Legislative protection for key information infrastructure

Key infrastructure is vital to national security, as well as the economic and social development of a nation. Countries around the world pay special attention to key infrastructure when formulating cyber-security strategies and promulgating legislation. As early as 2003, China began putting forth the concept of “emphasis on guaranteeing the security of basic information networks and vital information systems”. In recent years, cyber and national security have become a key focus in China, with consistent legislative efforts to strengthen the protection of key information infrastructure.

Key information infrastructure

The Cyber Security Law (Draft), promulgated in July 2015, was the first piece of legislation to define “key information infrastructure” by listing four categories: (1) basic information networks for public communications, broadcast television transmission and other services; (2) important information systems for vital industries including energy, transportation, water conservation, finance, and public service sectors including power, water and gas supply, medical services, public health and social security; (3) military and administrative networks for municipal-level government authorities; and (4) networks and systems owned or managed by network service providers with large user bases (a specific definition of which has not been established).

In addition to the main categories above, key information infrastructure that may be relevant to the TMT (telecoms, media and technology) sector could include networks and systems that overlap with vital industries and public service areas but do not necessarily have large user bases, such as those for online finance, cloud computing or online medical services.

Place of storing information

As a measure to protect key information infrastructure, the Draft Cyber Security Law provides that the operators of key information infrastructure must store citizens’ personal information and other important data that are collected and generated during its operations within the territory of the People’s Republic of China. In case such data need to be stored overseas or be provided to overseas organizations or individuals, the operator must conduct a security evaluation in accordance with the rules formulated by the Cyberspace Administration of China in conjunction with the relevant departments of the State Council. If specific laws or administrative regulations (such as industry-specific regulations) provide otherwise, these provisions will apply.

While it may be necessary, from a national security perspective, to require key information to be stored within the PRC, it could also present challenges for multinationals when designing their global hardware infrastructure. In general, Chinese laws lack unified provisions on prohibiting the cross-border transmission of personal information and other data, and only have piecemeal provisions for certain industry sectors such as public health and finance.

However, recent regulations have initiated a more cohesive regime. For example, the Rules on Map Administration, implemented on 1 January 2016, require internet map service entities to store map data within the PRC, and the Rules on the Administration of Online Publication Services, implemented on 10 March 2016, require relevant servers and storage devices of online publishing service providers to be maintained within the PRC. Based on these trends, it appears that the cross-border transmission of personal information by enterprises in some subsectors may become subject to more specific regulations, with compulsory storage of relevant personal information within the PRC becoming a requirement across industries.

Future legislation

Current legislation related to the protection of key information infrastructure in the TMT industry has already set out some basic principles and requirements. However, these regulations are relatively scattered and not specific or thorough enough. For instance, in 2000 the Standing Committee of the National People’s Congress issued the Decision on Internet Security Protection, which stipulates the requirements for operational and information security of the internet. In 2015, the State Security Law explicitly required information systems and data for key infrastructure and important sectors to be “safe and controllable”.

Major issues relating to the protection of key information infrastructure that should be resolved through future legislation include:

1. Expressly defining the scope of “networks and systems owned or managed by network service providers with large user bases”. For instance, the formal legislation of the Cyber Security Law could specify whether “key information infrastructure” covers networks and systems in connection with microblog services, instant messaging and other public information services;
2. Establishing detailed rules with respect to the protection of key information infrastructure, such as formulating specific and practical protection systems based on the nature and significance of different infrastructure. In this connection, the Draft Cyber Security Law provides that the State Council is responsible for setting out measures on protection of key information infrastructure. These important measures, upon official promulgation, will significantly impact the protection of key information infrastructure;
3. Exploring and establishing specific security measures regarding products and services related to key information infrastructure. For example, following up on the Guidance for the Application of Safe and Controllable Information Technology to Strengthen Cyber Security and Information Construction in the Banking Industry (circular 39 issued by the China Banking Regulatory Commission), China could specifically include security measures for the regulation and planning of the banking industry, and set out practical standards and codes of practice for implementing security measures;
4. Establishing a unified regulatory authority for the protection of key information infrastructure in order to improve the current regulatory system, which is scattered among multiple authorities. For example, the Office of the Central Leading Group for Cyberspace Affairs was set up in 2014 to, among other tasks, improve laws and regulations regarding key information infrastructure. In the future, such a unified regulatory authority for protecting key information infrastructure may formulate laws, regulations and implementation rules across industries, and at the same time may effectively avoid having various authorities using inconsistent methods to implement security systems for key information infrastructure.

Ben Chai and Cloud Li are associates at DaHui Lawyers