European Chamber Comments on Cybersecurity Law (Second Reading Draft)
2016-08-03 | Beijing, Shanghai
1. General Comments
Since its establishment 16 years ago, the European Chamber has been committed to engaging with the relevant ministries and other government agencies, and to actively participating in public consultations on laws and regulations.
The European Chamber welcomes the decision of the NPC to publicly call for comments on the Cybersecurity Law (Second Reading Draft). Having circulated the draft among the members of its relevant working groups, the European Chamber would like to submit the following comments for the NPC's consideration.
The Cybersecurity Law is formulated so as to “ensure network security, to preserve cyberspace sovereignty, national security and the societal public interest, to protect the lawful rights and interests of citizens, legal persons and other organizations, and to promote the healthy development of economic and social informatization.” In the context of economic globalisation, cybersecurity is without doubt becoming increasingly important. The European Chamber understands and supports China's right to preserve cybersecurity and the need for a dedicated law on this subject, as this is a concern for business as well.
Compared to the Cybersecurity Law (Draft) released in 2015, the second reading draft introduces some positive changes, including the newly added reference to the establishment of “a network governance system that is multilateral, democratic and transparent” and the requirement that information obtained during critical information infrastructure protection be used only for “the protection of network security” and “must not be used in other ways”. The European Chamber commends these provisions, which still need to be implemented, and hopes that the general and detailed suggestions below can help to fulfil these positive commitments.
Nonetheless, the European Chamber has also noticed some remaining issues in the second reading draft that might contradict the positive developments mentioned above.
- Lowered clarity and certainty relating to certain terms
To some extent, the second reading draft is less clear and certain than the 2015 draft: it includes many broad terms whose precise scope and addressees remain undefined. This lack of clarity and certainty creates significant compliance risk for “network operators” in China while granting the competent authorities wide powers, and can therefore have a far-reaching impact on the international business community. In light of this, the European Chamber hopes that clear and reasonable definitions of such terms can be provided, either in the present law or in forthcoming regulations and standards, so that the government's goal of protecting cybersecurity can be achieved while adverse impact on domestic enterprises and foreign-invested enterprises (FIEs) is avoided as far as possible. Such ill-defined terms include, but are not limited to:
- Scope of “critical information infrastructure”
- Definition of “secure and trustworthy” and its relationship with other similar terms
- Definition of “citizens' personal information”
- Definition of “important data” and “important business data”
- Definition of “network operators”
- Definition of the “tiered network security protection system” and its relationship with the “multi-level protection scheme (MLPS)”
- Meaning of “technical support and assistance”
- Other relevant authorities and departments, and relevant laws and regulations
- Secure and trustworthy
Article 15 of the second reading draft requires the promotion of “secure and trustworthy cyber products and services”. The European Chamber invites the relevant authorities to provide, as early as possible, a reasonable definition of “secure and trustworthy”. In addition, a series of already released laws, regulations and policy documents refer to similarly unclear terms, including “indigenous and controllable”, “secure and controllable” and “secure and reliable”, which makes implementation and compliance difficult. According to information available on the websites of the Standardisation Administration of China (SAC) and the National Information Security Standardisation Technical Committee (TC260), TC260 is currently formulating a series of standards with evaluation indicators for the security and controllability of information technology products. With a view to ensuring clear, fair and stable rules and creating a policy environment favourable to compliance and business development, the European Chamber and its members hope that the relevant authorities could:
- Avoid any interpretation of such terms that may lead to discrimination against FIEs;
- Explain the differences and similarities between “indigenous and controllable”, “secure and controllable”, “secure and reliable” and “secure and trustworthy”;
- Clarify whether the standards currently being formulated for evaluating the security and controllability of information technology products can also be used to evaluate “security and trustworthiness” as referred to in the second reading draft, as well as compliance with similar requirements.
Overly broad and vague terms can have an adverse impact on legitimate business, open up avenues for this law to be misread as a tool to protect domestic industry, and limit the development of legitimate business, especially foreign business; this would not be in line with the original purpose of the Cybersecurity Law. The European Chamber therefore sincerely hopes that the present law and the forthcoming laws, regulations and standards will further clarify the above terms and use them consistently across legal documents, so that both domestic enterprises and FIEs can better comply with the Cybersecurity Law and assist China with the protection of its cybersecurity.
- Data localisation
Article 35 of the second reading draft stipulates that “citizens' personal information and other important business data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People's Republic of China, shall be stored within mainland China”. This continues the localisation requirement of the previous draft and expands its scope to important business data, a term that is still undefined. Furthermore, this article removes the possibility of storing data overseas. The European Chamber understands that this requirement was introduced to reinforce cybersecurity and data protection; however, it brings technical difficulties and operational burdens to both Chinese domestic enterprises and FIEs, with limited added value for security. The European Chamber therefore believes that cybersecurity measures should reflect the borderless, interconnected and global nature of today's business environment, and that it is more important to focus on how data is processed, stored and maintained than to forcibly restrict cross-border data flows.
Indeed, localisation not only complicates backups, fail-over and data loading, it also has the reverse effect on security: it adds a new layer of software to existing systems that will itself become a source of vulnerabilities, bugs and attack vectors, resulting in systems that are more expensive, slower, less reliable and less secure. Moreover, restrictions on how and where data is stored or transferred pose fundamental obstacles to access to the information on which businesses, whether domestic or FIEs, and other organisations depend. The disruption ensuing from data on-shoring requirements can have a severe economic impact: in addition to constraining the growth of businesses, such requirements tend to reduce the range of services and increase prices for domestic consumers, slow down technological innovation, prevent companies from offering certain products and services, reduce foreign investment, and consequently dampen economic growth through the isolation they create.
- Network security review, testing, certification and assessment
Article 33 of the second reading draft stipulates that “critical information infrastructure operators purchasing network products and services that might impact national security shall go through a national security review organized by the State network information departments and relevant departments of the State Council”; Article 35 stipulates that when citizens' personal information and important business data collected and generated during the operation of critical information infrastructure genuinely need to be provided cross-border for business reasons, a security assessment shall be conducted in accordance with the measures developed by the State network information departments together with the relevant departments of the State Council; in addition, the second reading draft also contains provisions requiring “qualified establishments” to conduct cybersecurity certification and testing.
On this, the European Chamber would like to put forward the following recommendations for the formulation of the present law and any forthcoming rules:
- Provide, at an early enough stage, clear, proportionate and reasonable clarification of the procedures and scope of such security review, testing, certification and assessment, and of the meaning of national security, including by releasing the relevant catalogues;
- Ensure technology neutrality throughout this process and avoid requirements that are detrimental to business development, such as mandating source code disclosure.
- Openness and transparency of the standardisation and legislation process
Several articles of the draft refer to “national standards”, “industry standards” and more stringent standards. The Standardisation Law (Amended Draft for Comment) released in 2016 provides that the State encourages active “participation in activities of formulating, adopting and promoting international standards”. The industry fully supports this point and hopes that it can be implemented in the field of network security. When planning, proposing and formulating network security standards, we suggest implementing the spirit of the Standardisation Law and of the State Council's Plan for Deepening Standardisation Reform by fully referring to existing international standards, so as to avoid repetition and conflicts between standards and to create an easier compliance environment for enterprises, while guaranteeing that 1) the products and technology that Chinese enterprises use are trusted worldwide and 2) their ability to export to international markets is maintained. In addition, equal and fair rights for all stakeholders, including FIEs, to participate in standardisation activities should be clearly granted.
- Strong emphasis on personal information protection and on the responsibilities of “network operators”
Cybersecurity and data protection have different meanings. As a law dedicated to cybersecurity, the second reading draft in its present form contains too many provisions on personal information protection, which prevents it from fitting into a genuine personal information protection framework and may cause confusion and difficulties in implementation. Furthermore, like the first draft, the second reading draft places a heavy share of responsibility on “network operators”, i.e. businesses, which might restrict their development.
Below are the European Chamber's detailed comments on the Cybersecurity Law (Second Reading Draft). If further clarification is needed, please contact Ms. Xiaowen Ma, Working Group Coordinator at the European Chamber, at xwma@europeanchamber.com.cn or 6462 2066 ext. 52.