China: Micron review highlights importance of national security concerns
This is an Insight article, written by a selected partner as part of GDR's co-published content.
China’s[1] cybersecurity regulatory system encompasses traditional cybersecurity and data security.
Key statutes, regulations and international standards
The Cybersecurity Law (CSL), which came into effect on 1 June 2017, applies to the construction, operation, maintenance and use of IT networks within China, as well as cybersecurity management matters. It primarily applies to ‘network operators’, which covers most business operators in China using the IT network, including network owners and managers and network service providers.
The Data Security Law (DSL), which came into effect on 1 September 2021, serves as the highest-tier legislation for data security supervision in China. It establishes the responsibilities of regulatory authorities and data processors and imposes additional obligations in respect of certain ‘important data’.[2]
The CSL and DSL are supported by a number of accompanying laws relating to, among other things:
- Multilevel Protection Scheme (MLPS): the MLPS sets out basic obligations that Chinese network operators must comply with, including in relation to the evaluation of their operating systems and the establishment of organisational and technical protection measures based on the level of the operating systems.[3] The general rules of the MLPS mainly comprise the ‘Guiding Opinions on the Implementation of the Multi-Level Protection Scheme and the Critical Information Infrastructure Security Protection Scheme’ from the Ministry of Public Security (MPS) and the ‘Guidelines for Grading of Classified Protection of Cybersecurity and Information Security Technology: Implementation Guide for Classified Protection of Cybersecurity’.[4] Specific requirements have been established in some sectors, such as finance.
- Critical information infrastructure (CII) protection: CII refers to key network facilities and information systems in key sectors, which may seriously endanger national security and public welfare if subject to any destruction, loss of function, or data leakage. The key regulation for CII protection is the ‘Regulations on the Security Protection of Critical Information Infrastructure’ along with the national guideline ‘Operation Guide for National Cybersecurity Inspection’. The determination of CII is the responsibility of sectoral regulators. Operators identified as CII operators (CIIOs) receive corresponding notices, which impose additional cybersecurity and data protection obligations.
- Internet information content management: this refers to the management regime targeting information content in cyberspace with the aim of promoting a positive network ecology and disposing of illegal and harmful information. It includes regulations such as the ‘Administrative Measures for Internet Information Services’, the ‘Provisions on the Ecological Governance of Network Information Contents’, the ‘Administrative Provisions on Algorithm Recommendation for Internet Information Services’, the ‘Provisional Measures for the Administration of Generative Artificial Intelligence Services’ and the ‘Administrative Provisions on Deep Synthesis of Internet-based Information Services’. There is a regulatory trend away from solely focusing on information content towards also focusing on the governance of algorithms, which are used to generate information content. This is reflected in recent measures targeting algorithm management, deep synthesis and generative artificial intelligence (AI) technology, such as algorithm security assessments and filing-for-record requirements on algorithms.
- Cybersecurity review: when CII operators procure network products and services, or when network platform operators engage in data processing activities that may impact or potentially impact national security, they must undergo cybersecurity reviews. This is one of the main ways by which Chinese regulators ensure CII supply chain security, cybersecurity and data security and maintain national security. The key regulation in this regard is the ‘Cybersecurity Review Measures’.
- Data security obligations, including the following:
- Data classification and grading: the ‘Guidelines for Network Data Classification and Grading’ specify methods and measures for classifying and grading core, important and general data. Specific guidelines have been established in sectors such as finance.
- Identification and protection of important data: important data differs from state secrets and refers to data that, if leaked, could potentially endanger national security and economic operations, among other things. It is, therefore, subject to additional cybersecurity obligations, including the ‘Rules for Identification of Important Data (Draft for Comments)’. Specific criteria for the identification of important data have been established in certain industries such as the automotive industry.
- Cross-border data transfers: relevant regulations include the ‘Measures for Security Assessment of Cross-border Data Transfer’, the ‘Provisions for Standard Contract for Outbound Transfer of Personal Information’ and the ‘Implementation Rules for Personal Information Protection Certification’. Regarding the cross-border transfer of important data or personal information, there are three main ways to action this: security assessment, standard contracts and certification. Security assessment prevails over the other two (ie, a data processor can only choose the certification or standard contract pathway if the security assessment pathway is not applicable). If a data processor (either a CIIO or a non-CIIO) provides important data overseas, or a CIIO provides personal information overseas, a security assessment must be conducted. In particular, a security assessment must be conducted if the data to be transferred qualifies as important data, regardless of the amount of data or the nature of the data processor. This is because the security assessment is designed to safeguard national security, while important data closely relates to national security, economic operation, social stability, public health and safety, etc.[5]
The formulation of some national standards or guidelines has taken into account or incorporated relevant international standard requirements. For instance, the ‘Information Security Technology – Terminology’ standard aligns with ISO 27001 and ISO 27002, while the ‘Information Security Technology – Network Data Processing Security Requirements’ have drawn from ISO 20000-1.
Additionally, although international standards are not directly adopted as regulations within China’s network and data regulatory system, holding certifications related to such standards can serve as practical evidence of a company’s considerable level of cybersecurity and data protection.
Regulatory bodies
China does not have a separate and unified enforcement agency specifically dedicated to supervising cybersecurity and data security; instead, enforcement is carried out by different regulatory authorities, as set out below.
- Cyberspace Administration (CAC): the national CAC and its local departments focus on data protection, internet information content management, cybersecurity reviews and cross-border data transfers. For example, they perform enforcement inspections on mobile app data protection compliance and internet information content management, handle applications for cybersecurity reviews and perform security assessments for cross-border data transfers.
- Public Security Department: the Public Security Department, including the MPS, oversees traditional information security, such as the MLPS, CII protection and emergency management of cybersecurity incidents. It also focuses on data security law enforcement work related to preventing and combating telecoms fraud.
- Sector-specific regulators: these include the Ministry of Industry and Information Technology (MIIT), which oversees the telecoms sector, and the People’s Bank of China, which oversees the finance sector. They carry out sector-specific network and data regulation, including enforcement actions related to mobile app regulation and consumer information protection, and identification and protection of important data. Their national and local industry and information technology departments, as well as telecoms departments, are relatively active in enforcement actions, focusing on carrying out cybersecurity and data security supervision work relating to the internet, automotive and telecoms, among other fields.
There are no management relationships between those different authorities except the national and local institutions within the same authority. Relevant enforcement actions may be carried out by single or multiple authorities jointly, depending on factors such as the industries involved, the scale of the enforcement challenge and nature of the issue.
Relevant obligations for companies
The general compliance obligations in the CSL and the DSL apply to ‘network operators’ and ‘data processors’, which are broadly defined. Most enterprises that use information systems or process data in China are likely to be within the scope of those definitions and must meet the corresponding compliance requirements.
All network operators and data processors as defined in the CSL or the DSL must comply with certain cybersecurity obligations; however, heightened requirements apply if the entity is an important data processor or a CIIO. Under the DSL, ‘important data processors’ are data processors involved in processing important data. Under the CSL, CIIOs are the network operators responsible for operating CII.
A company’s obligations to ensure IT system and data security are determined by its role, as shown in the table below:
Aspects | Role: network operators and data processors | Role: processors of important data* | Role: CIIOs*
---|---|---|---
Organisations and personnel | Designation of the cybersecurity officer of the organisation | Designation of the data security officer and establishment of the data security management organisation | Establishment of a dedicated network security management organisation (responsible for cybersecurity planning and drills, training, reporting of cybersecurity incidents, etc) and conducting background reviews on key personnel involved in cybersecurity operations. Assignment of the primary responsibilities for protecting CII security (leading on security protection and the handling of essential security events, researching key cybersecurity issues, etc) to the executives of the company
Policies and measures | Implementation of data classification and grading, full life cycle data management and security incident emergency management. Implementation of the MLPS assessment and filing. Implementation of necessary technical measures for data security. For network platform operators that possess the personal information of over 1 million people, requirement to undergo cybersecurity review when seeking an overseas listing (eg, filing IPO applications with the securities exchange agencies in the United States or Europe) | Safeguard the security of important data by: (1) identifying important data and updating the identification in a timely manner; (2) implementing measures for secure storage and transmission (eg, storage medium management, disaster recovery backup, encrypted transmission and identity verification); (3) conducting a security assessment before transferring important data to overseas parties; and (4) regularly performing risk assessments on activities involving important data, the key aspects of which shall be reported to regulatory authorities | Safeguard the security of CII by ensuring that: (1) personal information and important data generated within China are stored within China and security assessments are performed for cross-border transfers; (2) disaster recovery backups for important systems and databases are conducted; and (3) mandatory annual assessments are performed, the key aspects of which shall be reported to regulatory authorities. If the procurement of network products and services might impact or potentially impact national security, a cybersecurity review must be conducted

* These obligations apply in addition to the obligations of network operators and data processors.
Effect of local laws on foreign businesses
The CSL and DSL apply to all entities operating within China, regardless of whether they have elements of foreign investment or ownership.
The extraterritorial jurisdiction of the CSL and the DSL is limited.[6] Generally, they only apply to foreign entities operating outside China if their network or data processing activities within Chinese territory pose harm to national security, public interests or the legitimate rights and interests of Chinese citizens and organisations.
Responsibilities of directors
Failure to comply with the DSL or the CSL may result in regulated entities facing civil, administrative or criminal liabilities, depending on the scenario.
Civil liabilities often arise in cases involving the provision of products or services to enterprises and individuals, such as damages payable to the relevant individuals for illegally processing their personal information, or liability for losses suffered by users because the network products provided did not meet the relevant security protection level.
Criminal liabilities – such as for illegally hacking computer systems, disrupting the functionality of computer information systems and aiding criminal activities on information networks – have the most severe punishments, which are regulated by criminal law, including imprisonment, detention and fines.
Directors will not be liable for cybersecurity or data protection violations of the company unless they are deemed to act as the directly liable person (eg, the officers directly participate in the planning, organisation and implementation of the illegal activities) or the person in charge (eg, the officers accountable for the relevant illegal activities owing to their managerial function). For civil violations, a directly liable person or the person in charge may be penalised with fines or detention in addition to the punishment of the responsible entity. Generally, individuals may face fines ranging from 5,000 yuan to 1 million yuan under the CSL and the DSL.[7] For criminal violations, the punishment of the directly liable person or the person in charge may include imprisonment, detention and fines.
In September 2022, the regulatory authorities released draft legislation for comments that proposed revising the CSL to allow for, in cases of severe violations, directly liable persons or the person in charge to also be prohibited from serving as a company director, supervisor or senior manager or from working in a key role in cybersecurity management or network operations for a specified period.[8]
Best practices for responding to breaches
Under the CSL and the DSL, companies must have in place an emergency response plan for cybersecurity or data security incidents. When an emergency occurs, companies must immediately initiate their emergency response plan, implement remedial measures and report the incident to regulatory authorities while informing affected users.
In practice, companies should assess how to fulfil their reporting obligations to regulatory authorities and user notification obligations based on the actual consequences of the incident and the remedial actions taken. If the incident results in significant losses, the company should promptly report the incident to the local public security department and relevant regulatory authorities, adhering to the reporting deadlines and methods specified by the relevant local authorities.
Additionally, where an incident leads to the leakage of user data or similar issues that cannot be prevented, the companies should inform the impacted individuals of the incident, as well as the remedial measures that have been taken by the company or that can be taken by the impacted individuals.
Private redress options for unauthorised cyber activity
Both the CSL and the DSL stipulate that those who cause harm to other individuals through illegal means are subject to civil liability. The Civil Code also explicitly states that individuals or entities who negligently infringe the civil rights and interests of others are responsible for the consequences of their actions, which provides a legal basis for individuals to protect their rights through litigation.
A recent case heard by the Shanghai Court involved a homeowner suing a property management company for alleged illegal collection of their facial information. This case is an example of how the available mechanisms[9] may apply in practice. It confirmed:
- as the subject of the personal information, the homeowner was entitled to protect their legitimate interests by exercising their right to litigation when there was reasonable suspicion of infringement; and
- the property management company could, in turn, provide objective evidence demonstrating the absence of storage and use, as well as subjective evidence proving the lack of intentional collection, and thereby demonstrate that there was no infringement or harm.
Recent trends and updates
Regulatory authorities have remained vigilant on cybersecurity and data security. There have been several recent developments including the following:
- Strengthened management of cross-border data transfers: measures have been implemented regarding the security assessment of cross-border data transfers, the execution and filing of standard contracts for cross-border data transfers of personal information, and the certification of outbound transfers of personal information. Such regulations provide compliance mechanisms for different scenarios involving the cross-border transfer of important data and personal information. Among other things, organisations that transfer important data abroad in the course of their business must undergo a security assessment. The grace period for security assessments ended on 1 March 2023, although there is still an ongoing surge in applications. The grace period for the filing of standard contracts will end on 1 December 2023.
- Strengthened algorithm governance: for activities involving the use of algorithms such as recommendation systems, deep synthesis techniques and generative AI technologies in data processing, entities are required to fulfil obligations such as algorithm filing, security assessment and content review in accordance with the CSL, the DSL and sector-specific rules regarding algorithm governance.
- Accelerating the identification and protection of important data: local regulatory departments in regions such as Shanghai have organised local companies to work on the identification and protection of important data, resulting in several relevant reference cases. In the near future, the identification and protection of important data will be a key focus of regulatory efforts.
Relevant case studies
The recent cybersecurity review case involving Micron Technology has attracted significant attention. In May 2023, Micron was informed of a review decision that stated its products had significant network security vulnerabilities, posing a major security risk to China’s CII supply chain and impacting national security. Consequently, domestic CIIOs were required to stop procuring Micron products.[10]
This case shows the importance of CIIOs conducting an assessment of potential national security risks when procuring network products and services and deciding whether to apply for a cybersecurity review based on this assessment. Additionally, it is necessary for companies to regularly evaluate whether the network products and services already procured are included in the list of prohibited procurements by the state.
Network product and service suppliers should also pay attention to the possibility of their products and services sold in China posing dangers to China’s national security. This includes conducting all cybersecurity reviews required by the Cybersecurity Review Measures in accordance with applicable requirements and making appropriate and timely adjustments according to the outcome of that assessment.
Action against infringements of user rights and interests by mobile apps is one of the main ongoing enforcement activities carried out by the CAC, as well as other bodies. Taking the enforcement actions of the MIIT as an example, since 2020, the MIIT has released 29 lists of apps and software development kits (SDKs) that violate user rights and interests. The lists include examples of apps and SDKs that collect personal information in violation of the DSL and CSL regimes. The operators of the listed apps and SDKs were required to rectify the issues identified within a limited time. If an operator does not rectify the issue properly, its infringing app may be forced off app stores.
There have also been enforcement actions regarding the implementation of data protection obligations. Recently, two companies in Hangzhou[11] and Nanchang,[12] respectively, faced warnings, corrective orders and fines from the local cyberspace administrations because of their failures to take appropriate measures to ensure data security. These examples illustrate that regulatory focus has penetrated into the daily operational and technical details of security, emphasising the need for companies to effectively manage cybersecurity and data security in their day-to-day operations.
Notes
[1] For the purpose of this chapter, China excludes the Hong Kong Special Administrative Region, the Macau Special Administrative Region and the Taiwan region.
[2] The Personal Information Protection Law (PIPL), which came into effect on 1 November 2021, also imposes cyber-related obligations on personal information handlers for the purpose of personal information protection. This chapter focuses more on cybersecurity and data security than on privacy and personal information protection. For further details about the PIPL, please refer to the ‘China: Privacy’ chapter.
[3] ‘Operating systems’ refer to systems comprising computing or other information terminals and related devices that collect, store, transmit, exchange and process information in accordance with certain rules and procedures, such as office systems, cloud computing platforms and systems, the internet of things, industrial control systems and systems using mobile internet technology.
[4] To clarify, the Multilevel Protection Scheme evaluation of the operating systems must be conducted by professional third-party institutions entrusted by the network operators and must focus on the physical environment, technical safeguards and personnel organisation, among other things, in relation to the operating systems. The level of the operating systems is determined based on the result of the evaluation. For filing purposes, network operators submit the outcome of the evaluation (ie, the level of the operating systems) together with the evaluation report to the public security department.
[5] For details about the cross-border transfer of personal information, see the ‘China: Privacy’ chapter.
[6] For details about the extraterritorial effects of the PIPL, see the ‘China: Privacy’ chapter.
[7] Cybersecurity Law, Chapter IV; Data Security Law, Chapter IV.
[8] Decision on Revisions of the Cybersecurity Law (Draft for Comments), 12 September 2022.
[9] ‘上海一业主诉请拆除小区全部人脸识别系统装置,法院判了!’, Shanghai Law Journal, 21 June 2023.
[10] Cyberspace Administration (CAC), ‘关于对美光公司在华销售产品启动网络安全审查的公告’, 31 March 2023; CAC, ‘美光公司在华销售的产品未通过网络安全审查’, 21 May 2023.
[11] Hangzhou Cyberspace Administration, ‘杭州对一违反《数据安全法》的企业实施行政处罚’, 11 November 2022.
[12] Nanchang Cyberspace Administration, ‘南昌市网信办依法对某股份有限公司作出行政处罚’, 8 June 2023.