The Standing Committee of the National People’s Congress of the People’s Republic of China promulgated the PRC Anti-Terrorism Law, which has now been in effect for a little over two months (it became effective January 1). Implementing regulations have not yet been issued, but are expected to be forthcoming and are hoped to provide further guidance on how the law will be interpreted. The stated purpose of the New Law is to guard against and punish terrorist activities, strengthen anti-terrorist initiatives, and safeguard national security, public security, and the security of the lives and property of the people. Namely, to protect against “terrorism,” broadly defined to include actions and behavior which uses violence, intimidation, and other means to create social panic, endanger public safety, harm persons or property, or coerce State organs or international organizations in order to achieve political, ideological, or other objectives. It is hoped that the forthcoming guidance will provide greater clarity around the definition of terrorism and extremist content.

The new law has several specific provisions that relate to data privacy. In particular, it sets out potentially onerous requirements and obligations for telecommunications operators and internet service providers. There is no definition of “telecommunications operator” or “internet service provider,” nor any further guidance as to the scope of what these terms cover. Again, it is hoped that the implementing regulations will provide clarification. The law could potentially apply to a wide range of providers, including e-commerce businesses and data storage and mobile application providers.

Telecoms operators and internet service providers are required to provide technical support and assistance to assist the relevant PRC security authorities to investigate and prevent terrorist activities. This includes an obligation to supply technical interfaces and decryption technology to such agencies for this purpose, if required. In addition, telecoms operators and internet service providers must implement network security and monitoring systems to identify and prevent the dissemination of terrorist or extremist content. If information with such content is detected, the operators and providers have a duty to stop any transmission of this information, retain relevant evidence, delete offending information, and report the situation to the relevant PRC security agencies. A broad group of business operators and service providers is now also required to verify the identity of customers and clients before providing any services. This includes the following sectors: telecoms; internet; finance; hotels and lodgings; long-distance passenger transportation; and motor vehicle rental.

Penalties for failing to comply with the new law include both fines and detention. Companies can be fined RMB 200,000 – 500,000 (USD $30,000 – $80,000 [approx.]), and directly responsible managers or other responsible persons can be fined up to RMB 100,000 (USD $16,000 [approx.]). In cases deemed serious, the fine for companies can be above RMB 500,000, and the fine for responsible persons can be RMB 100,000 – 500,000. In addition, responsible persons may be detained for 5 – 15 days by security agencies.

There is no definition of responsible persons for this purpose. This potentially could include the legal representative, directors and officers, general manager, and other senior management personnel of a company in China.

TIP: It is unclear at this point how strictly the PRC authorities will enforce and use this new anti-terrorism law. Unless and until implementing regulations are issued, it is hard for companies to know exactly how to react. Nevertheless, given the wide potential implications from a technology, IP, and data privacy perspective, foreign companies operating in China should monitor developments closely, review their existing technology and security systems, and develop internal protocols for handling any requests from the PRC authorities.