0:17 Purpose of the Cyber Security Law
1:20 What Does This Law Involve?
3:15 What is the Potential Impact?
4:50 How Can SMEs Prepare for This Law?
6:12 How Can Data Companies Navigate This Law?
8:40 Transferring Data without Physical Presence in China
If you're a Canadian SME and have questions about doing business in China, please send us your questions by email at SMEGateway@international.gc.ca.
All services of the Trade Commissioner Service are FREE of charge to qualified Canadian clients.
Purpose of the Cyber Security Law
People may think of this before in terms of familiarity with China’s Great Firewall. Great Firewall was designed to keep information out of China. The Cyber Security Law (CSL) has that function but it goes beyond that to keep controls, take controls over information within China in terms of information security but also to prevent information from going out of China, unless it’s already been approved under tight security controls.
(China) It’s a one party system, and it’s a system that increasingly relies upon law. Law provides a degree of stability and uniformity across the country. We’ve seen a National Security Law (NSL), enacted and came into effect in 2015; the CSL was enacted last year and came into effect on June 1 this year; we now have a draft of Intelligence Law. So there’s a whole series of laws in this regard.
What Does This Law Involve?
In terms of the CSL, it actually goes beyond the NSL in an important respect. The CSL seeks to protect Personal Information and Important Information. The concept of Important Information is, not surprisingly, not terribly well defined. Indeed, Personal Information historically in China has not been as well protected, in terms of privacy, as would be the case in many other jurisdictions, but that is increasing, but goes beyond that in terms of identifying who is responsible for this task of protecting such information. The NSL which came first referred to the role of the critical infrastructure information and those who were responsible for maintaining those networks. The CSL goes beyond that and applies to all network operators. That means if you’re engaging in any communication internally within your operations in China, you’re a network, and so to the extent that Personal Information of your employees, your customers, etc., enters into it, then you have an obligation with respect to the Cross-Border Data Flow. If you have, for example, your central offices in Toronto, Montreal, or wherever else and you want to move your information of your employees and customers; you want to analyse the data or want to control how things are done by your subsidiary or your agent or whoever in Canada, then that Cross-Border Data Flow is going to be subject to regulation. If one is a company you have to really look at the regulations overall and determine whether you can comply with them and at what cost.
What is the Potential Impact?
The CSL has the potential to affect all industries, in a sense that if they have content and information on their customers and employees, and to some extent they gather information for their own customers. Part of the CSL is again the restriction of information that goes outside the country. So regardless which industry you’re in, the pending regulations on Cross-Border Data Flow will have an effect on you.
China has historically not had extensive privacy protections, but those are increasing. But the CSL goes beyond the privacy protections which are legitimate, and it goes beyond the protection of the cyber space from unwanted intrusions, whether in terms of espionage or criminal activity, to tightly regulate the content. That’s the biggest category in terms of the breath of companies that are affected. But if ...