Since last week, China has banned and barred the use of unregistered VPN servers – and thus the use of free Internet access. From a Western perspective, this raises concerns about data protection. Is this part of the new Chinese law for cyber security in force since June 2017?
Data protection regulated by the Cyber Security Act
China confirmed its willingness to further open markets and the economy at the World Economic Forum in Davos yesterday, according to Liu He, a key business consultant to President Xi Jinping. And also at the National Congress of the Chinese Communist Party (CPC) at the end of November 2017, a key report stated that economic reforms must focus on improving the property rights system and the market-oriented allocation of production factors. How does this fit in with the stricter regulations on Internet use from a Western perspective?
China’s new cyber security law came into force on 1 June 2017. In addition to the focus on cyber security, the law also regulates the handling of personal information and data by companies – a sensitive area. And it turns out that the handling of information and data is regulated in detail as well as in European regulations on data security and data protection. But the Chinese interpretation also contains national components.
Personal data protection in China
Under the new Cyber Security Act, the collection of a user’s personal data requires the user’s consent, and network operators must treat the data collected as strictly confidential. Personal data standards are also in accordance with European standards for personal data. In addition, the new cyber-security law requires critical information infrastructures (CIIOs) in China to store personal data and important data collected and generated in China and to perform annual security risk assessments of their data.
Who are the operators of critical information infrastructures?
The precise definition of CIIOs has not yet been finalised, but there are indications that the new rules will affect all foreign companies operating in China. According to designs by the Chinese Cyberspace Administration of China (CAC), virtually all personal information and important data collected by network operators in China will have to be stored within China and should not leave China – only after a security assessment. Since the new Cyber Security Act does not distinguish between internal and external networks, it is broad enough to include any company with an internal network.
No comprehensive data protection regulation in China
Even with the new cyber security law, China is not aiming for comprehensive data protection regulations. Instead, it regulates data protection and cyber security issues through a series of industry-specific laws such as the Medical Practice Act, the Commercial Banking Act, the Anti-Terrorism Act, the Postal Act and the provisions on the protection of personal data of telecommunications and Internet users. In addition, there is no central data protection authority in China that is responsible for enforcing data protection laws.
How does the current locking of all unregistered VPN servers in China fit into the picture? It consolidates the evidence that China wants to gain more control over Internet usage and thus the flow of data.
New Chinese Internet Court
After all, since August 2017, China has set up its own court for all online proceedings. The Chinese government is responding to the significant increase in such cases of product piracy and copyright infringement in general in online commerce. The so-called Netcourt (Hangzhou Internet Court) in Hangzhou deals with the following legal cases:
- Disputes over online shopping contracts
- Online shopping product liability disputes
- Disputes over network service contracts
- Signing on the Internet, conducting disputes over financial credit agreements and disputes over small loan agreements
- Network Copyright Disputes
The new court not only has a network-related name, but also offers a comprehensive online service. Any cases should be formally submitted to the Internet court via an online form. If the lawsuit is accepted, a mediation set by the court takes place. The mediator contacts all parties involved and conducts a mediation with Internet, telephone and also video conference. If mediation is unsuccessful, the case will be accepted by the Court’s Case Filing Division. Then you can even pay the necessary fee online.