The definition of a CIIO in the Law is ambiguous and described as public-facing entities that maintain “critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security, national welfare and the people’s livelihood…” Examples of the sectors subject to this definition include businesses operating in public communications and information services, power, traffic, water, etc., which may very well implicate multinational corporations (Multinationals).
On April 11, 2017, the Cyberspace Administration of China released the draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (Draft Measures). Designed to implement the Law, the Draft Measures take a more expansive approach and extend the data localization requirements to Network Operators, in addition to CIIOs.
The definition of Network Operators includes, “those who own or administer a network, and to network service providers.”[2] Based on this definition, the reach of the law now extends to not only network service providers, but also those who own or administer a network, which is conceivably any private company, including Multinationals.
Although the Draft Measures are not final, they do offer a strong indication of things to come. The language of the Law and Draft Measures appear crafted ambiguously and broadly to impose sweeping measures on a range of entities, including Multinationals. For this reason, it is important for Multinationals to stay abreast of these changes and prepare for compliance once the Law and Draft Measures are effective.
Contact Zasio today to see how our consulting services can help you stay complaint and ahead of the laws evolving around the world.
[1] http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en
[2] https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2017/04/Draft-of-Measures-on-Security-Assessments-for-Public-Comment-English-translation-c.pdf
#multi-national #China #cybersecurity #localization #PersonallyIdentifiableInformation #MeasuresforSecurityAssessmentofOutboundTransmissionofPersonalInformationandImportantData #Compliance #chian
#PII #multinationals