- China Adopts the New National Security Law - A Top Legislative Effort to Control Cybersecurity
- September 10, 2015
- Law Firm: DLA Piper (Canada) LLP - Vancouver Office
On 1 July 2015, the Standing Committee of the National People's Congress, China's top legislature, approved the new National Security Law of the People's Republic of China (the "New Law") which became effective on the same day. This New Law is very high-level in its nature, covering a wide range of areas from the military, wider economy and natural resources to environment, religion, food security, cybersecurity and space exploration. The most significant aspect of this New Law in relation to cybersecurity is the fact that it was issued by China's top legislature, indicating the importance being placed on cybersecurity at the highest level of China's legislative system.
The New Law provides for a general legislative framework to control cybersecurity which includes the following:
- The state should develop its ability to protect against cyber and information security risks, and to ensure that the core cyber and information technology, key infrastructure, information system and data in important sectors are secure and controllable.
- The state should set up a national security review and supervision system and should conduct national security reviews of any foreign investment, key technologies, Internet and information technology products and services and other important matters and activities that impact or are likely to impact national security.
- The state should actively develop independent controllable key technologies in important sectors and strengthen the application of intellectual property.
As this New Law is newly promulgated and is very general in its nature, there is considerable ambiguity which may be clarified by subsequent guidance. In particular:
- The New Law does not provide specific requirements as to how to ensure that IT systems are secure and controllable. The term "secure and controllable" is also used in the CBRC Guidelines that DLA Piper reported on earlier this year. Although the CBRC Guidelines set out specific requirements to implement "secure and controllable" information technology products in the banking sector, we understand that the implementation of such rules is still pending.
- Although the New Law requires a national security review system, it does not provide any details of the practical implementation of such rules. For example, which authority will conduct such a review? What are the specific criteria to determine whether a technology product will impact or is likely to impact national security? What will the review process be?