8 February, 2016
On 27 December 2015, the standing committee of the National People’s Congress (NPC) of China passed the Anti-Terrorism Law of China, the first national law to combat terrorism, which came into force on 1 January 2016. The Anti-Terrorism Law imposes some specific obligations on operators of telecom and internet services.
The year 2015 has seen national security and cyber security being brought to the top of the legislation agenda. In July 2015 the National Security Law and the draft Cyber Security Law were published in the same month, followed by the Anti-Terrorism Law at the end of the year, each of which contains provisions aimed directly at addressing cyber security issues. The newly-imposed obligations under the Anti-Terrorism Law on the telecom operators and internet service providers reflect the government’s determination to tighten its grip on cyber security and are bound to give rise to more legal compliance challenges.
Highlights of the Obligations under the Anti-Terrorism Law
Provision of Technical Assistance and Support
Telecom operators and internet service providers must provide assistance and support to the Ministry of Public Security (MPS) and the Ministry of State Security (MSS) for their activities relating to prevention and investigation of terrorism, including “technical interface and decryption”. The assistance is not limited to technical interface and decryption and the scope is not defined. Moreover, such assistance and support may be required for “prevention” as well as investigation of terrorism, which, without limitation, gives the authority an even greater unfettered discretion to determine what assistance may be required for prevention and investigation.
Prevention of Dissemination of Terrorist and Extremist Information
a.Preventive Measures – self censorship and security protection
As preventive measures, the Anti-Terrorism Law requires the telecom operators and internet service providers to establish cyber security and content censorship mechanism and take security technological safeguarding measures.
Where terrorist or extremist information is discovered, the telecom operators and the internet service providers must (i) stop transmission; (ii) keep relevant record; (iii) delete relevant information; and (iv) report to the police or relevant authority.
c.Cooperation with Authority
Cyberspace Administration of China (CAC) and the Ministry of Industry and Information Technology (MIIT), MPS and MSS are all empowered to order (i) cease of transmission, (ii) deletion of relevant information, or (iii) closure of website and relevant services.
The telecom operators and internet service providers must obey such orders, keep relevant record and assist with the investigation.
d.Prevention of Cross Border Transmission
The MIIT is obligated to take technical measures to prevent transmission of cross-border terrorist or extremist content.
Verification of Customer Identity
Telecom operators and internet service providers must verify the identity of their customers and are obligated to refuse to serve any customer who is of unknown identity or reject such verification. This echoes the real-name registration requirement for internet service users and telephone and mobile users already implemented.
Who will be affected
The Anti-Terrorism Law does not define the scope of the “telecom operators and internet service providers”. As such, we believe the obligations apply to entities that hold valid telecom licenses as well as those that do not. For instance, not-for-profit websites and non-platform e-commerce websites may also be subject to the obligations imposed by the Anti-Terrorism Law.
Who will be enforcing the law?
Under the regime established by the Anti-Terrorism Law, the telecom operators and internet service providers are likely to deal with the below authorities in discharging their obligations:
a.MPS: MPS has the power to require technical assistance and support, order cease of transmission or closure of service and detain those who fail to comply with the obligations imposed by the Anti-Terrorism Law. In addition, MPS has traditionally been charged with the power to police cyber security since the early 1990s, which would also allow MPS to supervise the information security measures that have been taken to stem the dissemination of terrorist and extremist information.
b.MSS: MSS is also empowered to demand technical assistance and order cease of transmission of terrorist and extremist information, but its activities in relation to cyber security are more of a secret nature and usually concern security of national interest.
c.MIIT: MIIT, as the industry regulator for telecom and internet, has extensive powers over the telecom operators and internet service providers. In the context of Anti-Terrorism Law, MIIT is expressly authorized to order cease of transmission of terrorist and extremist information and cut off cross-border transmission of terrorist and extremist information and, more importantly, has the power to impose fines on incompliant telecom operators and Internet service providers. Moreover, MIIT is also charged with duties of communication network security protection well before the promulgation of the Anti-TTerrorism Law and has the power to examine the security protection mechanism established by the telecom operators and internet service providers and impose a wider range of penalties, including revocation of telecom licenses.
d.CAC: CAC usually plays the coordinating, supervisory and policy-making role in the context of cyber security, which is confirmed in the draft Cyber Security Law. CAC is mentioned only once in the Anti-Terrorism Law in the provision for preventing transmission of terrorist and extremist information. We expect CAC to assume its current role of coordinating the authorities rather than a frontline enforcing body.
The Impact and what to expect
The obligations imposed by the Anti-Terrorism Law on the telecom operators and internet service providers are generally in line with the current legal framework established by the National Security Law, the Regulations of Telecommunications (as amended in 2014), and a series of regulations published by MPS and MIIT on cyber security. Most of the elements are already reflected in the draft Cyber Security Law and existing laws.
The uncertainty lies in the details. Most notably, what would the telecom operators and internet service providers be expected to do to satisfy their obligations? The scope and level of technical assistance and support are still unclear. The standards for establishing a satisfactory information security protection and self-censorship mechanism require clarification.
What is certain is that the authorities are stepping up their scrutiny over cyber security and the Anti-Terrorism Law grants the authorities yet another imperative legal ground to require cooperation that the telecom operators and internet service providers find even harder to refuse.
We would like to see some more detailed implementing rules to be published by the authorities enforcing the law. However, these rules, if published, might not fully address the concerns that we raise above. There might also be enforcement campaigns pushed forward with by the authorities to overhaul the cyber security system. We would also be interested in seeing cases where the authorities are actually exercising their powers to enforce the Anti-Terrorism Law on the telecom operators and internet service providers.
What to do
Despite the uncertainties, we would like to point out that before the publication of the Anti-Terrorism Law, there have been a series of national or industry standards published on the topic of information security protection. For instance, MPS together with industry regulators have been actively implementing the Multi-Level Protection Scheme (MLPS) from 2007. In the absence of rules to clarify the Anti-Terrorism Law, we would suggest telecom operators and internet service providers further review compliance of their information security system and mechanism with existing standards, establish procedures to prevent dissemination of terrorist or extremist information and assess the capability and feasibility of providing technical support and assistance to the authorities. The key is to demonstrate to the authorities that the obligations under the Anti-Terrorism Law have been adequately discharged.
On the other hand, telecom operators and internet service providers should review their current contracts, user terms and access rules to provide for an exemption from liabilities for actions taken pursuant to the Anti-Terrorism Laws.
For further information, please contact:
Karen Ip, Partner, Herbert Smith Freehills