As Cybersecurity becomes a prominent global issue for nation states, governments consider options to curb their nation’s digital vulnerability. On July 6th, China, an undisputed major player on the global digital frontier, released the Cyber Security Law of the People’s Republic of China (“CSL”) for public comments. The CSL will, among other things, encourage education and training in cybersecurity related fields, establish new protections and rights for personal and sensitive data, and create government set standards for information technology hardware and software. Once adopted, the CSL will be the first Chinese law that exclusively focuses on cybersecurity.
The CSL is comprised of seven chapters and 68 articles with a broad scope of applicability for both Chinese and international interests. The CSL’s draft comes on the heels of the newly promulgated National Security Law of the People’s Republic of China (“NSL”). But, the NSL does not address cybersecurity or the digital frontier, an area now addressed by the CSL. The CSL illustrates that the Chinese government considers cybersecurity a crucial component of China’s overall national security.
Article 16, for example, mandates an increase in education and training for cybersecurity professionals. The CSL does not outline the practical expression of this mandate—there are no specifics about how much, and where, money will be spent—but presumably this article will improve cybersecurity. Additionally, Articles 35, 36, and 37 require network operators who handle or use consumer or user data to only use that data within the scope approved by the user. Article 37 empowers users who suspect someone has misused their information to ask network operators to delete their data.
However, other provisions serve only the interests of China’s legislators, members of the National People’s Congress of the People’s Republic of China. Some of the CSL’s provisions create a rather protectionist cabin industry for IT software and hardware, as well as for domestic Chinese data centers. The CSL establishes government review and approval procedures for information technology hardware and software. Such provisions will likely exclude, or at the very least discourage, the use of foreign IT software and hardware suppliers in China. Additionally, Article 31 would require companies to exclusively store “important data,” a term conspicuously left undefined, within mainland China.
Overall, the CSL deserves significant attention from international players within and outside of China. While the final version of the CSL has not been promulgated by the People’s Congress, the United States could take some cues from China’s legislative efforts. Specifically, the CSL’s provisions on increased cybersecurity education, and its provisions on personal data protection, are worth considering given Americans’ increased concerns over digital security. American businesses with Chinese interests or Chinese prospects should closely follow the CSL’s progress as it will broadly impact doing business in China.
Image Source: http://www.kean.edu/cyber-security-summit.