Compliance assessment for China Cybersecurity Law

Clearer definitions of the articles, penalties and compliance measures are expected

Four months after the new China Cybersecurity Law (CCL) took effect on June 1, a vast number of Hong Kong companies with operations in the mainland have no clear idea how the new regulation will impact their organization.

This was one of the key takeaways at the China Cybersecurity Law workshop organized by JAS Consultant Limited in Hong Kong.

“Many Hong Kong-based companies are still not aware or fully aware of the new law and its implications. Many are adopting a wait and see approach to see what further guidelines will be issued by the authorities before they would take action or consider taking action,” noted Dominic Wai, partner, ONC Lawyers.

But even a number of companies who have been closely following the development of the new legislation are unsure whether their organizations are affected by the CCL – and, if they are covered by the law, they don’t know exactly what to do to comply.

“I think the biggest hurdle is to assess what and how much data would be caught by the new law and if so, how much they should spend on ensuring that the use and operation of such data comply with the new law,” Wai said.

He added: “The exercise of ascertaining what amount of data that is kept in China for business operations and use that was generated in China would take time and costs, and might interrupt business. Some companies are waiting to see how serious the authorities are in terms of enforcement before they put money into compliance.”

Industry insiders say these uncertain reactions are not surprising given that the wide-reaching law lacks the finer details.

“The CCL is the basic level law and there are subsequent laws and regulations to be released by authorities. The challenge is how to execute the law and we hear from regulators that they will have more details by the end of November. By then, we will have clearer definitions of each of the articles, penalties and compliance measures and so on,” said Thomas Lee, partner, risk advisory, Deloitte China.

An all-encompassing law

The CCL standardizes the collection and usage of personal information, with companies being asked to put in place data protection measures. For instance, sensitive data – information on Chinese citizens or relating to national security – must be stored on domestic servers.

In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges, however, is that the government has been unclear on what would be considered important or sensitive data.

Companies covered by the CCL primarily fall under two categories: CII (critical information infrastructure) operators and network operators.

A network operator is one who owns and manages a network and provides services through a network, including through the internet (e.g. website) and systems that support its services (e.g. production control systems). Furthermore, companies that sell network products and services and those that provide cybersecurity certification or risk assessment services are classified as network operators.

A CII operator runs key infrastructure such as public communications and information services, energy, transportation, water conservancy, finance, public services and e-government. The CCL also classifies other companies as CII operators if a breach of their information infrastructure would result in serious damage to China’s national security, national economy, people’s livelihood or public interests.

“The identification of key information infrastructure usually consists of three steps: determine the industry that you operate in; determine the key systems that support your infrastructure; and, determine the risk indicators that will help you assess the impact of a breach,” Lee said.