10 February, 2016
After three deliberations, the Counter-Terrorism Law of the PRC (“CTL”) was formally promulgated by the National People’s Congress Standing Committee (“NPC Standing Committee”) on December 27, 2015, and took effect from January 1, 2016. The CTL is the first counter-terrorism law in China, which includes wide-ranging stipulations and is intended to cover to all aspects of counter-terrorism activities. Among other things, the CTL provides obligations for telecom and Internet enterprises to cooperate with government authorities in investigating terrorism activities, which may have a significant impact on the operation of Internet and tech firms in China.
Technical Assistance Interfaces and Decryption
According to the CTL, telecom and Internet service providers are required to provide technical interfaces and technical assistance in decryption and other efforts to public and national security authorities engaged in the lawful conduct of terrorism prevention and investigation. However, the CTL does not further specify the procedure and documentation required for the authorities to make such requests for assistance.
Preventing the Dissemination of Terrorism Information
The CTL also requires Internet service providers to implement network security and information and content monitoring systems and adopt technical security measures to prevent the dissemination of information containing terrorist or extremist content. Once such content is detected, Internet service providers shall cease the transmission of the information, keep the relevant records, delete the information and report the occurrence to public and national security bodies.
Identity Verification Requirements
In addition, the CTL clearly stipulates the real-name requirement for telecom and Internet providers. Under the CTL, telecom and Internet providers are required to verify the identity of their clients, and to not provide services to anyone whose identity is unclear or who declines to verify his/her identity. However, the CTL does not further specify the required measures for verification by telecom and Internet providers. Although the content monitoring and real-name requirements are already embodied in various regulations, the CTL extends these requirements to all types of telecom and Internet services as statutory obligations of the service providers.
Legal Liability
According to the CTL, telecom and Internet providers violating the aforesaid requirements may be subject to fines and their direct responsible persons may be subject to personal liabilities of fines and detention.
Brief Comparison with the Draft Released for Public Comment
Compared with the earlier draft of the CTL released by the NPC Standing Committee in November 2014 for public comment, the final CTL leaves out controversial language requiring telecom and Internet service providers to file their encryption plans with the encryption authority for review; pre-install interfaces in the design, construction and operation of telecommunication and Internet programs; and store their device and users’ data within the PRC.
Our Observation
In general, the obligations embodied in the CTL are still vague and ambiguous, and the CTL leaves large room for the authorities in terms of interpretation and implementation. For example, the CTL has not even provided a clear scope of telecom and Internet service providers subject to these requirements. The relevant government authorities may promulgate further implementing rules to stipulate the obligations. We suggest that telecom and Internet companies closely follow the developments in this area.