Cybersecurity Law of the People's Republic of China

From Wikipedia, the free encyclopedia
  (Redirected from China Internet Security Law)
Jump to navigation Jump to search
Cybersecurity Law of the People's Republic of China
National Emblem of the People's Republic of China (2).svg
National People’s Congress
  • Cybersecurity Law of the People's Republic of China
CitationCybersecurity Law (English)
Territorial extentPeople's Republic of China but excludes China's Special Administrative Regions.
Enacted byStanding Committee of the National People's Congress
EnactedNov 7, 2016
CommencedJun 1, 2017
Related legislation
Data Security Law, National Intelligence Law, National Security Law (China)
Summary
A law formulated in order to: ensure cybersecurity; safeguard cyberspace sovereignty and national security, social and public interests; the lawful rights and interests of citizens, legal persons, other organizations; and promote the healthy development of the informatization of the economy and society.
Keywords
Cybersecurity, National Security, Cyber sovereignty
Status: In force

The Cybersecurity Law of the People's Republic of China, (Chinese: 中华人民共和国网络安全法) commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People’s Congress with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security.[1] The law is part of wider series of laws passed by the Chinese government in an effort to strengthen national security legislation. Examples of which since 2014 have included a Law on National Intelligence, the National Security of the People’s Republic of China (not to be confused with the Hong Kong National Security Law) and laws on counter-terrorism[2] and foreign NGO management,[3] all passed within successive short timeframes of each other.

History[edit]

This law was enacted by the Standing Committee of the National People's Congress on November 7, 2016, and was implemented on June 1, 2017.[4] It requires network operators to store select data within China and allows Chinese authorities to conduct spot-checks on a company's network operations.[1]

Cybersecurity is recognized as a basic law. This puts the law on the top of the pyramid-structured legislation on cybersecurity. The law is an evolution of the previously existent cybersecurity rules and regulations from various levels and fields, assimilating them to create a structured law at the macro-level. The law also offers principal norms on certain issues that are not immediately urgent but are of long-term importance. These norms will serve as a legal reference when new issues arise.[5]

Provisions[edit]

The law created:

  • The principle of cyberspace sovereignty[6]
  • Defined the security obligations of internet products and services providers
  • Detailed the security obligations of internet service providers.
  • Further refined rules surrounding personal information protection[7]
  • Established a security system for key information infrastructure[8]
  • Instituted rules for the transnational transmission of data from critical information infrastructures.[9]

The cybersecurity law is applicable to network operators and businesses in “critical sectors.”[1] By critical sectors, China roughly divides the domestic businesses into networking businesses that are involved in telecommunications, information services, energy transport, water, financial services, public services, and electronic government services.[10] Some of the most controversial sections of the law include articles 28, 35, and 37.

Article 28 compels vaguely defined "network operators", (interpreted to include: social media platforms, application creators and other technology companies), to cooperate with public security organs such as the Ministry of Public Security and hand over information when requested.

Article 28: Network operators shall provide technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law.

— Section 1: 'Ordinary Provisions'

Article 35 is targeted at purchases of foreign software or hardware by government agencies or other "critical information infrastructure operators", requiring any hardware of software purchased to undergo review by agencies such as China's SCA or State Cryptography Administration, potentially involving the provision source codes and other sensitive proprietary information to government agencies paving the way state theft of intellectual property or transmission to domestic competitors.[11] Above all, the article creates further regulatory burdens for foreign technology companies operating in China, indirectly creating a more favourable playing field for domestic competitors which would naturally be more prepared to comply with the regulations.

Article 35: Critical information infrastructure operators purchasing network products and services that might impact national security shall undergo a national security review organized by the State cybersecurity and informatization departments and relevant departments of the State Council.

— Section 2: 'Operations Security for Critical Information Infrastructure'

Article 37 creates the requirement of data localisation, meaning that foreign technology companies such as Microsoft, Apple and PayPal operating in the Chinese market are obligated to store Chinese user data on Chinese servers in mainland China providing an easier access route for Chinese intelligence and state security agencies to intercept data and communications, while expanding the power of the ruling Chinese Communist Party to target dissent and surveil citizens.[12]

Article 37: Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.

— Section 2: 'Operations Security for Critical Information Infrastructure'

The law is applicable to all businesses in China that manage their own servers or other data networks. Network operators are expected, among other things, to clarify cybersecurity responsibilities within their organization, take technical measures to safeguard network operations, prevent data leaks and theft, and report any cybersecurity incidents to both users of the network and the relevant implementing department for that sector.[13]

The law is composed of supportive subdivisions of regulations that specify the purpose of it. For instance, the Core Infrastructure Initiative (CII) Security Protection Regulations and Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data. However, the law is yet to be set in stone since China's government authorities are occupied with defining more contingent laws to better correspond with the cybersecurity law. By incorporating preexisting laws on VPN and data security into the cybersecurity law, the Chinese government reinforces its control in addition to emphasize has the need for foreign companies to comply with domestic regulations.[14]

The cybersecurity law also provides regulations and definitions on legal liability. For different types of illegal conduct, the law sets a variety of punishments, such as fines, suspension for rectification, revocation of permits and business licenses, and others. The Law accordingly grant cybersecurity and administration authorities with rights and guidelines to carry out law enforcement on illegal acts.[15][citation needed]

Although censorship affects mainland China, Hong Kong and Macau are exempt under the principle of “one country two systems” and the maintenance of separate and independent legal systems.

Related Regulations[edit]

In July 2021, the Cyberspace Administration of China issued “Regulations on the Management of Security Vulnerabilities in Network Products” requiring that all vulnerabilities be reported to the Ministry of Industry and Information Technology (MIIT) and prohibits the public disclosure of vulnerabilities, including to overseas organizations.[16]

Reactions[edit]

Along with the Great Firewall, restrictions stipulated in the law have raised concerns, especially from foreign technology companies operating in China.[17] Regarding the requirements for spot-checks and certifications, international law firms have warned that companies could be asked to provide source code, encryption, or other crucial information for review by the authorities, increasing the risk of intellectual property theft, information being lost, passed on to local competitors, or being used by the authorities themselves.[1] The Federal Bureau of Investigation warned that the law could force companies transmitting data through servers in China to submit to data surveillance and espionage.[18]

The law sparked concerns both domestically and internationally due to its phrasing and specific requirements.[19] Foreign companies and businesses in China expressed concerns that this law might impede future investments in China, since the law requires them to "store their data on Chinese-law regulated local servers, and cooperate with Chinese national security agencies".[20] Potentially increasing the risk of intellectual property theft and lost of trade secrets in the process.

Since its inception many foreign technology companies have already complied with the law. Apple for example, announced in 2017 that it would invest $1 billion in partnership with local cloud computing company Guizhou Cloud Big Data or GCBD to construct a new data center located in China's Guizhou province for the purposes of compliance.[21] Simultaneously, the company also announced that it would transfer the operation and storage of iCloud data to Mainland China.[22] Microsoft also announced an expansion of its Azure services in partnership cloud computing company 21Vianet through investment in more servers.[23] Meanwhile, online services, such as Skype and WhatsApp which refused to store their data locally and were either delisted from domestic app stores or restricted from further expansion.[24]

Article 9 of the cybersecurity law states that: “network operators … must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility.” Although some arguments and doubts arise, such a vague provisions are widely suspected to increase the government's scope to interpret and assert the need to intervene in business operations and restrict the free flow of information and speech. Such interventions would include investigations which could disperse into government trade associations requesting spot-checks foreign firms. Among other things the law further signals the determination[according to whom?] of the Chinese government in strengthening its control over data and technology companies.[citation needed]

The law forces foreign technology and other companies operating within China to either invest in new server infrastructure in order to comply with the law or partner with service providers such as Huawei, Tencent, or Alibaba, which have already have server infrastructure on the ground, saving capital expenditure costs for companies. The law is widely seen to be in line with 12th Five-Year Plan (2011-2015) which aims to create domestic champions in industries such as cloud computing and big data processing. The law is seen as a boon to domestic companies and has been criticized as creating an unfair playing ground against international technology companies such as Microsoft and Google.

Supporters of the law have stated that the intention of the law is not to prohibit foreign businesses from operating in China, or boost domestic Chinese competitiveness. A study by Matthias Bauer and Hosuk Lee-Makiyama in 2015, states that data localization causes minor damage to economic growth due to inefficiencies that arise from data transfer processes and the duplication of data between several jurisdictions. The requirement for data localization is also seen as a move by Beijing to bring data under Chinese jurisdiction and make it easier to prosecute entities seen as violating China's internet laws.[1]

The president of AmCham South China, Harley Seyedin, claimed that foreign firms are facing “mass concerns” because the law has greatly increased operating costs and has had a big impact on how business is done in China. More specifically, he stated that the cyber security law continues to create “uncertainties within the investment community, and it’s resulting in, at the minimum, postponement of some R&D investment.”[25]

The law was widely criticized for limiting freedom of speech.[citation needed] For example, the law explicitly requires most online services operating in China to collect and verify the identity of their users, and, when required to, surrender such information to law enforcement without warrant. Activists have argued this policy dissuades people from freely expressing their thoughts online, further stifling dissent by making it easier to target and surveil dissidents.[26]

See also[edit]

References[edit]

  1. ^ a b c d e Wagner, Jack (2017-06-01). "China's Cybersecurity Law: What You Need to Know". The Diplomat. Archived from the original on 2018-12-12. Retrieved 2018-12-14.
  2. ^ Blanchard, Ben (2015-12-28). "China passes controversial counter-terrorism law". Reuters. Retrieved 2021-07-21.
  3. ^ Wong, Edward (2016-04-28). "Clampdown in China Restricts 7,000 Foreign Organizations". The New York Times. ISSN 0362-4331. Retrieved 2021-07-21.
  4. ^ "网络安全法(草案)全文_中国人大网". www.npc.gov.cn. Archived from the original on 2016-10-29. Retrieved 2018-04-14.
  5. ^ Lulu, Xia, and Zhao Leo (2018-08-21). "China's Cybersecurity Law: An Introduction for Foreign Businesspeople". China Briefing. Archived from the original on 2018-12-13. Retrieved 2018-12-14.CS1 maint: multiple names: authors list (link)
  6. ^ 网易. "网络安全法明确了网络空间主权原则_网易新闻". news.163.com. Archived from the original on 2019-07-03. Retrieved 2018-04-14.
  7. ^ "《网络安全法》正式施行 为个人信息加把"锁"". 中国网. Archived from the original on 2018-12-14. Retrieved 2018-04-14.
  8. ^ 103411. "网络安全立法中的关键信息基础设施保护问题--理论-人民网". theory.people.com.cn. Archived from the original on 2018-04-15. Retrieved 2018-04-14.CS1 maint: numeric names: authors list (link)
  9. ^ "专家解读《网络安全法》 具有六大突出亮点-新华网". www.xinhuanet.com. Archived from the original on 2018-04-15. Retrieved 2018-04-14.
  10. ^ Gierow Johannes, Hauke (2015-04-22). "Cyber Security in China: Internet Security, Protectionism and Competitiveness: New Challenges to Western Businesses" (PDF). China Monitor, Merics: Mercator Institute for China Studies. Archived (PDF) from the original on 2018-12-16. Retrieved 2018-12-14.
  11. ^ "China's cyber regulations: a headache for foreign companies | Merics". merics.org. Retrieved 2021-07-22.
  12. ^ "Who Benefits from China's Cybersecurity Laws?". www.csis.org. Retrieved 2021-07-22.
  13. ^ "Understanding China's Cybersecurity Law INFORMATION FOR NEW ZEALAND BUSINESSES" (PDF). Ministry of Foreign Affairs and Trade, and New Zealand Trade and Enterprise. Sep 2017. Archived (PDF) from the original on 2019-01-23. Retrieved 2018-12-14.
  14. ^ Nick, Beckett (Nov 2017). "A Guide for Businesses to China's First Cyber Security Law". China Monitor, Merics: Mercator Institute for China Studies. Archived from the original on 2018-12-16. Retrieved 2018-12-14.
  15. ^ Lee, Jyh-An. "Hacking into China's Cybersecurity Law". Wake Forest L.
  16. ^ "China lays down new vulnerability disclosure rules". Arjun Ramprasad. Previewtech.net. June 18, 2021.
  17. ^ Uchill, Joe (October 17, 2019). "China's upgraded cybersecurity law could take a toll". Axios. Archived from the original on March 29, 2020. Retrieved April 8, 2020.
  18. ^ "Dangerous Partners: Big Tech and Beijing". Federal Bureau of Investigation. Archived from the original on 2020-04-02. Retrieved 2020-04-09.
  19. ^ Beijing, Liza Lin in Wuzhen and Yoko Kubota in (2017-12-06). "U.S. Tech Firms Spooked by China's Arcane Cybersecurity Law". Wall Street Journal. ISSN 0099-9660. Retrieved 2021-07-22.
  20. ^ "中国施行《网络安全法》 外企为何担忧?". BBC 中文网. 2017-05-31. Archived from the original on 2018-05-11. Retrieved 2018-04-14.
  21. ^ Gartenberg, Chaim (2017-07-13). "Apple is building its first China-based data center per new cybersecurity law". The Verge. Retrieved 2021-07-22.
  22. ^ "Learn more about iCloud in China". Apple Support. Archived from the original on 2018-03-07. Retrieved 2018-04-14.
  23. ^ "New Azure region coming to China in 2022 | Azure blog and updates | Microsoft Azure". azure.microsoft.com. Retrieved 2021-07-22.
  24. ^ "多家中国区应用商店下架Skype". 纽约时报中文网 (in Chinese). 2017-11-22. Archived from the original on 2018-04-13. Retrieved 2018-04-14.
  25. ^ Hu, Huifeng (2018-03-01). "Cybersecurity law causing 'mass concerns' among foreign firms in China". South China Post. Archived from the original on 2018-11-07. Retrieved 2018-12-14.
  26. ^ "中国《网络安全法》草案出炉 恐加强言论管制". BBC 中文网 (in Chinese). 9 July 2015. Archived from the original on 2018-05-08. Retrieved 2018-04-14.