With China’s passage this month of its Cyber Security Law (the “Law”; unofficial English translation on China Law Translate), much of the attention in the international business community has focused on how business obligations will change for mainland China operations and how the law will generally affect cross-border handling of customer, operations, and other data. These are all legitimate questions, and this attention is bound to create additional questions for China’s regulators to answer.
There is another area worth considering: To what extent may foreign businesses and individuals use the Law’s mandates to seek relief for data breaches and other cyber security compromises?
Recent reports have identified concerns over particular companies in China that manufacture Internet of Things (IoT) devices and distribute online application software, concerns that implicate the security of Internet infrastructure companies outside of China and the privacy of users overseas. In one account, attackers may have exploited a security vulnerability in closed-circuit security cameras to conscript those IoT devices into a botnet attack against a major Internet infrastructure company. Another report, by Kryptowire, identified firmware on mobile devices that collected user information from device applications and sent it to the firmware administrator in China. That information included text message content, contact lists, call history, device identification data, and in some instances, location information.
The Law does not take effect until June 1, 2017, and presumably would not reach the IoT manufacturer or firmware company at issue in these reports unless the problems identified there remain unrectified on that date. These incidents, however, are not likely to cease; if anything, they are more likely to proliferate in both volume and variety.
Under the Law, an IoT manufacturer may be considered a “network operator” (as a “network service provider” under Art. 76) or a provider of “network products,” or perhaps of “critical network equipment” or “specialized network security products” (Arts. 22-23). In turn, a firmware administrator could be considered a “network operator” or an “application software download service provider” (Art. 48). The security obligations the Law imposes depend on which of these categories the company falls into.
In particular, network operators are obligated to undertake measures to prevent network intrusions and immediately take remedial measures upon discovering that their products and services have security flaws or vulnerabilities (Arts. 21-22). The Law also requires a network operator to obtain consent from a person to gather data and prohibits the operator from gathering personal information unrelated to the services it provides or providing it to others without the person’s consent (Arts. 41-42).
Similarly, an application software download service provider is also required to perform security management duties (Art. 48), although the Law does not spell out that provider’s other obligations in the detail it does for a network operator. A prior administrative regulation (the Ministry of Industry and Information Technology’s “Provisions on the Protection of Personal Information of Telecommunications and Internet Users”; the “Provisions”) prohibits telecommunication business operators and Internet information service providers (which may cover firmware administrators in the situation described here) from collecting user information without consent, and requires those entities to inform users about that collection and to limit it to what is necessary for providing the service (Provisions, Art. 9).
Those Provisions, unlike the Law, do not contain a private right of action. The Law contains a general civil liability provision: when violations of the Law “cause harm to others,” then “civil liability is borne in accordance with law” (Art. 74). What is the scope of that civil action? The General Principles of Civil Law (the “GPCL”), issued by the National People’s Congress, address individual liability under contract and tort theories and provide that liability may exist in the absence of fault where the law so provides (GPCL, Art. 106). The GPCL sets forth relief that includes court orders to terminate infringing conduct and compensation for loss (GPCL, Art. 134).
Notably, the Law defines “personal information” in terms of any natural person (Art. 76(5)), whereas prior versions defined the term as relating to citizens of the People’s Republic of China. In theory, then, foreign private citizens could bring court action in China against companies that violate their obligations regarding the collection of personal information under the Cyber Security Law. Foreign companies that suffer damage at the hands of Chinese companies covered by the Law may also have a right of action.
Under PRC civil procedural law, however, a plaintiff will be hard pressed to discover and obtain supporting evidence absent an existing administrative finding or sanction. More practically, it is not clear whether a court will treat a foreign plaintiff’s claim against a domestic network operator or other entity covered by the Law the same way it would treat a domestic plaintiff’s claim.
As suggested above, the Law is not clear on these issues of civil liability, just as it is less than specific on a number of its data protection obligations. A number of questions arise: How concrete must an injury be before a plaintiff can sue? What proof must a plaintiff introduce for a defendant company to be held liable under the Law? What kinds of damages would be available? How would injunctive relief be enforced? And if there is parallel civil litigation in the United States, how will Chinese and U.S. courts handle the conflicting proceedings? As these incidents continue to grow, we can expect Chinese courts to be asked to decide these important issues.