The Chinese government is considering an amendment to its existing cybersecurity laws, which could lead to a crackdown on companies that fail to comply. If implemented, fines for companies that violate their cybersecurity obligations could range up to RMB50 million (approximately £5.6 million). Therefore, it's crucial for companies that either operate in China or want to develop stronger ties within the country to be aware of these amendments and take appropriate action.
What China is doing to increase cybersecurity
On September 14, 2022, the Cyberspace Administration of China (CAC) issued proposed amendments to the 2017 China Cybersecurity Law (CCL). The stated aim was to make these amendments consistent with several new laws already enacted in 2017.
The amendments change the severity and scope of the penalties for companies that violate existing provisions, rather than making fundamental changes to the activities or behaviour covered by the CCL. The government wants to improve cybersecurity in the country and enforce legal liability for companies large and small.
There are four fundamental proposed changes to the CCL.
The first one relates to network operations security and adjusts the size of any administrative penalties for acts that violate obligations. The second alters the legal responsibility of those dealing with critical information infrastructure and its security. This section raises the level of penalties for any illegal acts that "critical information infrastructure operators" may perform.
The third amendment adjusts network providers' responsibility to ensure that the information shared within those networks (by companies and individuals) does not violate any Chinese laws. The fourth amendment revises sections of the original CCL to better protect personal information.
Authorities will now have sharper teeth to help tackle cybersecurity violations and protect user's rights. But still, some aspects of the law are rather grey, and there is no clear interpretation of terms like "important data." In addition, the definition of a "critical information infrastructure operator" is rather vague.
The laws also allow Chinese regulators to determine what type of outbound data transfers are necessary, especially if the intent is to move such data overseas. The regulator will be allowed to determine whether a company has "important" data that triggers a further security assessment and may lead to disruption for companies or more negotiation with regulators at the minimum. Again, it's not entirely clear what determines whether the data is important in the eyes of the regulator.
The world's reaction to China's direction
It's worth noting that efforts by the Beijing government are already far more comprehensive than any implemented by either the US or Europe. Some may point to the existing GDPR rules in Europe, but they are more centred on personal privacy than national security or social stability per se.
US politicians have previously opposed some of the CCL laws, with one official calling the legislation the "loaded weapon that the rest of the world should not want to stand in front of." This official believed that the law obliges any companies wishing to do business in China to collaborate with the government on "espionage campaigns."
What this means for companies operating in China
Companies operating in China should be aware of the wide scope of potential obligations and targets and the vague definitions contained within the legislation. They should understand how each element of the legislation governs privacy, cybersecurity, and cross-border data transfers. They should also keep an eye on how regulatory organisations responsible for implementation enforce the laws and how the legislators may operate at the national and local levels. There may be inconsistencies in both the interpretation and enforcement of the law by different administrative bodies.
What does this mean for foreign corporations with strong ties to China?
A sizeable number of UK companies do business with China. In 2021, UK companies imported £63.6 billion and exported £18.8 billion (in goods value) to and from China. During the same year, the UK imported £2.5 billion and exported £8.2 billion in services value. This legislation may pose a significant challenge for these and other organisations. The government may have written the regulations to focus on domestic firms, but international organisations may still need to meet local requirements.
Many international companies will prefer to share information without restriction, but their operational standards or global policies may conflict with Chinese regulatory requirements. These companies may need to consider adding extra resources in China to be ahead of any local regulatory compliance requirements that may pose a high risk.
Furthermore, the legislation does allow the government to inspect and potentially investigate any organisation if they suspect issues with Internet security. Some companies may want to prepare for this possibility and determine whether they are happy that the Chinese government gets access to certain key information. Some of the regulations allow for gathered data to be inspected or investigated. Of course, if the Chinese regulators have access to such data, then the company itself will not have any control over where the data ends up or who has further access to it.
Regulators may place most of their attention on information and systems within the larger government agencies or private enterprises. However, any foreign multinationals should be well aware of the potential of the scrutiny and be up-to-date on the content regulations as they change. They should also remember that the Chinese government can hold both individuals and the firm accountable if an investigation leads to a violation.
Foreign companies should do a comprehensive audit of any data inflows and outflows. They should be aware of where they are getting the data from and where it ends once it's under their control. After all, the government could hold company officials responsible for all the data on the system, regardless of whether they produced it themselves.
How HLB can help
HLB is a global advisory and accounting network that seeks to help companies trading internationally, especially if they have exposure in China. We've produced a cybersecurity report entitled "Uniting People and AI: The Future of Cyber Resilience" and a separate report based on a survey of business leaders in 2023 for additional insight.
If you conduct business within China, contact one of the experts at HLB Global for any advice or help with these cybersecurity regulations.
