PRC's 5 Cybersecurity And Data Laws Explained

Published Aug 09, 2021 12:07 PM

China (PRC) has enacted 5 major laws in the past 6 years, including 2 this year, that define the legal cybersecurity obligations of PRC manufacturers to the PRC government.

PRC video surveillance manufacturers are legally obligated to cooperate with PRC police and intelligence, hand over relevant data, guard state secrets, and "not overturn the socialist system".

PRC authorities say these laws are aimed at "maintaining national security" and "public interest" and include human rights protections. Overseas critics say these "wide-ranging powers" can be used by the government "to build backdoors" and silence dissent.

In this report, IPVM examines five PRC data laws and their impacts:

  • The National Security Law (2015)
  • The National Intelligence Law (2017)
  • The Cybersecurity Law (2017)
  • The Data Security Law (2021)
  • The Vulnerability Regulation (2021)
  • How these laws contrast with EU, US, and UK cybersecurity laws

For each law, we share the PRC government's rationale and concerns from critics.

Executive *******

** ******** ** *** **, **, and *** **, *** *** *** enacted ******** ************* *** **** **** requiring ************* ** "*********, *******, *** assist" *** **********.

*** **** ******* *** ***** "*********" with *** ******, ************, *** ********, leaving *** **** "*********" *********:

  • *** ***** "***** *******, ******, *** cooperate **** ******** ************" [******* *, Intelligence ***, ****]:

  • *** ***** "*****" ******* ************ ******** access *** "******** ***" ** ***** "communication *****", *********, *** *** "******** files" [******** **-**, ************ ***, ****]
  • *** ********* "*****" ******* ******, ********, and ************ "******" [********] **** "********* support *** **********" [******* **, ******** Security ***, ****]

*** **** ******* ******* *** *** any *** **** **** ***** *** internet ** "******** *** ********* ******":

  • *** ***** "***** ******* ******** ************ work *******" [******* *, ************ ***], "keep ***** ******* **** ***** ** confidential" [******* **, ******** ******** ***, 2015], "***** ***** *******" [******* **, Data ******** ***, ****]
  • *** ***** ****** *** *** ******** to "******** *** ********* ******" ** "endanger ******** *****" [******* **, ************* Law, ****]

*** **** ****** ********** "******** ******** reviews" *** *** ********** **** **** "might ****** ******** ********":

  • "******** ********" ****** *** *** ** products *** ******** "**** ****** ** might ****** ******** ********" [******* **, National ******** ***, ****]
  • "******** ******** *******" *** *** ********* of ********** ******** ** "******** *********** infrastructure *********" **** "***** ****** ******** security" [******* **, ************* ***, ****]

*** **** ******** ******** *** *** when ***** ******** ***************, ********* ***** be **** ** *** ********** ****** two **** *** ****** ******* ** certain *****:

  • *** ***** "*****" **** *** ************* information ** *** ********** "****** *** days"; *** ***** "*****" "********" ****** users ** ******** ********* [******* *, Vulnerability **********, ****]
  • *** ***** ****** ******** *************** "****** major ****** **** ** *** *****" "without *************" **** *** ****** [******* 9, ************* **********, ****]

*** **** **** **** *********** *** human ****** ***********:

  • "******** ************ *******" ***** "******* *** protect ***** ******" [******* *, ************ Law, ****]
  • ************* **** "*** ***** ** ***** criticisms *** ***************" *** "*** ***** to **** **********, *******, ***********" [******* 82, ******** ******** ***, ****]

*** **** ****** ********** **** *****, detention, *** **** **** ***** **** potential *********** ******** ***********:

  • ***** ** ** ** ~$***,***, ********* of ** ** ** ****, **** 5 *****' *** ** ******* ** "cybersecurity ********** ** *** ******* **********"; separately, "******** **************" *** ** "*******" [Articles ** & **, ************* ***, 2017]
  • ***** ** ** ** $*.* ******* and ******* ************* [******** **-**, **** Security ***, ****]
  • ** ** ** **** ********* *** potential ******** *********** [******** **-**, ************ Law, ****]

Comparison ** **/** ****

** *** **, ****-******** ********/********* *** required *** ****** ** ****** **** from **********; ***** ** ** ******* ** state ******* *** ** ********* ** cooperate **** ******. *** ** ********** obtains **** *** ******* ************ ******** through ***************-********** (*** *********)**** ******.*********** ***** ************** ************ *********, ******* ****** ** surveillance ** ** *******/*********, ***** ******** ***, ****** ** ****** ** ****** data ****** ******** **** * *******. The *** (********) **** ************ ******* exposed ** ****** ******* - ***** collected ******** ** ** ********' ***** - ******** ******* **** *********.

** *** **, ******** ************ ** regulated ** *** ******* *****; ** data *********** ********** - ****** *********** *********(*** ******) *** *** **** (*** *********/***********)- **** ** *********** ******** **** police/intelligence. *****'* **** ********* ************ ******** **** ****** ******** from *** ********* ********** ******** ****** being **** ** ****** ******** ** any *********** **************.

** *** *****, ***** *** **** are **** *******-****** **** ***** **/****** counterparts. *** *** **** ** ******* human ****** ***********, ******** ***** ***** in *** ******* ** *** *** ranking **** *** ****** ** ****** indices ******* ******************* *******,**** *** ********* ** *** *** Supreme *************** ******** ************** * "***** ******* ****" *** PRC ****** ****** ***.*% ********** ****.

National ******** *** (****)

******* ******** ******** ***(*******) *** ******* "** ******** ******** security, ** ****** *** ******'* ********** dictatorship *** *** ****** ** ********* with ******* ***************".

*** ******* **, ********* "*****" ******* police, ********, *** ************ "******" [********] with "********* ******* *** **********" ***** "keeping ***** *******" ************:

******* ** ****** ********* "********* ******** security" *** "********* ** ***":

******* ** ******* "******** ******** ******" checks *** *** ** ******** *** services "**** ****** ** ***** ****** national ********":

******* ** ***** *** ********** **** "maintaining ********** ***********" *** ******* * "national ******* *** *********** ******** ********* system":

*** ***** ***** *** ********** *********** means"** ********** *******'* ***** ** ****** its *** ******** ********** *****". *** PRC****** ********* ****** ***** ********* *** **** websites (********* ****).

******* ** ***** *** ***** **** "accelerating" *** *********** ** "************ **********" - **** ********** ** "****** *** controllable" - ******** ************:

******** **-** ***** ************* "*** ***** to ***** ********** *** ***************" *** "the ***** ** **** **********, *******, accusations":

National ******** *** ***************

*** ********** *********** ***** ************ *** ***** **** *** **************** "****************" *** "******** ********* ******** and ****** *********":

********** ********, *** ******* **** ****** its ***********, ** **** ** ******** and *********** *********, *** [...] ** must ****maintain ********* ******** *** ****** ********* [...]

*****’*cybersovereignty ***** ** ********* *** ********** Raising the idea of ‘safeguarding national cybersovereignty’ in the National Security Law is a response to the needs of the development of the Chinese Internet. It provides the legal basis for managing cyberactivity on China’s soil and resisting activities which jeopardize China’s cybersecurity.”

******* ***** **** *** ******************* *** "******** *******" **** *** internet **** "****-******* ****** *** *** exact *******".*** *** **** ***** ************ ******** ***** ********** "****** *** controllable" ********** *** ** ***** **** companies ***** ** ****** ** ***** backdoors:

*** *** **** ***** *** ********** that ******** ******* ******* ** ** “secure *** ************,” * *********** **** multinationals *** ******** ****** *** ***** be **** **force ********* ** ***** **-****** **** ***** - which allow third-party access to systems - provide encryption keys or even hand over source code [emphasis added]

***** ****** ***** ******* ************* **** the *** ***** "******" ** **** to "*******" *******,*******:

**** *** ****** *** ********* *** government ** ***** ******** *** **easily ******* ***** ***** ****, and [the government can] imprison them or fine them or what[ever] they want to do to silence ***** ****** [emphasis added]

National ************ *** (****)

*********** ************ ******* **** ****** ** **** "** strengthen *** ******* ******** ************ ****, safeguarding ******** ******** *** *********" ** the *** **********.

*** **** ****-***** ****** ** ******* 7, ***** ******** **** *** *** people *** ************* "*******, ******, *** cooperate" ************ ******** *** "******* ******** intelligence **** *******":

******* * *** ** *********** *** there ** ** ******* ** ******** or ************ ** * *** ****** refuses. ***** ******** ********* ******* ******, e.g. ******* ** ***** ******** *** right ** "********* *********** ************* **** relevant *********** *** *************":

******* ** **** ****** ************ "*** request" *** "******** [...] ************* *** citizens ******* ********* *******, **********, *** cooperation":

******** **-** **** ************ ******* *** right ** "***** ******** ********** ***** and ******", "******** ******** ************", *** "read ** ******* ******** *****, ********* or *****" ***** **** ****** ****** to ****** "************** ** ************** *****":

*** *** *** *** ******** ******* that "******** ************ *******" ***** "******* and ******* ***** ******", *** ******* explaining *** (******* *):

******* ** ******** ************ ******** **** not "****** ** ***** ***** *********", nor "******* *** ****** ******" ** PRC *******, *** "*** ***** ******** to ********** ******* ********" (*.*. **********):

Intelligence *** ***************

*** ************ ***'* ******* ** "*******, assist, *** *********" ************ ******** ******* strong ******* ** *** ****, **** the** *** ******* * ******** *************** **** ***** *** *** ********** can ***** ********* ** "****** *********" or "***** ******" ** ** *******' data:

* *** ************ ******may ******* **** *** *** **** ** ****** ******** ***** ****** ** * *.*. ******** ** **********’* ****, or otherwise face penalties. In addition, the National Intelligence Law may ****** *** ***** ** ****** ********* and other security vulnerabilities in equipment and software sold abroad so that the PRC government can easily access data not controlled by PRC firms. [emphasis added]

** ********, *** ************** ***** ********* ************ *** "******** *** ******** human ******", ******** ** ******** * and **:

********* ** *****’* ******** ************ ***, organizations *** ******** **** *** ********** to *******, ****** *** ********* **** national ************ ****. ** *** **** time ** ****explicitly ********** **** ************ **** ****** ** ********* ********* ** *** *** ** * *** **** ******** *** ******** ***** ****** and the lawful rights of individuals and organization [emphasis added]

*** ****, ********* *** ***************,******* ******* ***** ****** *********** **** freedom ** ****** *** ********, ******* the *** ********** **** ***** **** last ** ******* ***** ****** ******** (***/*** ** ***** *******,"*** ****" ********* ******,***).

*** ***'****** ******* *** ***** ****** *******, ******* ** ****** ******** ** Tibet******* ******, ****** **** "***** ****** **** ******* ***************" ***** "****** ** *** ********** of *** *****" *** ********** **** "the ***** ** [********] ***********" ** above "*** *** ***** ***** ******".

Cybersecurity *** (****)

** ****, *** *** ******* **************** ***(*******), ***** ** ******** ** "****** cybersecurity" *** "********* ********** *********** *** national ********".

******* ** ****** "*** ****** *** organization ***** ********" "***** [...] ******* public *****, *** ******* ****** ********" and "**** *** *** *** ********" to ******** "******** ********, ******** *****" and **** *** *** ** ** "overturn *** ********* ******":

***** ***** *.*. "******** *****" *** left *********. ******* ** ******** ******* operators "******* ********* ******* *** ********** to ****** ******** ****** *** ******** security ******":

"********* ******* *** **********" ** *** specified. ******* ** ****** "******** ***** or ***************" ** "********" ********* ** users:

******* ** ******** ******** "******** ******** to *** ****** ***** ** ******** published":

******* ** ******* "******** ******** *******" for *** ********* ** ********** ******** and ******** ** "******** *********** ************** operators" ** **** "***** ****** ******** security":

**** ** ******* ** *** **** National ******** ***'* ******* **, ***** creates "******** ******** *******" ** *** networking **** ******** ** ******** ********.

*** ************* ***'* ******* ** ******** that *** **** ******* ** *** operations "***** ***** ** ****** ******** China":

Cybersecurity *** ***************

* ***** ****** *** ** ****** research **************** ****"*** ********* ****** ** *** *** allows *** ********** **** ***** ** request *** ******* ***********". ************* *** firm******** ****** ******* ***'* ********** ** "*********" **** authorities "*** ******" *********' ******** ** PRC ***********, ************ "**** ** ******** segregated":

*** *** *** **** ******* **obligation ** ********* with public and State security authorities to investigate suspicious crimes, which may ****** **************' *** ******* ********* ************' ******* ******* ** *** ***********. It is advisable therefore for a multinational to consider measures to ensure data is properly ********** to avoid inadvertent disclosure to the PRC authorities. [emphasis added]

*** *** ******** *********, *** ********** Administration ** *****,**** *** *********** *** "*******, **** **** ** data" *** "** ******** ** ********* sovereignty ** **********, ******** ********, *** public ********, ** **** ** *** rights *** ********* ** ********".

** **** *** ******** ******* ********* or ***** ********** *** ******** **** entering *** ******* ******, *** **** it ***** ***orderly, **** **** ** ****. China is entitled to make laws and rules to regulate its cyberspace sovereignty following international practice

*** *** ** ******** **safeguard *********** ** **********, national security, the public interest, as well as therights *** ********* ** ********, legal persons and other organizations [emphasis added]

Data ******** *** (****)

******* ******** ***(*******)**** **** ****** ********* *, **** and ********* *** "******** ** ****" within *** *** ** ***** ** "protect ********' *** *************' ****** ******" and "******** ***** ***********" *** ********.

**** ***'* ***** ** ******, **** Article * ********* **** ******** ********** "carried *** ******* *** ********* ** the ***" ** **** *** "******* the ******** ******** ** *** ***":

******* ** ******** *** ***** "*********" with ****** *** "***** ******** ******" who *** "********** ****" ** "******** national ******** ** *********** ******":

*** "**** ******** ********** **** ******* state *******" **** ** ******* ********* to ***** *** *********** *** *** ******** ** "***** state *******":

******* ** ****** *** "**** ******** activities" **** "***** ****** ******** ********" are ******* ** "******** ******** *******" whose ********* *** "*****":

*** ******** ****** "******** ******** *******" mirrors *** ******** ******** ***'* ******* 59 *** *** ************* ***'* ******* 35, ***** **** ******* **** ****** for **********/********** *******.

******* ** ****** ***** "*** ** be ******** ********" ** "**** ******** incidents". **** ** ******* ** *** Cybersecurity ***'* ******* ** ********* **** cyber ******** "******** ******** ** *** public ***** ** ******** *********".

*** **** ******** *** **** ***** the *** *** ***** ** *** "equal ********" ******* *** ****** **** deploy "**************" ** "***********" ******* ******* the ***:

**** ******** ******* ******'* ********-****** ****-********* ******** ****** *** *** ** ******** anyone *** "************" ** ****-*** *********, including ******'* ********.

Data ******** *** ***************

*** ***** ******** ******** ********** **** *** "********** ** **** greater *****" ** *** ***'* ********* toward "********** **** ** ** ********* act", ** ********* ** *** ***'* global ***** ** ******* *:

*** ********* ******** ** *** ******** legal ********* ********** ** **** ******* shift ** *** ***’* ******** **** from ********** ******* **** ******* ** a ********* *********, ***toward ********** **** ** ** ********* ***. The Data Security Law defines 'Data Activities' broadly and with a large scope—to include both activities conducted in China and data-related activities undertaken by organizations and individuals outside of China [emphasis added]

***** ***** ************ ***** ******* *** ******** "****** ***** ******* for ********** *******" *** ****** * PRC ************* ********* ******** *** *** for ******* "*********** ******* *** ********* of ****":

***** **** *****'* ***** ****** **** continue ** ** ******** ** ***** of ******* *** *********** ********, ********* strong *****support *** ********** ******* as well as the safe and healthy development of the digital economy [...] "[the law is] a timely move to curb *********** ******* and spreading of data that is closely linked to national key information and people's livelihoods" [emphasis added]

Vulnerability ********** (****)

************** ** *** ********** ** ******* Product ******** ***************(*******) ** **** ****** ********* *. The *********** ***** ** *** "********* and ******* *********" ** *** *** and *** *********** ******** ** ******* their ***************.

******* * ****** **** "************* ***********" be **** "****** *** ****" ** a ******** *** ** *** ******** of ******** *** *********** ********** ********* key ********* ******* (******** ********, *****, etc):

*** ******** ** *** ******, ******* that ******** ********* *, *** *** government **** **** *** *** ******** of ***** ************* ***** ** *********, Dahua, *** ***** *** *************. ******* 7 **** **** ***** ****** ** "promptly ********" ** *****, ** ** already *** **** ** *** ************* and **** ******** ****:

******* * ******** ******** ************* **********, prohibiting ***** **** ********** "******* ** security *********" *** "************ ************ ******* and *****":

******* * **** ********* ******* *********** product ******** ************* *********** ** "******** organizations" ***** **** "******* ******* *********":

******* * ********* *** ***** **** disclosing ******** *************** "****** ***** ****** held ** *** *****" ******* ********** from *** ***'* *** *********** ********:

*** ** ********** ***** ** ******* US ******* ********* ** *** ********** from *** *** ** ****** ***** of * **** ** ** ******** on **** *.

Vulnerability ********** ***************

******* *** ***, ******** **** ******** on *** ********** ************* ******** ******* in ******* *, **** *** *** of ************* **** *********** **** *************** ******** ******* *** ********** **** "****** *********" use ** *** ********* ********:

*** ********** **** ****** ********* ****** these *************** ** ******* ********** ****** actors

******** **** **** ****** ****** ******, CISO ** ***** ******** **** ****************, that **** ********** ***** "***** ******* disclosures" **** *** *****:

**** *** **** **** ******* *** prior *********** ******** *********** *** *** will ***** **** **** ******* ******** research **** *** ******* ********** *** limit ******* ***********.

**** ***** **** ** ***** ***** coverage ** *** ************* **********.*** ******** ***** *** ********* ********** (***** ***** ****** *******) as ******* "* ****** ******" **** "the ****** ** ******* ******** ** national ******** **** ** ******* ***********. It ** ****** ** ******** *** supervision ** **** *** ****** ******* security."

Comments (5)
Undisclosed Manufacturer #1
Aug 09, 2021

** *** ******* *** ******* ** a **** ** ***, *** **.

Undisclosed Manufacturer #2
Aug 09, 2021

********...**** **** *** *********** ** **** that *** ******* ******* *****, *** having ***** ******** ******** *** ********** inside ***** ** ******* *****, *** obliged ** ****** *** ****** ****? CISCO, *****, ***.?

Undisclosed End User #3
Aug 09, 2021

******* ******** ********* **** ****** ***** laws. ******* ********* **** * ***** operation **** ****** *** *** ** that ********* *****. ** **** ** or ***** ******* ******* ************ ** China, *** ************* **** ****** *** above ***. * ***** *** **** concern ** ****** ******* ***** ***** China **** ** **** ***** **** products "***** ****" *** ******** ******* and **** ********, *** *** *****-***** company ** *** ***** *** ** duty-bound ** ***** ******** *** ** anything *** *** ***. ******* ******* is *** **** * *** *** foreign ********* *** ***** ** *********** off ***** ***** ********* **** ***** rest-of-the-world ***, ******* *** ***'* ***** access ** *** ***** ********* ***** give **** ****** ** *****-***** ***.

John Honovich
Aug 10, 2021
IPVM

* ***** *** **** ******* ** people ******* ***** ***** ***** **** is **** ***** **** ******** "***** home" *** ******** ******* *** **** transfer, *** *** *****-***** ******* ** the ***** *** ** ****-***** ** share ******** *** ** ******** *** the ***.

******* ** **** ** *** ******* from *** ************* **** **** ***** Western ********'* **** ****** ******* *********, e.g. ** ***. *** ********* **** I *** *** *** ************'* ********* is **** **** ******* *** **** storage ** ******* ********* ******** ** guarantee **** *** ************ *** ****** that **** **** ***** ********* (******* it ** * *** ******* ********* data ****** *** *** ** * PRC ******* ********* **** ****** *** USA). **'* **** ********* ** ***** or ***** ********* **** ***** **** even ** **** ********** ****** *** that *** **** ** ***** **** locally.

Undisclosed Integrator #4
Aug 10, 2021

** *** **** ** ******* * policy ** *** **** ****** *** to ****** **** ******* (** ***** own ****) **** *** ** *** past ******** ***************.

******** **** "*****" = ******* ****'* server. *** ** *** *****?

**? ** ***.
