Developments this month continue to signpost a more challenging compliance environment ahead for non-Chinese technology companies and those operating online in China.
The Chinese Government’s scrutiny of cyberspace continues apace, with the announcement of a new cybersecurity watchdog. Its role includes monitoring cybersecurity threats and co-ordinating national cyberspace policy and practices, but of greatest significance to organisations operating in China is the watchdog’s proposed role in evaluating non-Chinese organisations’ online products, services and content.
In particular, network products and services used within information systems that relate to national security or the public interest will have to pass a security and controllability assessment conducted by the Chinese authorities. Professionals say that the review is not universally applicable – only network products and services purchased by “key information infrastructure operators” (KIIO) (as defined in the new PRC Cybersecurity Law) that may impact national security have to pass the security review in order for the procurement to proceed. Whether a network product or service purchased by a KIIO may impact national security shall be determined by the Department of Key Information Infrastructure Protection.
It appears that the supervisory assessments will focus on the security and management of the products and services; will look at risks of illegal control, disruption or interruption (such as “loopholes” allowing access by foreign governments and illegal collection of personal data); and also consider potential anti-competitive effects that may be harmful to users’ interests. It has also been suggested that products and services that fail these assessments will be blacklisted from future procurement by KIIOs.
The security review is not mandatory. It can be initiated by notification from the authorities, suggestions by national industry associations, responses from the market and an organisation’s own application, but it will in no way become a kind of routine scrutiny.
Additional challenges may arise through mandatory compliance with new national standards, which are yet to be announced but will be at the discretion of the new watchdog.
These measures were announced when the Cyberspace Administration of China recently published, for public consultation, the Measures for the Safety Review of Network Products and Services (Draft for Comment) (Draft Measures). Public consultation on the Draft Measures closes on 4 March 2017. This latest announcement reflects the guiding concept of the recently published PRC Cybersecurity Strategy, namely “Internet sovereignty”, defined as China’s right to police the Internet within its borders and participate in managing international cyberspace.
The Chinese Government has sought to reassure overseas organisations, with officials reportedly saying “the review will not hinder foreign products from entering the Chinese market, but will only to boost confidence in such products and services…. Authorities will treat Internet products and services from home and abroad equally” (according to the official news agency, Xinhua). However, the Chinese market may now become more challenging for overseas providers of online products, services and content. Such organisations are strongly advised to keep abreast of developments in China and start to plan their compliance strategy in anticipation of the new measures coming into force. In particular, it would be sensible to take into account new national standards, and to plan ahead for the likely lead time required to obtain clearances from the new watchdog, for any products, services or content to be launched in China.