China’s much-anticipated Cyber Security Law (CSL) will come into effect on 1 June 2017. The new law is the first comprehensive law to address cyber security concerns at the national level and to some extent consolidates cyber activities captured in other laws and regulations. The move by China to beef up its laws and regulations governing cyber activity is not dissimilar to what is happening around the globe. However, deciphering exactly who is captured and what is covered is leaving companies unsure as to how they will comply with this vague and potentially onerous law.
Who will be captured by the law?
It is very likely that many multinational companies (MNCs) will feel the heat. The brunt of the CSL currently falls on “critical information infrastructure” (CII) operators. The broad definition of CII encompasses not only traditional critical industries such as power, transport and finance, but also other infrastructure that could, as outlined in the law, harm the “people’s livelihoods”. This means that any foreign company that is a key supplier to a ‘critical’ sector, as well as any company that holds significant amounts of information on Chinese citizens, could become a prime target for regulators seeking to enforce the CSL.