On January 1, 2016, China’s National People’s Congress Standing Committee enacted the new Anti-Terrorism Law (反恐怖主义法) that gives broad powers to the Chinese authorities to access and handle data held by telecommunications operators and internet providers (together, “Technology Companies”). This law provides a legal framework to compel Technology Companies to cooperate and assist the Chinese authorities to combat the threat of “terrorism.”
The Anti-Terrorism Law broadly defines “terrorism” as “any activity or proposition that through violence, sabotage, threat, or other means, generates social panic, undermines public security, infringes upon personal and property rights, or menaces state authorities and international organizations with the aim of realizing a political, ideological, or other purpose.” Due to this flexible definition, critics of this law have voiced concerns that the Chinese authorities may use its discretionary powers in broad ways, such as oppressing dissent in China, in the name of preventing terrorism. These concerns are particularly salient for telecommunications operators and internet providers that place a high value on the open flow of communications, and could face global backlash for perceptions that they restrict free speech.
Critics have also voiced concerns about the data protection consequences of the new law. Among the articles of the Anti-Terrorism Law aimed at preventing terrorism, two articles have particular data privacy implications for Technology Companies.
- Article 18 requires Technology Companies provide technical assistance to public security agencies in their prevention and investigation of terrorist activities. The scope of assistance expected of Technology Companies remains unclear as Article 18 of the Anti-Terrorism Law provides that Technology Companies are expected to provide decryption technology, technical interfaces, and “other technical support assistance.” The breadth of flexibility of this provision gives Chinese authorities discretion to determine the kind and scope of assistance they can require from Technology Companies. Particularly as debate heats up in the United States over government demands for decryption assistance, this provision may well lead to further tension and cybersecurity concerns for Technology Companies.
- Article 19 requires Technology Companies have in place network security and content monitoring systems, together with safety measures to prevent dissemination of terrorist or extremist content. If terrorist or extremist content is discovered, Technology Companies are required to prepare a report for public security agencies or other relevant departments. Technology Companies are also expected to have a censorship mechanism to ensure that dissemination of the terrorist or extremist content is halted immediately, and that relevant information is deleted. Critically, this provision applies to information held outside of China as well.
As a result, the Anti-Terrorism Law provides significant, broad and flexible rights for Chinese authorities that present data security and privacy concerns in China, and can effectively require Technology Companies to disclose sensitive information to prevent terrorism, including any activity that is deemed to undermine public security or menace the state or any international organization with any purpose. Furthermore, because the terms “telecommunications operators” and “internet service providers” are not defined under the Anti-Terrorism Law, these terms may be widely interpreted by the Chinese authorities to cover all companies or individuals providing or connected with internet and telecommunications services in China. Entities that could be considered a Technology Company operating in China should review their network security and encryption systems to prepare for and consider how they might respond to requests by the Chinese authorities under the Anti-Terrorism Law.