On November 7th, the latest China cybersecurity law, aimed at tightening state control over the internet, was approved by the government. Although some of the practices that the law describes are not new and have already been implemented informally by many companies operating in China, this act prescribes specific guidelines and punishments for non-compliance.
The new China cybersecurity law is going to have broad implications for technology companies operating in the Mainland and covers a wide range of areas which were not explicitly defined up until now.
In this post, we are going to summarize the most important points of the law, specifically those which are going to have the broadest implications.
5 Takeaways from the latest China cybersecurity law
#1: Real name requirements
The law makes sure that users’ anonymity online will no longer be tolerated: every messaging service and social network operating in China is now required to verify users’ identity. Real names must be used, and users’ personal information must be verified by providers, who are required to deny service to anyone who refuses to comply.
Many Chinese internet companies had already been gradually implementing these requirements before the law took effect. Now, as it becomes official, it is reasonable to expect some retroactive action affecting existing users who haven’t been properly verified. Failure to pass verification would most likely result in account suspension.
#2: Data localization
Article 31 of the new China cybersecurity law requires that citizens’ personal information must be stored within China’s borders. In addition to personal data, the regulation loosely defines “other important data gathered and produced during operations” which must also be stored on local servers. This clause will be applied to “critical information infrastructure operators” which, in effect, means any network provider with a large user database.
This requirement is certain to affect companies that presently have to move users’ data overseas for processing. Such companies may not be able to continue doing this without applying for government permission. Some foreign tech companies, such as Apple, already store their user data locally.
#3: Prohibited content
Network operators are now officially required to censor content and remove any prohibited material. The law states that “any person and organization shall, when using the network, abide by the Constitution and laws, observe public order and respect social morality”.
It further expands on what is considered illegal content when circulated online: “activities harming national security, propagating of terrorism and extremism, inciting ethnic hatred and ethnic discrimination, dissemination of obscene and sexual information, slandering or defame others, upsetting social order, harming the public interest, infringing of other persons’ intellectual property or other lawful rights and interests”.
#4: Technology “backdoors”
The “cybersecurity” part of the China cybersecurity law is further expanded by including a requirement to submit to security reviews by authorities. Article 23 stipulates that “for the needs of national security and criminal investigation, investigating organs may request network operators provide necessary technological support and assistance in accordance with laws and regulations.”
This part has already been causing concern among foreign technology companies, as the requirement could also mean providing encryption backdoors or other surveillance assistance to the government. Fortunately, the requirement of source code disclosure in an earlier draft version was removed amid protests from the US and other countries.
#5: Critical information infrastructure sectors
The law further defines so-called “critical information infrastructure” industries, which include telecommunications, energy, transportation, information services, finance, public services, military and government networks as well as “networks and systems owned or managed by network service providers with massive numbers of users”.
Those sectors are specifically singled out for additional checks and measures for establishing security safeguards enacted by the State Council.
#6: Legal responsibility
Chapter IV of the China cybersecurity law prescribes punishments and penalties for violators. The fines range from RMB 10,000 to 1 million and can be applied to both organizations and individuals.
Repeated violations will result in temporary or permanent service suspensions, revocation of business licenses, freezing of assets and criminal responsibility.