In the final days of 2017, the vice chairman of the Standing Committee of China’s National People’s Congress (NPC) submitted a report to the Standing Committee of the NPC detailing the Network Security Law enforcement inspection project that began earlier in the year. This inspection had focused on five key points under the government’s overall data protection strategy:

  • Legal education
  • Supporting laws and regulations
  • Protection of critical information infrastructures and the application of graded protection for network security
  • Illegal network information
  • Personal information protections

The inspection team was led by six vice chairmen of the Standing Committee of the NPC, and conducted on-site inspections in Heilongjiang, Inner Mongolia, Henan, Chongqing, Fujian and Guangdong. In addition, the inspection team conducted a survey with more than 10,000 participants, focusing on the public interest as it relates to network security.

As a result of those combined efforts, the report that was issued provides significant insights into a variety of critical aspects both for the government’s enforcement efforts and the state of data protection in China.

Personal Information Protections

The survey, which included results from ordinary citizens and questions designed around key government concerns, provides interesting insights into the current personal information protection environment.

Perception of Excessive Personal Information Collection by Companies

Perception of “Forced” Collection of Personal Information by Companies, Otherwise Services Would Be Withheld

A large number of respondents also stated that after they noticed their own information was leaked or abused, making an effective complaint was difficult and it was not easy to establish a case against the offenders.

In the past two years, the police detected more than 3,700 cases involving infringement of personal information. From 2014 to September 2017, a total of 1,529 criminal cases of infringement of personal information were heard in courts nationwide.

Critical Information Infrastructure Protections

The concept and scope of the critical information infrastructures (CII) is a key data protection issue in China, especially for the operators of the CII, which have significantly increased obligations under the new framework. The new report detailed the amount of CII in China for the first time, stating that there are 11,590 critical network equipment and important information systems in all industries at the end of 2017.

The inspection team also authorized the China Information Technology Security Evaluation Center (ITSEC) to conduct a remote penetration test and vulnerability scanning for 120 of the selected CII. ITSEC found 30 security vulnerabilities in the 120 CII during the remote test, including 13 high-risk vulnerabilities.

A key focus of the new data protection framework and general national strategy, especially for CII, is in-country storage of data and localization of hardware and software to Chinese technologies. Accordingly, the report also highlighted risks related to an over-reliance on foreign technology, such as production control systems that were constructed by foreign companies and supporting networks or safety equipment adopting foreign products as well. Additional risks identified in this area included that the configuration of network and safety equipment was controlled by foreign personnel, and that the local personnel of the enterprises did not have configuration and management permissions for the safety equipment.

Government Successes and Opportunities for Improvement

The report released further details regarding internet management and the successes of the government’s efforts in this area. Since 2015, the Cyberspace Administration of China and other departments have closed more than 13,000 illegal websites and over 10,000,000 illegal accounts.

However, the report also noted some areas that could be improved. The inspection team observed that there are many departments that can supervise network security, and this may create administrative inefficiencies in the government’s approach, for example, by having different law enforcement departments repeat inspections on the same network operator, sometimes using different standards. In addition, even though there are many departments that have influence over cyberspace, and there were 198 national standards regarding network security in China, the report also conceded that many articles from the Network Security Law are mostly principles and may be challenging for actual implementation; for example, the security assessment obligation before a cross-broader transfer of data, which is a clear requirement in the law, still lacks key details about how it must be implemented.

Next Steps and Recommendations from the Report

At the end of the report, the inspection team submitted several suggestions to the Standing Committee of the NPC, which can be viewed as potentially part of the roadmap for the government’s data protection efforts during 2018:

  • Acceleration of finalizing key legislation:
    • Personal Information Protection Law
    • Regulations on the Critical Information Infrastructure Security Protection
    • Regulations on the Network Security Graded Protection
  • Clarification of key aspects of the new framework:
    • The definition and scope of CII operators
    • Instructions on how to implement the graded protection system
    • The foundation of the real-name registration system

2017 was a pivotal year in China for data protection, with the cornerstone of the new framework, the Network Security Law, coming into effect. Based on recommendations in the report and other indications from the government, 2018 will similarly be a critical year of change as many of the remaining gaps in the framework are filled and the key details become available.