The CAC just issued its draft Cyber Data Security Administrative Rules for comments. Several interesting points:
1. it confirms my warning 2 weeks ago that even foreign firms like @google, @Meta
& @Twitter are required to comply with the new law even if they are not operating in China, and further expands the list of covered activities under Art. 3 of PIPL by adding
another category: involving important domestic data processing. If all these giant digital firms have not designated a China-compliance officer (even though they have no operation in China), they should do it now.
2. There now 4 categories of data: general data, important data, personal data and core data. Important data and personal data will get special protection, while core data will get strict protection.
3. Cyber security review is now mandated not only for IPOs in foreign countries, but even for Hong Kong!
Major platforms are also required to report to CAC when they set up headquarters or operation centers or R&D centers outside of China.
4. Art. 38 confirms my reading of Art. 38 of the new PIPL two months ago, i.e., international agreements like the RCEP can be used to allow data transfer out of China, which is also confirmed by China's former Minister of Commerce Chen Deming yesterday.
5. The biggest bombshell is Art. 41:
The state establishes a cross-border data security gateway to block the spread of information from outside the People’s Republic of China that is prohibited by laws and administrative regulations from being released or transmitted in China.
Nobody shall provide programs, tools, lines, etc. for penetrating or bypassing cross-border data security gateways, and shall not provide Internet access, server hosting, technical support, promotion, payment and settlement, application downloading for such activities.
"If domestic users access the domestic network, their traffic must not be routed overseas": this clause could potentially outlaw corporate VPNs for all MNCs in China!
Of course, these provisions are not really new. I've documented and discussed them extensively in my paper:
Gao, Henry S. “Data Regulation with Chinese Characteristics.” doi:10.1017/9781108919234.017.
I discussed extensively the requirement to use gov't-sanctioned international gateways for all Internet connections, a provision dating back to 25 years ago.
More recently, VPNs were explicitly outlawed in new rules.
however, AFAIK, this is the very first time the government openly recognizes the existence of the Great Firewall in a law/regulation.
But, for those who rush to conclude that this could violate China's @wto or RCEP obligations, the matter is not that simple as it works one-way,
i.e, by blocking info from entering China only. Apparently, it would not prevent data from being transferred out of China.
In other words, what China is building is a reverse osmosis system, just like the Great Wall.
6. Art 49 requires the platform companies to ensure "the authenticity, accuracy, and legality of the information" that they push to the users. This is the exact opposite of the safe harbor rule in the DMCA and really bad news for big companies like @BytedanceTalk!
7. There are also clauses on a National Cyber ID accreditation system (no more anonymity online); and requires platform companies to comply with government requests for data and info.
8. There's also an interesting definition section that defines what is important and core data, but my favorite is this definition on data cross-border security gateway:
an important security infrastructure that blocks access to overseas reactionary websites and harmful information, prevents cyberattacks from abroad, controls cross-border network data transmission, and prevents detection and combating cross-border cyber crimes.
Comments can be filed by Dec 13 at cac.gov.cn/2021-11/14/c_1….
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.