In recent months, the new PRC Cyber Security Law which took effect on June 1, 2017 (“CSL”) has been a hot topic discussed heatedly. Concerns of the foreign business community have been focused on issues like the meaning of critical information infrastructure operator (CIIO) and the data export control. What remains less noticed but actually quite important is the changing administrative landscape closely associated with how the Chinese government is going to implement the CSL.
The Cyberspace Administration of China (国家互联网信息办公室 in Chinese, also known as the Office of the Central Leading Group for Cyberspace Affairs, “CAC”) is more often appearing in news headlines and playing a more and more active role under the CSL regime. It was founded in 2014 and reports to the Central Leading Group for Internet Security and Informatization (中央网络安全和信息化领导小组 in Chinese), which is headed by the top leaders of the Communist Party of China (“CPC”) including President Xi Jinping. The creation of CAC has resulted in re-shuffling of administrative power relating to the control and management of cyber affairs which used to be shared by other ministries like the Ministry of Industries and Information Technology (“MIIT”) and the Ministry of Public Security (“MPS”). This has been reflected by the various legislative moves taken by CAC recently. One controversial move was the introduction of the Measures for the Security Assessment of Export of Personal Information and Critical Data which surprisingly broadened the scope of data export control under Article 37 of the CSL (see our earlier analysis on this topic at CAC to Regulate Data Export). Besides, CAC is also trying to institutionalize its powers and functions, as can be seen from the Procedural Provisions for Administrative Enforcement on Internet Information Content Management (“Procedural Provisions”) promulgated by CAC on May 2, 2017 and took effect on the same date as the CSL. These provisions are the very first set of procedural rules formulated based on the CSL and the implications are worth noting.
Nation Wide Setup
In the past, the administrative power of regulating and managing internet related contents was shared by many other authorities. According to Article 18 of the Administrative Measures for Internet Information Service promulgated by the State Council and revised on January 8, 2011, these authorities include e.g. MIIT, State Administration of Press, Publication, Radio, Film and Television of the People’s Republic of China (“SAPPRFT”), Ministry of Education, Ministry of Health, State Food and Drug Administration, MPS, State Administration for Industry and Commerce. The landscape changed in 2014 when CAC was established by the State Council. According to a notice issued by the State Council on August 26, 2014, CAC was authorized to be in charge of internet information and content management across the country including the respective enforcement. However, this notice is very simple which contains only one sentence in the aforesaid authorization. It remained unclear how CAC was going to conduct its work until official effectiveness of the CSL and promulgation of the Procedural Provisions which substantiate the organizational and procedural framework.
The Procedural Provisions indicate that CAC is not an army of one seated in Beijing, but rather a nation-wide network comprised of CAC in Beijing as well as its various local branches. There are very detailed rules under these provisions clarifying the issue of enforcement jurisdiction among local level CACs. In principle, a local CAC at the place of offense (e.g. location of website, operator’s seat, connection point, hardware whereabouts) will have competency over the case. Important and complicated cases shall be handled by CACs at provincial level, which may further be escalated to CAC in Beijing if such importance and complication has national influence and significance. The Procedural Provisions also include other rules very much similar to the procedural rules of Chinese courts such as designated jurisdiction and transfer of jurisdiction. There are also rules clarifying how CAC shall transfer a case to other bodies like the procuratorate (criminal offense), MIIT (ICP license and online news license).
A case may be initiated by CAC, whistle-blowing or enforcement by other administrative authorities. Subject to the challenge principle, at least two CAC staff shall be assigned to handle a case. The Procedural Provisions set forth detailed work flow for an enforcement case from case establishment, investigation, hearing, punishment decision, enforcing to case closing, which is quite alike the flow set forth under the Law of Administrative Punishment.
On the other hand, the Procedural Provisions bear a strong “cyber feature”, e.g. very detailed definition is given to electronic data which may serve as digital evidence in a case. The definition moves with the times by mentioning popular social media and online solutions like webpage, blogger, Weibo, instant messenger (WeChat), forum, Tieba, cloud drive, emails and network back end. The definition further reflects a more mobile digital time by mentioning where electronic evidence (including audio and video) may be stored, e.g. mobiles, portable storage (USB) and cloud besides traditional PCs and servers.
By attaching various standardized formalities, the Procedural Provisions provide a very detailed guidance on how to conduct a digital case investigation, e.g. digital evidence shall be collected according to – besides laws and regulations – national and industrial standards and technical norms. Completeness, legitimacy, trueness and relevance of digital evidence shall be ensured during the collection and retrieving process. During an investigation, the enforcement officials shall – among others – collect and freeze digital evidence in time. As far as there is a possibility of evidence loss, the enforcement officials may take evidence preservation measures to detain the respective hardware where the prescribed formalities are supposed to be used.
What remains an interesting question is why CAC is taking such a formalistic and institutionalized approach to explain how it works. Quite often in the past a newly created agency would choose to remain mysterious. CAC is obviously different. To some extent this reflects the fact that it receives strong support from the top level political leadership (i.e. it is at the same time an execution agency of the CPC to lead and coordinate cyber security policies). The confidence to stay transparent also goes hand in hand with the desire and strategy of the country to strengthen its position in the cyber world where no border exists and global cooperation is necessary. Such cooperation could only be encouraged and achieved by an open and transparent approach, in particular when China intends to shoulder more responsibility in today’s world.
From a technical point of view, the Procedural Provisions appear fairly neutral. Detailed procedural guidance is always good for business to follow during any dawn raids. However, the administrative power reshuffling as reflected by the rise of CAC will have an impact on business practice. Stay in tune and get the right message behind the scene will be critical for international operation to properly navigate under the new CSL regime.