China’s new cybersecurity regulation, Regulation on the Internet Security Supervision and Inspection by Public Security Authorities (the “Regulation”), takes effect today. The Regulation, issued by China’s Ministry of Public Security, allows China’s law enforcement (Public Security Bureaus, commonly referred to as “PSBs”) to enforce China’s Cybersecurity Law (“CSL”) by conducting onsite or remote inspections. Although the asserted intent of the Regulation is to protect consumers from data breaches due to company negligence, it also provides PSBs with sweeping authority to access companies’ information technology and proprietary information, raising concerns among foreign corporations.
The Regulation applies to all “internet service providers,” which include businesses that provide internet access, content distribution, domain name services, and data center services; providers of internet information services; providers of public internet access; and providers of other internet services. It also applies to “entities that use networks for their operations.” Although “entities that use networks for their operations” is not defined, the phrase has been interpreted to include entities that connect to and use the internet internationally for their own business purposes. Local PSBs are given broad discretion to determine whether an organization is subject to the Regulation, including the ability to interpret the meaning of “other internet services.”
Unannounced Onsite Inspections and Remote Inspections Permitted
The Regulation authorizes PSBs to dispatch at least two PSB officers to enter an organization’s physical premises to conduct an unannounced onsite inspection. During an onsite inspection, PSB officers can enter any network equipment rooms and offices, interview company executives and require them to explain any items of interest identified by the officers, and review and copy relevant documents and information.
PSBs are also authorized to conduct remote inspections to assess an organization’s network and data security vulnerabilities. For remote inspections, PSBs must provide prior notice outlining the time and scope of the inspection and ensure that the inspection does not interfere with the organization’s operation.
Purpose of Inspections
Inspections are conducted to confirm compliance with requirements under the Regulation. These requirements include filing with the PSB as a “network-using entity,” implementing internal cybersecurity programs, appointing an officer in charge of cybersecurity, recording and retaining registration information of users, implementing technical measures to prevent computer viruses and cyberattacks, implementing measures to prevent the transmission and publication of illegal content, and taking measures required by China’s Cybersecurity Multi-Level Protection Scheme to protect networks based on their relative impact on national security, social order, and economic interests should the system be damaged or attacked.
Corporate Representative or Officer Must Sign the On-Site Inspection Record
After an inspection, the PSBs prepare an inspection record that must be signed by the PSB officers conducting the inspection. For an on-site inspection, the company representative or officer in charge of cybersecurity also signs the record. While the representative may express any objections to the inspection or offer explanations for disagreements, any refusal to sign the inspection record will be noted in the inspection record itself.
Potential Consequences if Violations of the CSL or China’s Counterterrorism Law Are Found
If an inspection finds minor administrative violations, PSBs are authorized to require the organization to remediate the violation and undergo another inspection. For more substantive violations, the Regulation provides a variety of penalties under the CSL and China’s Counterterrorism Law, including monetary fines on the organization and on the responsible individual(s), shutting down the organization’s website and revoking its business permit, confiscation of illegal gains derived from illegally obtained or sold personal information, and detention of five to 15 days.
Concerns about Governmental Access to Corporate Data
Although the Regulation largely codifies existing practices rather than imposing wholly new obligations, it has faced public criticism. The Regulation’s lack of guidance on how remote inspections are to be conducted, on what information and documents are “relevant” such that PSBs may inspect and copy them, and on which companies fall within its purview has raised concerns about governmental access to confidential corporate data. Non-Chinese corporations have expressed concern that the Regulation could be used by the Chinese government to gain access to source code or other confidential information under the guise of a compliance inspection, and then to leak that information to domestic competitors.
As William Zarit, the chairman of the American Chamber of Commerce in China, stated, the Regulation “justifies for the authorities the right to basically copy or access anything.”
Governmental access to company data may also bring additional business and legal risks to companies, ranging from harm due to the government’s access to corporate trade secrets, to lawsuits from corporate clients and partners whose confidential data was accessed and copied, to potential claims from data subjects whose personal information was accessed without their knowledge or consent. Compounding the problem is the fact that there are few, if any, remedies available to companies whose data is seized by PSBs. In light of the potentially expansive application of the Regulation, companies operating in China should seek professional advice tailored to their specific operations and needs to prepare for and respond to any potential government investigation of their cybersecurity practices.