Understanding the Impact of China's Far-Reaching New Cybersecurity Law

According to Article 18 of the Draft CII Regulations, a network facility or information system would constitute critical information infrastructure if it is operated or managed by any entity in a greatly expanded list of industries and sectors, including finance, transportation, telecoms, internet,...

Full description

Saved in:
Bibliographic Details
Published inIntellectual property & technology law journal Vol. 30; no. 2; pp. 15 - 23
Main Authors Huang, Ling, Ilan, Daniel, Carroll, Katherine Mooney, Zhou, Zheng
Format Journal Article
LanguageEnglish
Published Clifton Aspen Publishers, Inc 01.02.2018
Subjects
Access control
Certification
Compliance
Computer crimes
Cybersecurity
Data security
Information services
Information systems
Infrastructure
Internet
Laws, regulations and rules
National security
Personal information
Provisions
Public interest
Regulation
Security management
Sovereignty
China
Online AccessGet full text
ISSN1534-3618

Cover

More Information
Summary:According to Article 18 of the Draft CII Regulations, a network facility or information system would constitute critical information infrastructure if it is operated or managed by any entity in a greatly expanded list of industries and sectors, including finance, transportation, telecoms, internet, cloud computing and big data services, provided that the "serious endangerment" test set forth in (2) above is met. [...]the Measures appear to expand the scope of Article 37 by setting forth requirements for local data storage and cross-border data transfer that apply to any network operator rather than just to operators of critical information infrastructure. [...]the CCL has not identified what form of consent would meet the requirement to obtain a person's consent for the cross-border transfers of personal information. [...]covered entities should consider a conservative approach with respect to obtaining such consents and monitor CCL- and privacy-related case law, as it may provide future insight as to what constitutes sufficient user consent. According to Article 8, a security assessment (including self-assessment) should focus on the following areas: necessity of data export; amount, scope, type and sensitivity of the personal information involved and whether the subject of the personal information has consented to such data export; amount, scope, type and sensitivity of any important data involved; security protection measures and capability of the data recipient, and the general environment for network security in the recipient country/region; risk of leak, destruction, abuse and tampering after data export; and risk to national security, public interest and personal rights imposed by data export and accumulation of data overseas. 8. https://docs.wto.org/dol2fe/Pages/FE_Search/FE_S_S009-DP.aspx?language=E&CatalogueIdList=238967,235083,234683,234548,233628,233629,232625,229594,229263,228945&CurrentCatalogueIdIndex=0&FullTextHash=&HasEnglishRecord=True&HasFrenchRecord=True&HasSpanishRecord=False.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:1534-3618