Data Privacy & Security

Regulatory Update: China's Emerging Cybersecurity Regime (Part 1)

China's legislature passed the 9th Amendment to the Criminal Code in August 2015, and the new Anti-terrorism Law about four months later.  Both contain cybersecurity provisions and have since come into effect.  In this two-part post, we offer our observations and comments on these and other recent cybersecurity developments (as an update to our previous alert on China's "Internet Sovereignty" and Emerging Cybersecurity Regime).

Fast Pace On Security Law-Making

Both pieces of legislation were passed within a relatively short period of time.  In the case of the 9th Amendment to the Criminal Code, three readings as well as a public consultation process took place within the span of less than 10 months.  Similarly, the Anti-terrorism Law started its legislative journey in November 2014 and reached the finish line by the end of December 2015.  Considering that the Anti-terrorism Law is the first of its kind in China, and that a new law generally takes two to three years to pass in China, this legislative pace is quite remarkable.


Diagram I - Legislative Progress In A Snapshot

A short while ago, the new National Security Law wrapped up three readings in less than 8 months and was enacted with immediate effect.  Apparently, security-related legislation has been at the top of China's law-making agenda.  The Cybersecurity Law, on which public comments were gathered over six months ago, is set to be next.  A second reading may take place very soon, and formal promulgation is expected in 2016.

Cybersecurity Obligations For Service Providers

The Anti-terrorism Law imposes three specific cybersecurity obligations on "telecom business operators" and "Internet service providers":

  1. provide technical support to authorities in their efforts to combat terrorism, specifically, provide a technical interface in the network or decryption assistance as may be requested;

  2. adopt appropriate security measures, monitor and prevent dissemination of terrorist or extremist content, and cooperate with government investigations; and

  3. verify customer identity and refrain from serving customers who fail to pass identity checks.

Fines for non-compliance range between US$30,000 and US$75,000.  In serious cases, however, a higher fine may be imposed, possibly along with an order to cease operations.  It is noted that directly responsible individuals will also be subject to penalties, which in serious cases include fines of up to US$75,000 and administrative detention of up to 15 days.

Who Is Caught?

The terms "telecom business operators" and "Internet service providers" are not defined under the Anti-terrorism Law, raising the question of who will be subject to the above obligations.

(1) Telecom Business Operators

In the context of China's telecommunication regulations, we suggest that this term refers to companies operating on a basic telecom license or a value-added telecom license of any service category.

(2) Internet Service Providers

It seems logical to refer to a definition of the term contained in a department regulation of the Ministry of Public Security.  According to the regulation, the term "Internet service providers" refers to "entities that provide to users Internet access services, Internet data center services, Internet information services and Internet surfing services".  "Internet data center services" is further explained to include "server hosting or leasing, rental of virtual space, etc.".

The term "Internet information services" technically covers all websites that are hosted on servers deployed in China, whether they are regarded as "operational" (requiring an ICP license) or "non-operational" (only requiring an ICP recordal).  Provision of "Internet information services" may even be construed to include mobile apps operating through servers located in China.  This scope is alarmingly wide, extending to potentially all corporate and business websites.  However, from a practical point of view, rather than requesting technical assistance from individual websites, the enforcement authorities seem more likely to engage directly with the infrastructure and connectivity providers to trace and eliminate terrorist content.

Controversial Requirements Are Gone?

Many have noticed that some of the more controversial provisions in the earlier draft did not make it into the final text.  These include the requirements to file encryption plans with the authority, pre-install a technical interface in the network, and store relevant equipment and users' data within China.

Welcome as this move is, whether these requirements are really gone will not be certain until the Cybersecurity Law is released in its final form, as it may include some of the dropped provisions.

Contributor: Ruan Zhenyu