8 February, 2016
On December 27, 2015, the Standing Committee of the National People's Congress, China's national legislative body, passed the Counter-Terrorism Law of China, which entered into force on January 1, 2016. Although the law's precise breadth and scope are yet to be determined, the law has important implications for companies deploying encryption technology as part of their cybersecurity programs.
As an initial matter, the Counter-Terrorism Law applies to telecommunications operators and internet service providers in China, but may very well be construed much more broadly. Specifically, the concept of an internet service provider is not clearly defined under Chinese law, and could refer to any business that provides services via the internet in China. This would sweep in the majority of global, including U.S.-based, technology companies with equipment, offices, employees and/or customers present in the Chinese marketplace.
Substantively, two key cybersecurity and privacy-related provisions of the Counter-Terrorism Law require that telecommunications operators and internet service providers:
- Provide technical support and assistance to government investigators by, among other things, providing access to technical interfaces and decryption keys to law enforcement authorities and national security authorities to support terrorism prevention and investigation activities (Article 18).
- Implement network security, information content-monitoring systems and measures designed to prevent the dissemination of content containing terrorism and extremism, to delete such information, and to immediately report to the Chinese police (Article 19).
A violation of the new law carries stiff penalties that may include corporate fines, as well as criminal charges and detention of individuals. It is noteworthy that the Counter-Terrorism Law does not include two highly controversial provisions from the draft bill published in 2014. Those provisions would have required telecommunications operators and internet service providers to design and pre-install "back doors" into their products or services, and to maintain data centers storing Chinese user data exclusively in China. While the lack of these provisions in the final legislation is a good sign, under Article 18, companies may still be asked by Chinese authorities for "technical interfaces" into systems that are tantamount to back doors, though the specific contours of enforcement remain unclear.
Interestingly, China's Counter-Terrorism Law raises a debate regarding encrypted communications similar to the current fight in the U.S. between technology companies' desire to keep data flows "safe" through encryption, and the U.S. Government's suggestion that encrypted communication flows hamper its ability to collect actionable intelligence. Although there is currently no requirement in the U.S. that companies maintain the encryption keys to their users' information to comply with U.S. government requests for information, Chinese law appears likely to require keeping the key and making it available in connection with a terrorism investigation. Companies subject to jurisdiction in China should carefully consider this dichotomy in setting up and maintaining a global security program when encryption is a significant portion of that strategy.
Other key privacy and security-related provisions of the Counter-Terrorism Law include the following:
- The creation of a national leading agency for counter-terrorism work that is charged with enforcement authority and designation of terrorist activities and terrorist groups or individuals (Article 3).
- Companies must freeze the funds or assets of publicly-identified terrorist groups and individuals, and to promptly report such groups or individuals to the public security authorities under the State Council, the national security authorities and the anti-money laundering authorities (Article 14);
- Business operators or service providers of telecommunications, internet, finance, accommodations, long distance passenger transportation, automobile rental must check the identity of customers, and deny service to those who refuse or cannot be identified (Article 21). The authorities have not issued any guidelines regarding how Article 21 may be enforced, which is likely to prove challenging for companies given that it is unclear what measures companies must take to verify the identities of online consumers who may use a fake name to register an account.
In sum, the final Counter-Terrorism Law excludes some highly problematic provisions from the draft bill, but still imposes a high duty on companies to cooperate in the investigation and perhaps even prosecution of terrorists. How these rules are ultimately interpreted and enforced will be critical for multi-nationals doing business in China.
For further information, please contact:
Aravind Swaminathan , Partner, Orrick