The Escalating Cyber Security Obligations and Impact on Your Business
Dr. Michael Tan, Taylor Wessing Shanghai Office
November 2017
Part I: Background and Legislative Development

Concern from all around
New Agency Rising
> CPC National Security Commission
> NPC, CPPCC, State Council
> Various ministries and agencies:
• National Development and Reform Commission
• State-owned Assets Supervision and Administration Commission
• Ministry of Foreign Affairs
• Ministry of National Defense
• Ministry of Commerce
• Ministry of Finance
• Ministry of Land Resources
• Ministry of Environmental Protection
• Ministry of Human Resources and Social Security
• …
• Cyberspace Administration of China (CAC, 2014.2.27)
• Ministry of Public Security
• Office of State Commercial Cryptography Administration (OSCCA)
• Ministry of Industry and Information Technology
• Ministry of Culture
Legislative Development
2015
> Jul 1: SCNPC - National Security Law (“to safeguard sovereignty of cyberspace”)
> SCNPC - Cyber Security Law (First draft)
> Dec 27: SCNPC - Counter-Terrorism Law
2016
> Mar 25: MIIT - Draft on Administrative Measures for the Internet Domain Names
> Nov 7: SCNPC - Cyber Security Law (“CSL”)
> Nov 24: MIIT - Draft Notice on Regulating the Operation Behaviours in the Cloud Service Market
2017
> Jan 17: MIIT - Circular on Clearing up and Regulating the Internet Access Service Market (VPN)
> Apr 8: NISSTC - White Paper on Big Data Security Standardization
> Apr 11: CAC - Draft Measures on the Security Assessment for Personal Information and Important Data
> Apr 13: OSCCA - Draft PRC Encryption Law
> May 2: CAC - Measure on Safety Review over Network Products / Services; CAC - Administrative Provisions for Internet News Information Services; CAC - Provisions on Enforcement Procedures for Internet Information Content Management
> May 8: SPC & SPP - Interpretation on Criminal Cases Re. Infringement of Personal Information
> May 16: SPP - Six Typical Criminal Cases of Infringement of Personal Information
> May 27: NISSTC - Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (Draft)
More Behind the Scene
Strong will
> Contest with the US
> Global leadership - OBOR strategy
> Indigenous innovation: “de-IOE” campaign (Circular 317) and Made in China 2025
Bargaining power
> The emerging TMC sector creating a strong market position for China
> Less focus on FDI
Experience of legislators and regulators
> Private right vs. national security: ISPs to enable invasive audits by government agencies (Counter-Terrorism Law)
> CSL and data export control

Part II: Issues and Implications
• Who
• What
• How
Issues and Implications – CIIO and data export
> CIIO to be especially protected, but no definition
Exemplary industries:
• public communication and information service
• energy
• water conservancy and hydraulic
• transportation
• financial
• public services
• e-government affairs
or, with features that in case of being destroyed, loss of function, or data leakage will result in serious damage to:
• national security
• national economy
• people's livelihood
• public interests
Issues and Implications – CIIO and data export
> Local storage and export control (Article 37)
• CIIO shall store personal information and important data gathered and produced during operations within the PRC.
• Where export is indeed necessary due to business demand, a security assessment shall be conducted according to measures formulated by CAC and other ministries, unless otherwise stipulated by laws and regulations.
> (Draft) Measures on the Security Assessment for Personal Information and Important Data to be Transmitted Abroad, published by CAC on April 11, 2017 soliciting public comments
• Supposed to take effect as of June 1, 2017, but now offering a grace period until the end of 2018
Issues and Implications – CIIO and data export
> Much of a surprise
> Expanded scope of obligated parties:
• CIIO
• network operators, defined as network owners, network administrators and network service providers
• other individuals and organizations, with local storage becoming a general obligation
> Expanded scope of data subject to export clearance by administrative authorities:
• data involving over 500,000 individuals
• data size exceeding 1,000 GB
• sensitive data (relating to nuclear facilities, biochemistry, national defense and military, demographics and health etc.)
• cyber security information about system vulnerabilities and security protection of CIIO
• exporting data by a CIIO
• other circumstances, as deemed necessary by regulators
Issues and Implications – CIIO and data export
> Much of a surprise
> Data not allowed to leave China:
• personal data without prior consent for export, or where an export might infringe upon personal rights and interests [new: deemed consent in cases like calls, mails, Skype and shopping initiated by the data subject]
• data of which the export brings risk to national security or public interest
• data of which an export is barred by administrative authorities like the CAC, police authority and national security authority
• new: those of which the export does not satisfy requirements of laws, regulations and rules (规章)
> Practical issues
Issues and Implications – CIIO and data export
> Assessment Procedures
Self-assessment
• at least annually
• filing with industrial watchdogs
• re-assessment in case of major change (purpose, scope, quantity, type, breaches)
• criteria (see the next slide)
Administrative assessment
• by industrial watchdog
• to be done within 60 working days
• result to be notified to applicant, and filing with CAC
> Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (Draft) on May 27, 2017 by NISSTC
Issues and Implications – CIIO and data export
> Main aspects of assessment
• business demand for export [new: legitimacy (合法性) and propriety (正当性)]
• quantity, scope, category and sensitivity of the concerned data, including consent for export where applicable
• security level and competence on the data recipient’s side, recipient country cyber security situation
• data breach risk
• risks to national security, public interest, and individuals
> Practical issues
Issues and Implications – Cloud and Encryption
> Circular on Clearing up and Regulating the Internet Access Service Market by MIIT on Jan. 17, 2017
Foreign Players
• Brand
• Customers
• Technologies
Local Partner
• IDC License
• Facilities
> “Sub-leasing or transferring” prohibited: IDC license holder must not provide qualifications or resources to any unlicensed enterprise in the name of technical cooperation.
Issues and Implications – Cloud and Encryption
> More detailed not-dos by IDC license holder under MIIT Draft Notice on Regulating the Operation Behaviours in the Cloud Service Market published on Nov. 24, 2016
• allowing its foreign partner to conclude a service contract directly with cloud service customers
• delivering services to customers only using the trademark and brand name of the foreign partner
• illegally providing users’ personal information and network data to the foreign partner
> Practical implications
Issues and Implications – Cloud and Encryption
> Use of VPN
Prohibited are
• without approval, conducting cross-border business operations by setting up on its own or leasing private leased circuits, including VPN and other information channels
• use of VPN to connect onshore and offshore data centers or business platforms to carry out telecom business operations
Allowed are
• use of VPN by international companies for their internal business purposes
> Practical implications
Legal Consequences of Violation
> Criminal (refusal to perform security obligations)
• jail up to three years or detention
• fine
>> Interpretation on Criminal Cases Involving the Infringement of Personal Information, SPC & SPP on May 8, 2017
>> Six Typical Criminal Cases of Infringement of Personal Information, SPP on May 16, 2017
> Administrative
• warning, being ordered to correct
• monetary (up to RMB 1 million)
• revocation of license, operation shut-down
> Civil?
• if there are damages to individuals / enterprises

Part III: Our Suggestions
Protection of business vulnerabilities (examples)
Use of Internet and VPN
• service providers
• GFW impact on virtual corporate IT environment
• encryption solutions
Cloud solutions (Industry 4.0)
• role and positioning on the value chain (PaaS or SaaS)
• IT architecture and data flow
• requirements at home
Contingency management
• policy transparency and administrative discretion
• blackmailing threat
• absence of process
Internal control
• cultural difference
• KPI vs. compliance
• hard technologies and “soft” aspects
Suggestions
> Awareness raising and a close eye on further development
> Join forces in lobbying and rule influencing
> Internal process to be prepared, and implement the new obligations:
• Log recording
• VPN use monitoring
• Data export assessment
• IT compliance policy and implementation
• Supply chain audit: your partners
> Resources and external support: get engaged instead of just watching
> The positive side
• New business opportunities and ecosystem
• Still an important and fast-growing market
• Globalization and liberalization
Issues and Implications – Others
Below are some recent articles we wrote on this topic and pertinent topics relating to business:
• An Overcast Outlook: Cloud Services in China
• Use of VPN Facing New Challenges in China
• China Cyber Security Update - How Do the Recent Regulations Impact Your Business?
• CAC to Regulate Data Export
https://www.taylorwessing.com/globaldatahub/index.htm
https://china.taylorwessing.com/
Speaker
> China > TMC and Data Protection > Corporate
Dr. Michael Tan
Partner, Shanghai
Arbitrator of SHIAC
Michael has more than 10 years of experience advising multinational companies in their investments and operations in China. His experience includes advising on the establishment of foreign investment enterprises in various industries, M&A, restructuring and liquidation of foreign investment enterprises. He advises international clients in various industries including automotive, aerospace, general machinery, new energy, infrastructure and logistics. At the same time, Michael supports Chinese companies in their “going abroad” activities, including business expansion and IPOs in Europe.
In 1997, Michael was admitted to the Chinese bar. After practicing in domestic law firms, he worked in the Beijing office of a major international law firm from 2000 to 2002. In 2002, he joined Taylor Wessing in the Shanghai office. As of 2007, he has been appointed as a senior counsel of Taylor Wessing. Michael speaks Mandarin, Fujian dialect as well as English fluently.
Besides his expertise regarding general foreign investment corporate matters, he specializes in IT regulatory, data protection issues and other new technology driven sectors. He is familiar with the rapidly developing TMC sector in China. He quite often publishes articles and frequently comments on IT and data protection related legal topics. Michael also serves as an arbitrator of the Shanghai International Arbitration Center.
Contact Details
T: +86 21 6247 7247
E: m.tan@taylorwessing.com
Our international offices and network
We have a selected network of partner law firms with whom we have worked for many years on cross-border transactions and projects in all important jurisdictions.
Austria: Vienna, Klagenfurt*
Belgium: Brussels
Czech Republic: Brno*, Prague
France: Paris
Greater China: Beijing*, Shanghai*, Hong Kong
Germany: Berlin, Dusseldorf, Frankfurt, Hamburg, Munich
Hungary: Budapest
Indonesia**: Jakarta
Netherlands: Amsterdam, Eindhoven
Poland: Warsaw
Saudi Arabia**: Jeddah, Riyadh
Singapore
Slovakia: Bratislava
South Korea**: Seoul
UK: Cambridge, London
Ukraine: Kiev
UAE: Dubai
USA*: Menlo Park, New York
Vietnam: Hanoi, Ho Chi Minh City
Legend: Taylor Wessing offices; Taylor Wessing expert teams and country groups respectively; partner law firms via international networks
* Representative offices
** Associated office