China’s new cyber security rules, which were implemented on 1 June, are causing “lots of confusion”, says Baker McKenzie partner Nancy Leigh, who believes that companies should not make “any drastic changes” to their data infrastructure until further clarity is provided.
“Basically there are still so many holes [in the regulations],” Leigh said at the Hong Kong Technology Conference last Friday. “At this point of time, you still don’t know how to change.”
Since the rules pertain to all ‘network operators’ – which is believed to include banks that have an online presence – Leigh said she has been “drowning with phone calls and emails” from clients, both before and after the enforcement date.
Yet, companies have been afforded a grace period that extends through 2018, giving both regulators and banks a year and a half to come to terms with the new regulations.
According to Leigh, much of the confusion relates to the definitions and applications of various terms used.
For instance, the rules state that a critical information infrastructure operator (CIIO) will have local residency requirements regarding “personal information and important data” – meaning security assessments must be carried out when data is sent overseas.
But since the Cyberspace Administration of China (CAC) is yet to clarify what constitutes “important data”, Leigh advises that companies “wait and see” before making changes to their data infrastructure.
Leigh said that of China’s existing data protection regulations, the new rules are the most stringent to date.
KT Gan, cyber security partner at PwC, told Asian Private Banker recently that China is “catching up to the international standards in terms of the protection of personal information”.