China CSL Overview Flashcards
Name the two categories of operators that are subject to the CSL’s requirements
The CSL applies to “Network Operators” and operators of “Critical Information Infrastructure” (CII).
What does the term “Network Operators” actually include?
The CSL defines “Network Operators” as “owners, operators, and service providers of networks”. Absent further clarification from the authorities, this may capture any company that provides services or conducts business through a computer network, including one that merely runs an internal corporate intranet.
What does the term “CII Operators” actually include?
The scope of CII is equally broad. It covers companies in critical sectors such as radio and television, energy, transport, water conservancy, finance and public services, as well as any other information infrastructure that “will result in serious damage to state security, the national economy and the people’s livelihood and public interest if it is destroyed, loses function or encounters data leakage.”
True or False: CII Operators are subject to more stringent requirements versus regular Network Operators.
True. CII Operators are companies that operate in critical sectors, and the CSL imposes more stringent requirements on them than on ordinary Network Operators (for example, data localization and security review of procured network products and services).
What are the data localization requirements that CII Operators are subject to under the CSL?
“Personal information” and “important data” collected or generated by CII operators in China must be stored in China.
Do network operators have the obligation of data localization?
No. The CSL imposes no explicit data localization requirement on ordinary Network Operators.
Are both network operators and CII operators subject to the requirements re cross-border transfer of personal information?
Yes. The June 13, 2019 CAC draft measures on the cross-border transfer of personal information
What is the procedure that a network operator must follow when transferring “personal information” or “important data” overseas?
When a Network Operator needs to transfer such data overseas, it must demonstrate the necessity of the export and conduct a self-assessment of the security risks; where a threshold test is met, it must instead submit to an official security assessment.
Are Network Operators also subject to data localization requirements under the CSL?
No. However, new draft measures address security assessments for “Network Operators”, seemingly subjecting not only CII Operators but also Network Operators to the security assessment requirement for cross-border transfers.
True or False: The CSL requires CII Operators to undergo a national security review when purchasing network products and services that may impact national security.
True.
How is “personal information” defined in the Personal Information Security Specification?
“All kinds of information, recorded by electronic or other means, that can be used, alone or combined with other information, to identify a specific natural person or reflect activities of a specific natural person.”
True or False: Important network products and services that may implicate China’s national security and their supply chain will be subject to a security review by the sector regulator to ascertain whether they are “secure, controllable, and transparent.”
True. [Note: The term “secure and controllable” has not been formally defined, but commentators appear to understand it to mean a preference for domestic products, with backdoor access for the government, over foreign products and technologies. Sector regulators will assess supply chain security risks at all stages of the life cycle of products and their key components.]
What are Network Operators required to do to protect network security under the CSL?
- Designate security personnel – Appoint personnel responsible for network security (Article 21)
- Implement security protocols – Establish internal security management systems according to a tiered network security protection system guideline (to be released by the State Council) (Article 21)
- Adopt appropriate technological measures – Adopt appropriate technologies to investigate, prevent and combat cyberattacks (Article 21)
- Establish complaint-reporting procedure – Disclose how a security complaint can be reported, establish and implement the reporting procedure (Article 49)
What are Network Operators required to do to protect personal data under the CSL?
- Consent – Obtain consent before collecting personal data, the collection of which must be related to the services of the Network Operator (Article 41)
- Notice – Explicitly state the purpose, means and scope of the collection and use of personal data (Article 41)
- Breach notification – In the event of a data breach, notify the affected individuals, report the breach to the relevant government departments and take remedial actions (Article 42)
- Deletion and correction – Delete personal data collected in violation of law or agreement, and correct inaccurate personal data, on the user’s request (Article 43)
What content-management obligations do Network Operators have under the CSL?
- Monitor user content – Monitor content published by users (Articles 46-47)
- Remove illegal content – Remove unlawful user content (Article 47)
- Record and report – Report unlawful content to authorities and keep records (Article 47)