December 2015 Blog

China: Cyber Security Law

The first draft of the network security law in China was posted on the official website of the National People's Congress for public comment until August 5, 2015, and the law is expected to become effective at the end of 2015 or beginning of 2016.

It clarifies the security obligations of network product and service providers (using, for example, networks owned or managed by others), which shall inform users about risks such as security defects and vulnerabilities and continuously provide security maintenance services. Suppliers of network products and services shall also clearly inform users and obtain user consent where their products and services are capable of collecting user information.

The draft requires network operators (providing services such as network access, including fixed and mobile phones, or registration of domain names, for example) to take measures such as data classification, backup and encryption of important data to prevent theft or falsification of network data. It also stipulates an online real-name system for users to ensure that network information is traceable. Accordingly, users must provide their ID information when signing contracts with network operators in order to obtain such services.

Since China does not yet have a comprehensive national data protection law, it is noteworthy that the draft also generally covers the protection of personal information (in particular information that can be used solely or together with other information to identify citizens’ personal identity), privacy and business secrets of users.

However, the draft includes many unclear terms and definitions, such as "operators of critical information infrastructure", and vague legal concepts, such as the security review organized by the State-level cyberspace administration authorities (undetermined) together with relevant departments under the State Council (undetermined). There is therefore a risk that the (draft) network security law will be abused to promote domestic industries and, first and foremost, to protect national interests by reference to national security. For example, the operators of critical information infrastructure are required to store important data (such as personal information of citizens) within China, and a security review must be passed where overseas data storage or the provision of data to overseas organizations or individuals is required, which certainly restricts the free cross-border flow of data.

The upcoming promulgation of the cyber security law and other explosive legal issues for foreign investors in China in this regard, such as the internet censorship firewall, restrictions in the telecommunication sector, the use of encryption technology, data processing, or cloud computing, should be carefully taken into consideration in advance.

Dr. Oliver Maaz, Attorney (Shanghai)
