Tuesday, July 28, 2015
China Issues Draft Network Security Law
On July 6, 2015, China’s National People’s Congress released a draft of a new Network Security Law for public comment through August 5, 2015. While the draft consolidates a number of previously-issued obligation for network operators, it adds several new ones: a requirement that data breaches be notified to users, as well as to government authorities; a prohibition on transfers of certain types of sensitive personal information outside of China, unless approved by national network administration authorities; and the creation of a new category of personal data, namely "personal biometric information." According to Covington & Burling, provisions of the draft law "reflect a recent trend of tightening rules regarding cross-border data transfers. It will be more burdensome for multinational companies operating critical information infrastructure in China to transfer personal data internationally, whether intra-group or to third parties (such as data processing contractors)." Like most high-level laws, the draft Network Security Law employs broad language, leaving many aspects of interpretation and clarification to implementing rules that will be issued by government regulators.