CAC Speaks About PRC Cybersecurity Law

Following the National People's Congress (NPC) press conference on November 7, Cybersecurity Administration of China (CAC) Cybersecurity Bureau Director-General Zhao Zeliang further spoke about the newly-adopted PRC Cybersecurity Law on November 11 in response to several key public concerns regarding the final text. The concerns are mainly with regard to personal information protection, real name registration and the national security review.

Specifically, Zhao stressed that the new law laid primary obligations of personal information protection on network operators aka information collectors, regulating their behaviors of personal information collection, storage, processing, use and transfer. Accordingly, CAC is drafting a standard on personal information collection norms, which is expected to be released for comments before the end of this year. In terms of questions about the real name strategy, Zhao stated that the goal of such implementation is to better combat against cyber crimes with possible location of online subjects. Finally, Zhao equated the three terms "secure and reliable", "secure and trustworthy" and "indigenous and controllable", and explained that all are requirements only for cyber enterprises, products and services that would sell into critical information infrastructure and potentially have impact on national security, with the point made again that neither the national security review or the three terms are intended to create trade barriers for foreign companies, and that China market is completely open with equal treatment for domestic and foreign products. However, industry concerns remain on the extreme broad scope of these rules and closed setting process with involvement of mostly Chinese government and local firms, which are defacto discriminatory against foreign enterprises.