OVERVIEW AND BACKGROUND
The National People's Congress ("NPC") of the People's Republic of China ("China" or "PRC") issued a draft Anti-Terrorism Law (the "Draft Law") for public comment on 3 November 2014. As of the end of February 2015, the Draft Law had moved into its second draft, but the revised draft is not yet in the public domain.1 As of the date of this writing, deliberations on the Draft Law are ongoing, notwithstanding media speculation that it had been dropped.2 One of the striking points about the Draft Law is that at no point does it define "terrorism", leaving the interpretation of this to the Chinese authorities, but the concept will no doubt encapsulate domestic as well as external threats.
The Draft Law, in its published first draft form, requires providers of telecommunications services (i.e. basic and value-added telecoms services providers) (电信业务经营者) ("Telecoms Service Providers") and providers of internet services (互联网服务提供者) ("Providers of Internet Services") within China to actively cooperate with government authorities in their fight against terrorism. It mandates, among other things:
- equipment such as servers and data for users in China deployed or held by Telecoms Service Providers and Providers of Internet Services to be kept onshore;
- Telecoms Service Providers and Providers of Internet Services to install technical portals accessible by the Chinese government (so-called "back doors");
- Telecoms Service Providers and Providers of Internet Services to submit password/cryptographic schemes to the Chinese authorities for review;
- pre-rollout security assessments for applications before online release;
- operators of network and information systems to adopt monitoring, reporting, early detection, censorship, and emergency response measures; and
- special protection measures for key targets identified by Chinese government departments, including important telecoms and Internet networks and systems.
The penalties for not complying are steep. Noncompliant products and technologies will be ordered to be taken off the market. Companies may be liable for up to RMB 500,000 in penalties, and certain persons in charge and directly responsible persons may face not only monetary fines, but also up to 25 days in detention.
IMPLICATIONS FOR FOREIGN TECHNOLOGY COMPANIES AND INVESTORS
These measures, and the accompanying penalties, have far-reaching implications for technology companies, particularly foreign technology companies, some of whom have variously described these measures as "burdensome," "intrusive" and "worrying."
The U.S. Obama administration has also expressed concerns. While these concerns were largely rebuffed by Chinese government spokespeople and the Chinese press,3 the controversy was enough to prevent the Draft Law from being taken up for a formal reading in the recent annual session of the National People's Congress, engendering speculation that it had been shelved. The Chinese Foreign Ministry has, however, confirmed that deliberations are ongoing and that formulation of this law is an "important necessity."4
One thing is certain: China, which to date has never had a comprehensive anti-terrorism law, is going to pass an anti-terrorism law in the near future in one form or another. It will be interesting to watch whether Chinese legislators – and later the agencies that will implement the law – will be able to strike a balance between suppressing terrorism and stifling deployment of new technologies and innovation, and whether technology companies, especially foreign technology companies, will be able (or willing) to continue to develop, promote, and maintain cutting-edge and leading-edge proprietary technological solutions in mainland China after its implementation. Hovering over all of this is the 'elephant in the room': the concern that foreign technology is not secure and cannot be trusted, particularly in sensitive contexts, in part exacerbated by the Snowden revelations but in fact a long-running concern in China. On this front, there is a sense that in this most sensitive space, if pushed to choose between upsetting foreign investors in China and providing greater protection against what China perceives as terrorist threats, the latter is likely to win out.
ONSHORE LOCATION OF SERVERS AND DATA
The Draft Law requires Telecoms Service Providers and Providers of Internet Services in China to place all relevant equipment and keep all China customer data within the Chinese mainland.5 Those who refuse to do so will not be allowed to offer services in China.6 The Draft Law does not define the expression 'Providers of Internet Services', and the expression is ambiguous, with a broad interpretation stretching to all commercial or non-commercial website operators.
Current rules and a number of pending draft rules already contain server/data location requirements for certain industries, such as e-banking, e-insurance, credit reporting and network-based payment services.7 The Draft Law, however, would expand this generally to all Providers of Internet Services, regardless of industry.
While the Draft Law requires that equipment and data be located onshore, it does not address the important question of whether copies or back-ups may also be simultaneously maintained offshore. In the absence of a prohibition, this is presumably permitted, subject to any other restrictions in the law on export of data.
INSTALLATION OF ACCESS PORTALS AND REGISTRATION OF PASSWORD SCHEMES
The Draft Law requires Telecoms Service Providers and Providers of Internet Services to set up technological access portals and to submit password/cryptographic schemes to the department in charge of cryptography for review.8 For many companies, this is akin to providing the keys to the vault containing their most sensitive and confidential data.
Furthermore, companies engaged in encrypted transmission services over the Internet must submit their password/cryptographic schemes to government departments for cyberspace and public security and cooperate with investigations.9
Public security and national security authorities will be able to use these portals as part of their terrorism prevention and investigatory activities, and they may further order service providers or users to provide assistance for technological encryption and decryption support.10 In short, China will want the keys to all encrypted traffic carried by Telecoms Service Providers and Providers of Internet Services.
Products and technologies failing to meet these requirements cannot be placed in use, and those already in use will be immediately ordered taken out of use.11
PRE-ROLLOUT SECURITY ASSESSMENT OF APPS
Under the Draft Law, a Telecoms Service Provider or a Provider of Internet Services may be punished if it releases a new application ("App") online without having undertaken a network information security assessment and, as a result, the transmission of materials with contents relating to terrorism ("Terrorist Content") takes place.12
8 Draft Law, Article 15, Paragraph 2.
9 Draft Law, Article 16, Paragraph 2.
10 Draft Law, Article 16, Paragraph 3.
11 Draft Law, Article 15, Paragraph 2.
Unfortunately, this requirement is only included in the penalties provisions of the Draft Law, and no other operative provisions directly reference online Apps or pre-release security assessments, or provide any further guidance on what is required to achieve compliance.
ADOPTION OF MONITORING, REPORTING, EARLY DETECTION, CENSORSHIP, AND EMERGENCY RESPONSE MEASURES
The Draft Law requires the operators of network and information systems to adopt technical and administrative measures to strengthen preventative network security, technical testing, early warning capabilities, and emergency response measures in accordance with national laws and regulations and standards issued by organs of the state.13 This provision is general and vague, and we expect that additional follow-on legislation and standards will be adopted providing specifics.
Telecoms Service Providers and Providers of Internet Services must implement censorship mechanisms to prevent and eliminate transmission of information with Terrorist Content.14 They will be required to delete and report such Terrorist Content on discovery,15 and/or on the orders of various government departments, and cooperate with government investigations.16 This raises the question of how they will achieve compliance with this: presumably the major Telecoms Service Providers will be able to buy in specialist 'sniffer software' that detects word strings, but query whether this is practical or affordable for all Telecoms Service Providers or Providers of Internet Services.
SPECIAL PROTECTION MEASURES FOR KEY TARGETS, INCLUDING IMPORTANT TELECOMS AND INTERNET NETWORKS AND SYSTEMS
Special measures are to be taken for key targets as determined by government departments in consultation with the relevant work units/enterprises.17 Key targets may include telecoms and Internet companies, facilities and networks that relate to the national economy and people's livelihood, public security and national security.18 Various special measures will have to be designed and implemented by enterprises that are key targets in close cooperation with government departments.19
Among these, enterprises that operate and manage basic information networks and critical information systems that relate to the national economy and people's livelihood, public security and national security will have to take special measures, including:
- implementing cyber security management systems and security technology protection measures,
- clarifying security responsibilities, establishing cyber security monitoring and early warning systems,
- strengthening security monitoring and early warning notification, and
- supporting basic information networks and critical information system security.20
When basic information networks and critical information systems suffer a major attack, they must promptly report to the various departments in charge of cyber-security and assist in launching an incident investigation and emergency response.21 Reading the provision, the sense is that these enterprises are holders of critical, sensitive assets and hence are more likely to be domestic capital enterprises, but it cannot be ruled out that it would apply to certain foreign-invested enterprises.
17 Draft Law, Article 27, Paragraph 1.
18 Draft Law, Article 27(3).
19 See Draft Law, Articles 28 and 32.
20 Draft Law, Article 28, last paragraph.
Under the Draft Law, Telecoms Service Providers and Providers of Internet Services who fail to fulfill the various above-mentioned obligations may be fined up to RMB 500,000 by the public security authorities.22 Their main persons in charge and directly responsible personnel may be fined up to RMB 100,000, and in serious circumstances may be placed in detention for up to 25 days.23
A different penalty provision is included for failure to implement measures relating to the operation and management of basic information networks and critical information systems that relate to the national economy and people's livelihood, public security and national security.24 The penalties for the latter begin with warnings and orders for rectification.25 If the company refuses to undergo rectification, the company may be fined up to RMB 500,000 and its main persons in charge and directly responsible personnel may be fined up to RMB 100,000.26