China's internet oversight authority has completed implementation of the China cybersecurity law, which was first introduced at the end of 2016. The law was aimed at tightening state control over the internet by the Chinese government. Although some of the practices that the law describes were not new and had already been implemented informally by many companies operating in China before the law took effect, this act prescribed specific guidelines and punishments for non-compliance.
The latest China cybersecurity law has had broad implications for technology companies operating in the Mainland. It also covers a wide range of areas which were not explicitly defined until the enactment of the law.
In this post, we are going to summarize the most important points of the law, specifically those having the broadest implications.
5 Most Important Takeaways from China cybersecurity law
#1: Real name requirements
The law makes sure that users’ anonymity online will no longer be tolerated – every messaging service and social network operating in China is now required to verify users’ identity. Only real names must be used and users’ personal information must be verified by providers, who are required to deny service to anyone who refuses to comply.
Many Chinese internet companies had already been gradually implementing these requirements before the law took effect. After it became official, some retroactive action also affected existing users who hadn’t been properly verified. Failure to pass verification now typically results in account suspension.
#2: Data localization
Article 31 of the new China cybersecurity law requires that citizens’ personal information must be stored within China’s borders. In addition to personal data, the regulation loosely defines “other important data gathered and produced during operations” which must also be stored on local servers. This clause applies to “critical information infrastructure operators” which, in effect, means any network provider with a large user database.
This requirement has already affected companies that presently have to move users’ data overseas for processing. Such companies are not able to continue doing this without applying for government permission. Some foreign tech companies, such as Apple, were forced to store their user data locally, which already caused backlash from some users.
#3: Prohibited content
Network operators are officially required to censor content and remove any prohibited material. The law states that “any person and organization shall, when using the network, abide by the Constitution and laws, observe public order and respect social morality”.
It further expands on what is considered illegal content to circulate online: “activities harming national security, propagating of terrorism and extremism, inciting ethnic hatred and ethnic discrimination, dissemination of obscene and sexual information, slandering or defame others, upsetting social order, harming the public interest, infringing of other persons’ intellectual property or other lawful rights and interests”.
#4: Technology “backdoors”
The “cybersecurity” part in the China cybersecurity law was further expanded by including a requirement to submit to security reviews by authorities. Article 23 stipulates that “for the needs of national security and criminal investigation, investigating organs may request network operators provide necessary technological support and assistance in accordance with laws and regulations.”
This part has already been causing concern among foreign technology companies, as the requirement could also mean providing encryption backdoors or other surveillance assistance to the government. Fortunately, the requirement of source code disclosure in an earlier draft version was removed amid protests from the US and other countries.
#5: Critical information infrastructure sectors
The law further defines so-called “critical information infrastructure” industries, which include telecommunications, energy, transportation, information services, finance, public services, military and government networks as well as “networks and systems owned or managed by network service providers with massive numbers of users”.
Those sectors are specifically singled out for additional checks and measures for establishing security safeguards enacted by the State Council.
#6: Legal responsibility
Chapter IV of the China cybersecurity law prescribes punishments and penalties for violators. The fines range from RMB 10,000 to 1 million and can be applied to both organizations and individuals.
Repeated violations will result in temporary or permanent service suspensions, revocation of business licenses, freezing of assets and criminal responsibility.