China Internet Security Law
|China Internet Security Law|
|Standing Committee of the National People's Congress|
|Territorial extent||People's Republic of China but excludes China's Special Administrative Regions.|
|Enacted by||Standing Committee of the National People's Congress|
|Enacted||7 Nov 2016|
|Commenced||1 Jun 2017|
|Status: In force|
The Cyber Security Law of the People's Republic of China, commonly referred to as the China Internet Security Law, was enacted to increase cybersecurity and national security, safeguard cyberspace sovereignty and public interest, protect the legitimate rights and interests of citizens, legal persons and other organizations and promote healthy economic and social development.
This law was enacted by the Standing Committee of the National People's Congress on November 7, 2016 and was implemented on June 1, 2017. It requires network operators to store select data within China and allows Chinese authorities to conduct spot-checks on a company's network operations.
The Chinese Ministry for Industry and Informatization(中华人民共和国工业和信息化部) justified the law as the means of pursuing the ‘Going Out’ strategy(走出去) they have persisted on ever since 1999.
Cybersecurity is recognized as the “Basic Law.” This puts the law on the top of the pyramid-structured legislation on cybersecurity. The Law is an evolution of the previously existent cybersecurity rules and regulations from various levels and fields, assimilating them to create a structured law at the macro-level. The Law also offers principle norms on certain issues that are not immediately urgent, but are of definite long-term importance. These norms will serve as a legal reference when new issues arise.
The law created
- The principle of cyberspace sovereignty
- Defined the security obligations of internet products and services providers
- Detailed the internet service providers' security obligations
- Further perfected the rules of personal information protection
- Established a security system for key information infrastructure
- Instituted rules for the transnational transmission of data at critical information infrastructure.
The Cybersecurity Law is applicable to network operators and businesses in “critical sectors.” By critical sectors, China roughly divides the domestic businesses into Networking businesses that are involved in telecommunications, information services, energy transport, water, financial services, public services, and electronic government services.
These definitions mean the law is applicable to almost all businesses in China that manage their own email or other data networks. Network operators are expected, amongst other things, to: clarify cybersecurity responsibilities within their organization, take technical measures to safeguard network operations and prevent data leaks and theft; and report any cybersecurity incidents to both users of the network and the relevant implementing department for that sector.
The Law is composed of supportive subdivisions of regulations that specify the purpose of it. For instance, the CII Security Protection Regulations and Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data. However, the law is yet to be called fixed, since China's government authorities are occupied with defining more contingent laws to better correspond the Cyber Security Law. By incorporating preexisting laws on VPN and data security into the Cyber Security Law, the Chinese government is reinforcing business law in China.
The Cybersecurity Law also provides elaborate regulations and definitions on legal liability. For different types of illegal conduct, the Law sets a variety of punishments, such as fines, suspension for rectification, revocation of permits and business licenses, and others. The Law accordingly grant cybersecurity and administration authorities with rights and guidelines to carry out law enforcement on illegal acts.
Although the censorship affects the whole nation, it does not affect China's special administrative regions such as Hong Kong and Macau. This is because these regions enjoy a high degree of autonomy, as specified in local laws and the "One country, two systems" principle.
Along with the Great Firewall, restrictions raise concerning voices, especially amongst foreign companies. Regarding the requirements for spot-checks and certifications, international law firms have warned that companies could be asked to provide source code, encryption, or other crucial information for review by the authorities, increasing the risk of this information being lost, passed on to local competitors, or used by the authorities themselves.
The law sparked complaints both internally and internationally due to its wording. Foreign companies and businesses in China expressed concerns that this law might impede future investments in China, because the law now requires them to "store their data on Chinese-law regulated local servers, and cooperate with Chinese national security agencies if asked to," which could potentially compromise business secrets and sensitive information.
To comply with the law, for instance, Apple announced that it would transfer the operation of iCloud in Mainland China to a government-sponsored data company named Guizhou-Cloud Big Data. Meanwhile, online services, including Skype and WhatsApp, refused to store their data locally and were either banned from operating in China or restrained from further expansion.
Article 9 of the cybersecurity law states that “network operators … must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility.” Such vague provision is suspected to increase the government's guard to interpret and assert the need to intervene. Such interventions would include investigations which could disperse into government trade associations requesting spot-checks at the foreign firm.
Foreign firms are now placed between two choices: One, they could invest in new data servers in China to comply with data localization or incur new costs to hire a local server provider, such as Huawei, Tencent, or Alibaba, which have spent billions in recent years establishing domestic data centers as part of Beijing's 12th Five-Year Plan (2011-2015). The substantial investment by these Chinese technology firms in recent years is one of the reasons for which critics believe that the new law is partly designed to bolster the domestic Chinese data management and telecommunications industry against global competitors.
However, an international firm in China reported to PGI that the intention of the law is not to prohibit foreign businesses from operating in China, nor is it to boost Chinese competitiveness. In fact, with regards to a study by Matthias Bauer and Hosuk Lee-Makiyama in 2015, data localization causes minor damage to economic growth due to inefficiencies that arise from data transfer processes and the duplication of data between several jurisdictions. As a matter of fact, the requirement for data localization should instead be seen as a legal move by Beijing — bringing data under Chinese jurisdiction will make it easier to prosecute entities seen as violating China's internet laws.
The president of AmCham South China, Harley Seyedin, claimed that foreign firms are facing “mass concerns” because the law has greatly increased operating costs and has had a big impact on how business is done in China. More specifically, he stated that the cyber security law continues to create “uncertainties within the investment community and it’s resulting in, at the minimum, postponement of some R&D investment.”
The law was widely criticized by social activists for limiting freedom of speech. For example, the law explicitly requires most online services operating in China to collect and verify the identity of their users, and, when required to, surrender such information to law enforcement. Activists claimed that that this policy dissuades people from freely expressing their thoughts online.
- "Cyber-security Law of the People's Republic of China". Asiapedia. Dezan Shira and Associates.
- "网络安全法（草案）全文_中国人大网". www.npc.gov.cn. Archived from the original on 2016-10-29. Retrieved 2018-04-14.
- Wagner, Jack (2017-06-01). "China's Cybersecurity Law: What You Need to Know". The Diplomat. Retrieved 2018-12-14.
- Lulu, Xia, and Zhao Leo (2018-08-21). "China's Cybersecurity Law: An Introduction for Foreign Businesspeople". China Briefing. Retrieved 2018-12-14.CS1 maint: multiple names: authors list (link)
- 网易. "网络安全法明确了网络空间主权原则_网易新闻". news.163.com. Archived from the original on 2019-07-03. Retrieved 2018-04-14.
- "《网络安全法》正式施行 为个人信息加把"锁"". 中国网.
- 103411. "网络安全立法中的关键信息基础设施保护问题--理论-人民网". theory.people.com.cn. Retrieved 2018-04-14.
- "专家解读《网络安全法》 具有六大突出亮点-新华网". www.xinhuanet.com. Retrieved 2018-04-14.
- Gierow Johannes, Hauke (2015-04-22). "Cyber Security in China: Internet Security, Protectionism and Competitiveness: New Challenges to Western Businesses" (PDF). China Monitor, Merics: Mercator Institute for China Studies. Retrieved 2018-12-14.
- "Understanding China's Cybersecurity Law INFORMATION FOR NEW ZEALAND BUSINESSES" (PDF). Ministry of Foreign Affairs and Trade, and New Zealand Trade and Enterprise. Sep 2017. Retrieved 2018-12-14.
- Nick, Beckett (Nov 2017). "A Guide for Businesses to China's First Cyber Security Law". China Monitor, Merics: Mercator Institute for China Studies. Retrieved 2018-12-14.
- "中国施行《网络安全法》 外企为何担忧？". BBC 中文网. 2017-05-31. Retrieved 2018-04-14.
- "Learn more about iCloud in China". Apple Support. Retrieved 2018-04-14.
- "多家中国区应用商店下架Skype". 纽约时报中文网 (in Chinese). 2017-11-22. Retrieved 2018-04-14.
- Hu, Huifeng (2018-03-01). "Cybersecurity law causing 'mass concerns' among foreign firms in China". South China Post. Retrieved 2018-12-14.
- "中国《网络安全法》草案出炉 恐加强言论管制". BBC 中文网 (in Chinese). Retrieved 2018-04-14.