Zhao Zeliang’s Readout of the Cybersecurity Strategy

After the release of the country’s first National Cybersecurity Strategy, Director-General Zhao Zeliang of the Cyberspace Administration of China (CAC) Cybersecurity Bureau delivered a readout of the new strategy during an interview. He reemphasized the importance of personal information protection, plans for regulating cross-border data flow, and the strategy for the cybersecurity review regime.
 
One of the main goals is to increase safety and security of all personal information collected. Network operators must ensure the highest level of security for all personal information collected. Additionally, CAC will continue to improve information protection policy as laid out in Article 22 of the Cybersecurity Law. Zhao pointed out that the personal information protection laws are equally applied to both companies and government agencies and that the government will also be held accountable.
 
Zhao also discussed the issue of cross-border data flow, echoing the requirements in Article 37 of the Cybersecurity Law. He said that the CAC is currently drafting measures to establish an auditing regime for cross-border data flow. These measures will require all personal information and important data collected or generated by operators considered CII to be stored with China’s borders. Should said data need to be transferred cross border, the operator must undergo an audit of the data leaving the country, highlighting China’s concern about data security once it is no longer in their possession. Mr. Hong Yanqing, a distinguished research fellow at Sichuan University’s Cybersecurity Research Center, clarified that CII is not determine based on company status, meaning that it does not discriminate based on if the company is private versus state-owned or domestic versus international. CII status is determined by functions and evaluated by the severity of consequences should the data be destroyed, leaked, or no longer performing its function. He explained this within the context of online car-hire services and e-commerce saying that these platforms hold billions of points of user data and payment data and that it would harm society and public interests if the data were to be leaked or destroyed. These are examples of the types of services that are considered CII.
 
Lastly, Zhao addressed the Cybersecurity Review Regime for the procurement of critical IT products and services in the government and key sectors. He said that this review regime would only apply to products that are a question of national security and the safety of citizens as specified in Article 35 of the CSL. They have already begun to draft a cyber product catalog (Article 23 of CSL) as well as a user guide. Companies that provide cloud services to the party and government departments have already undergone the cybersecurity review.
 
We can expect to see a series of implementation measure to support and supplement the release of the CSL from now until the law takes effect on June 1, 2017. We have already seen a large number of TC 260 security standards released for public comment, and it is evident that the government is accelerating the pace that they release implementation details.