Cyber Security Law and multinational corporations

The People’s Republic of China Cyber Security Law will take effect on 1 June 2017. It was promulgated in conjunction with the issuance of other important supplementary laws and regulations, including the Public Opinion Draft of the Measures for the Security Review of Network Products and Services released in February 2017, and the Public Opinion Draft of the Measures for Evaluating the Security of Transmissions of Personal Information and Important Data Overseas (Personal Information Transmission Draft) released in April 2017. These recent legislative moves by the PRC government have been closely followed by multinational corporations (MNCs) operating in China. This article provides a brief overview and analysis of three important issues raised by these recent legislative moves.

Application of the Cyber Security Law

The Cyber Security Law applies to the construction, operation, maintenance and use of networks within the territory of the PRC. Without further clarification from PRC legislators, the current scope of application makes it difficult for some MNCs to determine whether they fall under the purview of the Cyber Security Law.

For example, entities engaged in certain services listed in the Catalogue on the Classification of Telecommunication Services issued by the Ministry of Industry and Information Technology are generally deemed as “network service providers”, which is a category of “network operator” (the definition of which is unclear in the Cyber Security Law). If operating within the territory of the PRC, such entities will need to comply with the requirements of the Cyber Security Law. But what about MNCs located outside China that provide such services to China-based users? A concrete example would be an offshore website that provides online shopping services for Chinese users and delivers items to Chinese addresses. If the service in question is technically hosted offshore, is it nonetheless “provided within the territory of the PRC” under the Cyber Security Law?

Currently, there appears to be no clear answer on whether such a company would need to comply with the Cyber Security Law based on existing laws and regulations. For now, MNCs will need to pay attention to further legislative activities and the enforcement practices of relevant authorities to determine whether, and under what circumstances, they need to comply with the Cyber Security Law.

Ben Chai and Cloud Li are associates at DaHui Lawyers