Since 2015, the PRC has passed or updated comprehensive national security, cybersecurity, and data privacy laws and regulations, expanding Beijing’s oversight of domestic and foreign (including US) companies operating within China. Beijing views inadequate government control of information within China and its outbound flow as a national security risk. These laws provide the PRC government with expanded legal grounds for accessing and controlling data held by US firms in China. US companies and individuals in China could also face penalties for traditional business activities that Beijing deems acts of espionage or for actions that Beijing believes assist foreign sanctions against China. The laws may also compel locally employed PRC nationals of US firms to assist in PRC intelligence efforts.
OVERVIEW: LAWS, THEIR INTENDED PURPOSE, AND THEIR IMPLICATIONS

2023 Counter-Espionage Law Update
INTENDED PURPOSE:
- Broadens the scope of the PRC's counterespionage law.
- Expands the definition of espionage from covering state secrets and intelligence to any documents, data, materials, or items related to national security interests, without defining those terms.
- Comes into effect 1 July 2023.
Implications:
- Potential to create legal risks or uncertainty for foreign companies, journalists, academics, and researchers.
- Any documents, data, materials, or items could be considered relevant to PRC national security because of the ambiguities in the law.

2021 Personal Information Protection Law
INTENDED PURPOSE:
- Codifies the privacy rights of PRC citizens.
- Requires domestic and foreign (including US) companies to comply with reviews.
Implications:
- Controls handling of personal data within and outside mainland PRC when providing products or services to persons within the PRC.
- Restricts the ability of companies in China to gather and retain personal data.
- Authorizes the PRC government to collect personal data for actions Beijing deems to be in the public interest.

2021 Cyber Vulnerability Reporting Law
INTENDED PURPOSE:
- Requires all (including US) companies with China-based equities to report cyber vulnerabilities discovered in their systems or software to PRC authorities.
- Vulnerabilities cannot be publicly disclosed or shared overseas until PRC authorities complete an assessment.
Implications:
- May provide PRC authorities the opportunity to exploit system flaws before the vulnerabilities are publicly known.

2021 Anti-Foreign Sanctions Law (the law's name is missing from the page's table; these bullets describe its provisions)
INTENDED PURPOSE:
- Provides grounds for the PRC to take countermeasures against foreign sanctions and authorizes PRC actions against foreign persons or entities that implement or assist foreign sanctions against China.
Implications:
- Facilitates Beijing's ability to retaliate against foreign entities that it judges have "assisted" in implementing foreign sanctions.
- The threshold for "assisting" in implementing foreign sanctions is unspecified in the law.
- May compel US companies to heed PRC regulations rather than US requirements, or face legal consequences.

2017 Cybersecurity Law
INTENDED PURPOSE:
- Outlines the PRC's approach to cybersecurity.
- Mandates that critical infrastructure companies (undefined in the law) retain their data within China's borders.
- Requires data stored in the PRC to be accessible to its intelligence services.
Implications:
- Companies must localize certain types of data held within China's borders, including the data of foreign (including US) companies working in undefined critical industries.

2021 Data Security Law
INTENDED PURPOSE:
- Classifies data in a tiered system according to Beijing's interpretation of the data's importance to state security.
- Subjects cross-border data flows to additional regulatory requirements and prohibitions.
- Positions Beijing to control or deny cross-border data transfers and refuse foreign government data transfer requests.
Implications:
- Expands the PRC's access to, and control of, companies and data within China.
- Expands the PRC's ability to control the outbound flow of data.
- Imposes stricter penalties on China-based businesses (including US) for noncompliance.

2017 National Intelligence Law
INTENDED PURPOSE:
- Stipulates that citizens or private organizations must assist the PRC's Ministries of Public Security and State Security in national intelligence efforts.
Implications:
- Creates "affirmative" legal responsibilities for PRC and foreign (including US) entities to provide access to, or collaborate with, the PRC's intelligence agencies.
- May force locally employed PRC nationals of US companies to assist in PRC national intelligence efforts.

2015 National Security Law
INTENDED PURPOSE:
- Outlines whole-of-society responsibilities for the PRC's national security posture.
- Stipulates that PRC citizens and private organizations must assist the PRC government and intelligence services with security issues when ordered.
Implications:
- Mandates that domestic companies and citizens within China provide assistance to all security agencies and assist Beijing on national security issues.
- May compel locally employed PRC nationals of US companies to assist in investigations that may expose operating elements of US companies or citizens.
Link to NCSC report: ncsc_sof_prclaws_bulletin.pdf
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com