • Individuals over businesses • §§ 40–50: operators’ confidentiality obligations, consent for personal data processing… • Government supremacy • The government can easily obtain personal data for the broad cybersecurity purposes mentioned previously • Real-name registration rules


  38. The Chinese Version of Cybersecurity • The law seems to extend beyond the aim of ensuring cybersecurity (surveillance, blocking market access, etc.) • Common perception: • The Chinese government uses the Cybersecurity Law to fulfill its political agenda rather than to protect its cybersecurity

  39. The Chinese Version of Cybersecurity • My argument • China’s conception of cybersecurity differs from that of the western world • The western idea of cybersecurity places a greater emphasis on technical threats, whereas the Chinese notion of cybersecurity prioritizes ideological threats • In addition to the security of networks and information systems, China’s cybersecurity policy also covers censorship and “properly guiding Internet opinion” • Based on a review of policy papers, speeches, and China’s proposals at the UN over the past 20 years

  40. Rethinking the Role of the Market in Cybersecurity • Market intervention in the Chinese Internet • Great Firewall, laws, policies… • Market competition enhances cybersecurity protection, as businesses also care about cybersecurity

  41. Rethinking the Role of the Market in Cybersecurity • Policy concerns: • Businesses evaluate the factors that affect the level of cybersecurity differently than governments do. Businesses sometimes fail to seek higher levels of cybersecurity because of cost, profit, or other commercial concerns. • Anti-competitive policy is sometimes seen as desirable because homegrown technologies are perceived as more trustworthy than foreign ones, especially in the context of cybersecurity.

  42. Digital Human Rights with Chinese Characteristics • Although the law provides citizens with unprecedented protection of their data privacy, it also creates numerous opportunities for the government or third parties to infringe upon citizens’ privacy • My argument • The fundamentals of China’s conception of human rights differ from those of the western world • In the western world, human rights were designed from the beginning to protect individuals from state power • China has viewed human rights as derived from the state, which reigns supreme over the individual; therefore, human rights are never considered to represent an individual’s rights over those of the state • Previous research on online speech


  44. Conclusion • Global Internet, local networks • The Cybersecurity Law should be understood from the perspective of China’s unique conception of cybersecurity, which is much broader than the western world’s definition • The Cybersecurity Law’s treatment of personal information and privacy mirrors China’s perception of human rights: human rights are protected under the law, but they must yield to government power. Government supremacy is an essential part of Chinese human rights philosophy.
