New anti-terrorism legislation became effective on 1 January 2016, underlining China’s focus on information and network security and potentially having a significant impact on technology companies active in China. Under the new law, telecommunications and internet service providers may be forced to hand over sensitive data to the Chinese authorities. Many foreign companies doing business in China could be affected. We will monitor how the new law will be implemented.

As previously discussed in In context, the Chinese government is introducing a series of new laws aimed at tightening control over matters that may affect national security. The new anti-terrorism law is part of this agenda and follows the recent adoption of China’s National Security Law in July 2015 and the publication of the draft Cybersecurity Law in July 2015.

The anti-terrorism law was first published in draft form in November 2014. The draft law included several controversial provisions that received fierce criticism from various governments and businesses outside China. US President Barak Obama raised his concerns with Chinese President Xi Jinping. Two key points of concern in the draft law related to telecommunications and internet service providers having to share encryption codes with the Chinese government and having to keep servers and user data in China. Although these two controversial elements have been dropped, the new law still requires telecommunications and internet service providers to supply encryption codes and “technical means of support” when requested by the Chinese authorities in the context of prevention or investigation of terrorist activities.

In addition, telecommunications and internet service providers will be required to carry out preventive measures, implement supervisory systems and prevent the dissemination of information with terrorist or extremist content. Any information which is identified as containing terrorist or extremist content must be reported to the relevant authorities. However, the definition of “terrorist information” in the new law is very broad and there is no definition of “extremist.”

The new law applies to “telecommunications and internet service providers” but the law itself does not define these terms. It is assumed that any company providing telecommunications services subject to a Chinese telecommunications licence and any company that operates a website or provides services via the internet by using servers in China is subject to the new law.

The implementing measures of the new law have not yet been issued and it therefore remains to be seen how the Chinese government will use the seemingly far-reaching discretionary powers provided under this new law. Given the potentially significant effects on many companies doing business in China, we recommend closely monitoring how the new law is implemented. More laws relating to information and network security are expected to come into effect in the course of this year. We will keep you informed of further developments.