The Anti-Terrorism Law of the People’s Republic of China (the Anti-Terrorism Law), setting out new regulatory obligations for Telecommunications Service Operators and Internet Service Providers, was passed by the Standing Committee of the National People’s Congress of China on 27 December 2015 and came into force on 1 January 2016.
In contrast to the well established and comprehensive anti-terrorism legislation in place in the US and EU, China, until recently, lacked a single, integrated system governing its terrorism prevention efforts. Instead, provision was made in a number of different ways, with the earliest legislative effort in the field of anti-terrorism being traced back to 2001. In April 2014, after a series of terrorist attacks, China decided to speed-up the pace of establishing new rules for national security by drafting its first inclusive Anti-Terrorism Law. On 27 December 2015, after over a year of preparation and several rounds of revision, the government announced that the Anti-Terrorism Law would come into force on 1 January 2016. Alongside a number of articles which provide a broad legislative framework to support to the country's stance against terrorism, the law sets out several specific obligations for Telecommunications Service Operators and Internet Service Providers (Operators and Providers) within China. These obligations are likely to have a significant impact on the TMC sector as a whole.
Key obligations for Operators and Providers
In order to assist Operators and Providers in their compliance efforts, we have summarised the key obligations set out in the Anti-Terrorism Law that apply to companies falling within this definition.
1. Obligation to provide ‘technical support and assistance’ for the prevention of or investigation into terrorist activities
The Anti-Terrorism Law contains provisions for Operators and Providers in order to require them to provide ‘technical support and assistance’ to public security authorities for anti-terrorism related matters. Such provisions include:
- a requirement that Operators and Providers should provide a technical interface for public security authorities; and
- a requirement that Operators and Providers must assist public security authorities with decryption activities where required.
However, no further clarification is given in regard to what is expected from Operators and Providers when providing such ‘technical support and assistance’ to public security authorities. In addition to the lack of clarity surrounding these broad requirements, the Anti-Terrorism Law is unclear as to whether sensitive business information, such as source codes, will be required to be submitted to the government where deemed necessary by the supervising authorities
When comparing the Draft Anti-Terrorism Law released in November 2014 (the Draft Law), to the enacted provisions of the finalised Anti-Terrorism Law, it is evident that a number of controversial clauses, such as the requirement for Providers and Operators to install government-accessible ‘backdoors’ and to provide encryption keys to public security authorities for examination, were deleted in the drafting process. These deletions are most likely to be a compromise to the pressure exerted on legislators by multinational companies and Western media over the course of the Anti-Terrorism Law’s development during the past 12 months. Despite this concession, Operators and Providers should not be reassured into thinking that the path forward is without difficulties. The relatively generic provisions found in the law and the lack of substantiation of terms such as ‘technical support and assistance’ leaves a large amount of room for interpretation as to how to implement the requirements in practice. It is likely that the relevant industrial authorities will release further implementing rules which will further guide how companies should respond to the Anti-Terrorism Law. Compliance teams should look out for the publication of any such rules.
2. Obligation to substantively censor information content
As part of the obligations surrounding the censorship of certain information content, Operators and Providers are required to:
- enact network security and information content monitoring systems, as well as safety and technical prevention measures, to avoid the dissemination of information with terrorist content;
- halt further dissemination where information with terrorist content is discovered;
- keep all relevant records;
- delete, where instructed by supervisory authorities, any relevant information;
- report to governmental agencies for public security and other competent divisions where required; and
- close-down websites or terminate services wherever governmental agencies deem appropriate under the Anti-Terrorism Law.
In order to comply with the new requirements, Operators and Providers must strengthen their information management systems from a compliance perspective. Action should be taken such as creating a compliance role focusing on anti-terrorism, drafting anti-terrorism policies or adding anti-terrorism rules to pre-existing policies, organising regular meetings of key personnel to ensure compliance with anti-terrorism policies and keeping a detailed record of such meetings so as to illustrate the corporate compliance with the law. Contracting parties may agree to include a term in future contracts to the effect that information suppliers and publishers are contractually bound to comply with their anti-terrorism obligations. Parties should reserve a right to terminate the contract should the other party be found in violation of this term or any of the more specific obligations under the Anti-Terrorism Law. Operators and Providers may wish to consider the inclusion of a disclaimer clause in contracts or public statements to exempt their liability in the event that the service that they provide is suspended by authorities as a result of terrorism related issues.
3. Identity verification obligations
Under the Anti-Terrorism Law, Operators and Providers are required to verify the identities of their respective users and are under an obligation not to provide services to users without clear identities or those who refuse to cooperate in the identity verification process. Such provisions are likely to have a greater impact upon corporations dealing with individual customers as opposed to corporate customers as the administration process becomes more complex.
4. Legal Liability
According to the Anti-Terrorism Law, Operators and Providers, alongside individuals in charge of companies, business sectors and other personnel who bear direct liability for the violation of the requirements set out in the Anti-Terrorism Law may be subject to fines of amounts between RMB 2,000 and RMB 500,000. A further fine in excess of RMB 500,000 may occasionally be applicable, according to the circumstances and gravity of the offence. The person in charge of companies, business sectors or other personal who bear direct liabilities may also be sentenced to between 5 and 15 days of detention.
The Anti-Terrorism Law also punishes extremism, which is not precisely defined in either the Anti-Terrorism Law or accompanying Chinese criminal legislation. Operators and Providers are potentially at risk of bearing burdensome obligations to censor information content which is considered to be linked to extremism. However, the exact extent of such obligations is unclear as without a defined meaning, the required censorship obligations are difficult to interpret. An implementation rule which follows the Anti-Terrorism Law may hopefully provide a definition of what constitutes ‘extremism’, therefore offering greater certainty to Operators and Providers.
The new effective Anti-Terrorism Law places a number of new obligations on Telecommunications Service Operators and Internet Service Providers. It requires them to provide with technical support and assistance in governmental investigations on terrorism activity and to substantively censor information content considered by the authorities to be associated to terrorism or extremism. In order to comply with the regulatory requirements, Operators and Providers operating within China may need to review internal compliance mechanisms, revisit contractual terms with customers and suppliers to address anti-terrorism issues and include statements about anti-terrorism into customary public announcements which are provided to service users when gaining access to the services provided by such Operators and Providers. Compliance teams should look out for implementing rules providing additional detail on the precise content of the new requirements.