China passes new Cybersecurity Law – you have seven months to comply if you wanna do biz in Middle Kingdom
None of this is good news
On Monday, the Chinese government officially passed its 2016 Cybersecurity Law. From June 2017, all companies doing business in the Middle Kingdom will have to obey the new rules.
The legislation, approved by the National People's Congress, takes away the last vestiges of anonymity for China's 710 million internet users, and ensures that the state has the right to censor certain types of content – or even shut down large sections of the local internet – in the name of national security.
Internet users must not engage in such activities as "the overturn of the socialist system," "disseminating violent, obscene or sexual information," or "disseminating false information to disrupt the economic or social order."
"Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes," said Sophie Richardson, China director of Human Rights Watch. "The already heavily censored Internet in China needs more freedom, not less."
But businesses operating in the country will also have to be much more on the ball about online security. All security incidents must be reported to a central government register and users must be told if their data has been hacked. "Persons who are directly in charge and other directly responsible personnel" can be fined up to RMB100,000 ($14,760) apiece for failure to comply.
All network operating companies in China will have to store users' logs for six months and pass a security check if they want to take that data outside national borders. They must also give "technical support and assistance to public security organs and state security organs," when "preserving national security and investigating crimes."
If you're deemed to be running infrastructure judged critical to the Chinese economy (this includes the finance sector), then the demands and penalties are even more onerous. Such companies will have to store all users' data on Chinese servers and give the authorities technical assistance should they wish to investigate.
Critical infrastructure providers also have to buy their equipment from a list that has been government tested and approved. Failure to do so will result in a fine equal to up to 10 times the purchase price of the equipment, and fines of up to RMB100,000 for staff found to be responsible.
In many ways there are a lot of good ideas in the Chinese government's new laws, and ordinary internet users haven't lost more than they already had. As ever with legislation, all now depends on how far the government is willing to enforce it. ®