During 2015, China introduced several far-reaching pieces of legislation in the area of technology and cyber security. The most recent of these was the Counter-Terrorism Law (“CTL”), promulgated on December 27, 2015.
CTL contains several provisions of great significance to users of telecommunication and internet services (i.e. everyone!). Among these, certain disclosure requirements related to encryption and internet content stand out. For example, under the new law, internet service providers are supposed to “provide technical interfaces, decryption and other technical support and assistance to public security organs and state security organs”. As is common, the specific scope and practical implementation of new rules remain to be seen. In the area of encryption, it is not clear that the internet service provider would be able to assist the government even if it wanted to as many encryption tools are impenetrable without access to end-user passwords, an aspect the CTL fails to address. Further “Implementing Guidelines” should be expected during the coming twelve months.
CTL in its promulgated version does not include two controversial requirements that had been put forward at the draft stage, namely (i) a need for internet service providers to locate their servers and domestic user data in China; and (ii) a “backdoor” key into telecommunications and internet services to allow the Chinese government to “prevent” and “investigate” terrorist activities. These had for obvious reasons been subject to serious concerns, both from the business community and individual internet users.
CTL was preceded by a draft Cybersecurity Law (“CSL”), floated on July 8, 2015. CSL, when eventually promulgated in its final form, will represent China’s first comprehensive regulation of information security and privacy online. As such, it includes a right for users to access, correct, and delete personal information. Network operators are put under an obligation to notify users and relevant government departments when privacy breaches occur. Worth noting is that the draft CSL includes the type of localization requirements that were ultimately omitted in final version of CTL. How the final version of CSL deals with localization of data will have an impact on how companies with international operations, say banks or online retailers, handle Chinese customer data.
Overarching CTL and (the draft) CSL is a new Chinese National Security Law (“NSL”) promulgated on July 1, 2015. The main implication of the NSL is that the concept of “national security” is broadened beyond a previous scope mainly related to military and defense matters, into new areas that will end up being of significance to foreign businesses active in China. While NSL is a piece of framework legislation awaiting further implementing rules, it is already clear that China is expanding its “national security review” regime, which will kick in in relation to certain types of foreign investments, key technologies, “network information technology products and services”, construction projects, and other major activities that have national security implications.
In summary, the new NSL, along with (the draft) CSL and the recently promulgated CTL, highlight the ever-evolving regulatory environment that Magnusson’s clients are facing in China. Among other things, the new laws further put internet and data management issues into focus.