The Standing Committee of the National People’s Congress (the “NPC”) passed the 9th Amendment to the Criminal Code in August 2015, and the new Anti-terrorism Law about four months later. Both have come into effect by now, with provisions concerning cybersecurity. We would like to offer our observations and comments on these and other recent developments, as an update to our previous alert on China’s “Internet Sovereignty” and Emerging Cybersecurity Regime.
Fast Pace on Security Law-making
Our first observation is that both pieces of legislation were passed within a relatively short period of time. In the case of the 9th Amendment to the Criminal Code, three readings as well as a public consultation process took place within the span of less than 10 months. Similarly, the Anti-terrorism Law started the legislative journey in November 2014 when it received first reading, and reached the finish line by the end of December 2015. Considering that the Anti-terrorism Law is a new law and the first of its kind, and a new law generally takes two to three years to pass in China, this legislative pace is quite remarkable.
Diagram I - Legislative Progress in a Snapshot
A short while ago, the new National Security Law wrapped up three readings even faster, in less than 8 months, and was enacted with immediate effect. Apparently, security-related legislation has been at the top of the NPC’s law-making agenda. The Cybersecurity Law, on which public comments were gathered over six months ago, is set to be next. A second reading may take place very soon, and formal promulgation is expected within 2016.
Obligations on Service Providers in Cyberspace
As far as cyberspace is concerned, the Anti-terrorism Law imposes three specific obligations on “telecom business operators” and “Internet service providers”:
- to provide technical support to authorities in their efforts to combat terrorism, specifically, to provide a technical interface in the network or decryption assistance as may be requested on the occasion (Article 18)
- to adopt appropriate security measures, monitor and prevent dissemination of terrorist or extremist content, and cooperate with government investigations (Article 19)
- to verify customer identity and refrain from serving customers who fail to pass identity check (Article 21)
Companies will be fined for non-compliance in an amount between RMB 200,000 and 500,000. In serious cases, however, a higher fine can be imposed, possibly along with an order to cease operation. It is noted that directly responsible individuals will also be subject to penalties, which in serious cases include fines up to RMB 500,000 and administrative detention up to 15 days.
Enforcement of the Anti-terrorism Law is led by the Ministry of Public Security and the Ministry of National Security, under the direction of the National Anti-terrorism Leadership Group, and assisted by the judiciary, the army and the police.
Who Are Caught?
The terms “telecom business operators” and “Internet service providers” are not defined under the Anti-terrorism Law. Questions thus arise as to who should consider themselves bound by these obligations.
- Telecom Business Operators
In the context of China’s telecommunication regulations, we suggest that this term should refer to companies operating on the strength of a basic telecom license or a value-added telecom license of any service category.
- Internet Service Providers
The term is defined in a department regulation of the Ministry of Public Security, namely, the Provisions on the Technical Measures for the Protection of Internet Security (“Internet Security Provisions”). We find it a very useful reference in understanding and interpreting the scope of “Internet service providers” under the Anti-terrorism Law, given the pivotal role the Ministry of Public Security plays in the promulgation and enforcement of the Anti-terrorism Law.
“Internet service providers”, according to the Internet Security Provisions, refers to “the entities that provide to users Internet access services, Internet data center services, Internet information services and Internet surfing services”. “Internet data center services” is further explained to include “server hosting or leasing, rental of virtual space, etc.”.
We should point out that “Internet information services” technically covers all websites that are hosted on servers deployed in China, whether they are regarded as “operational” (thus requiring an ICP license) or “nonoperational” (thus an ICP recordal is sufficient). Provision of “Internet information services” may even be construed to include mobile apps operating through servers located in China. Admittedly, this scope is alarmingly wide, extending to potentially all corporate and business websites. However, from a practical point of view, the enforcement authorities seem more likely to engage directly with the infrastructure and connectivity providers to trace and eliminate terrorist content, than to request technical assistance from individual websites.
Controversial Requirements Are Gone?
Many have noticed that some of the more controversial language in the earlier draft was removed in the final text. This includes the requirements to file encryption plans with the authority, to pre-install a technical interface in the network, and to store relevant equipment and users’ data within China.
Welcome as this move is, whether these requirements are really gone is not certain until we see the Cybersecurity Law in its final form. We cannot exclude that the legislators dropped these particular issues under the Anti-terrorism Law, only to leave them to be addressed in a more suitable piece of legislation, namely the Cybersecurity Law.
Criminal Liabilities for Jeopardizing Cybersecurity
Following the 9th Amendment to the Criminal Code, network service providers may be exposed to criminal liabilities, if they:
- fail to comply with network security management obligations, causing large-scale dissemination of illegal information or other serious results (Article 286)
- knowingly provide technical support (such as Internet access, server hosting, network storage or communications transmission) to aid crimes committed through information networks (Article 287)
In both cases, the offence will lead to up to 3 years’ imprisonment or criminal detention, and/or fines. In case the offender is an entity, personal liabilities will be pursued against the “persons directly in-charge” and “other persons directly liable”.
Curiously, the 9th Amendment to the Criminal Code (as well as the draft Cybersecurity Law, and a few related regulations) uses the term “network service providers”, while the Anti-terrorism Law and the Internet Security Provisions use “Internet service providers”. We tend to believe they have the same meaning, as there seems to be no convincing reason to differentiate them, but there is room for argument. Given the importance of this concept, we hope clarifications will be offered to confirm if these two phrases are used interchangeably under Chinese laws and regulations.
The long-awaited Administrative Regulations on Maps were promulgated by the State Council in November 2015 with effect from 1 January 2016 (the “Map Regulations”).
The Map Regulations have a dedicated chapter on “Internet map services”, which has codified existing rules concerning the provision of Internet and mobile map services in China. Previously those rules were scattered in isolated circulars and regulations issued by the National Administration of Surveying, Mapping and Geoinformation.
Online navigation, geographic information uploading and marking, and map database development are among the services which require an appropriate surveying and mapping license. Such a license is still quite restricted for foreign-invested enterprises. In addition, the Map Regulations reiterate that map data must be stored on servers located within China and safeguarded by necessary security measures. Service providers are obligated, among other things, to monitor and censor information that is prohibited by the State from being shown on maps.
What To Look Out For In 2016?
As shown in the diagram below, a number of laws and regulations that have a bearing on national or public security are being drafted or deliberated at the moment. We will follow these threads, especially the progress of the Cybersecurity Law, and keep you updated.
Diagram II - Security-related Legislations in the Pipeline