Published by The Lawfare Institute
Apple’s challenge to a court order requiring the company to assist the US government in unlocking the iPhone of one of the San Bernardino shooters has led to a discussion about what exactly Apple provides to the Chinese government. Some reports have speculated that while Apple defies the US government, it has no problem acquiescing to Beijing’s security demands—including the possibility that the company already may be providing Beijing exactly the sort of “backdoors” it will not give the FBI. Others allege that Apple’s stand in the US is necessary in order for the company to adopt a similar hard line in China.
Only Apple and the Chinese government know for sure the nature of their relationship, and what Apple is willing and obligated to provide. But in the absence of that information, a close reading of China’s applicable laws and regulations is the best guide to understanding the obligations that foreign technology companies take on in exchange for access to China’s market. These laws and regulations leave plenty of room for interpretation and negotiation by individual companies.
To lend some needed factual basis to the ongoing debate, the following is a primer for understanding the legal and regulatory environment companies like Apple face in China.
Understanding Beijing’s Approach to ICT and Cybersecurity Policy
Currently, the Chinese government—not unlike US authorities—is in the process of developing a legal and regulatory regime to catch up with the growth of new technologies, particularly in the internet and information communications technology (ICT) sectors. The senior political ranks in Beijing recognize that the government’s ability to control, censor, and supervise the technology and the information it transmits has fallen behind and must now catch up. Essentially, the technology has gotten ahead of the government’s ability to manage it.
Top leaders, including President Xi Jinping, are pushing for “protecting national sovereignty in cyberspace” (维护国家网络空间主权). The phrase appears repeatedly in policy directives and senior official statements dating back to at least 2010. It is intended to capture that the Chinese Communist Party maintains ultimate control over the internet and the ICT business environment in China in such a way as to create, over time, national borders in cyberspace or even fragmentation of the global internet as the Party seeks to preserve domestic stability.
There are three primary relevant laws and an additional host of industry-specific regulations related to network and information security. These rules should not be read in isolation, but instead as mutually reinforcing elements of Beijing’s collective effort to increase security controls in cyberspace. Together these laws reflect Beijing's increasingly hardline approach to ICT policy as the government seeks to increase control over networks, data, and information transmission.
Key Laws and Regulations
Below are highlights from these laws and regulations.
National Security Law
The National People's Congress (NPC) passed the National Security Law in July 2015. The National Security Law operates as the legal framework to bolster control across all sectors of the economy under the banner of a sweeping definition of security that includes the economy, financial system, indigenous technology innovation, and social stability. The language is deliberately broad and will serve as basis for more detailed regulations, which are currently pending.
In the section on technology and information security, the familiar “protecting national sovereignty in cyberspace” language appears. And although the concept is not new, here Beijing elevates its importance by enshrining it in national law.
The National Security Law will likely lay the groundwork for more formalized reviews of inbound foreign investment, somewhat akin to the Committee on Foreign Investment in the United States (CFIUS), an interagency body in the US government. In the Chinese system, there are currently only national security review bodies dedicated to examining foreign investments in China's four free trade zones (FTZs) in Fujian, Tianjin, Guangdong, and Shanghai. However, under the new law, these review bodies are likely to extend to foreign investments nationwide, and they will take a far more expansive view of national security than counterparts like CFIUS do within the US. It is possible that, over the coming years, foreign tech firms will be required to undergo multiple separate security reviews at different levels in the bureaucracy—the Chinese government is now also setting up a cybersecurity review body and yet-to-be disclosed industry-specific approvals and certifications, including one on data localization.
The NPC passed a Counterterrorism (CT) Law in December 2015. There are three important points to note about this law. The first is that the government made key changes between the draft and the final version and that those changes created more ambiguity in terms of what companies must provide to the government. The original language in the draft law required telecom operators and internet service providers (ISPs) to install “backdoors” in their products and report encryption keys to the government. The final version of the law, however, only says these types of companies must extend technical interfaces, decryption, and other technical assistance and support to anti-terror authorities.
It would thus appear that the new language waters down the original requirements. But the new language is also vague, and the government has not yet issued implementation details. Typically, the government first issues a law of broad principles and then clarifies the scope in a series of implementation decrees. Foreign technology firms are currently in the process of trying to predict and understand how the government will implement and enforce these broad new measures. Moreover, there are separate pending revisions to the 1999 Commercial Encryption Regulations. It would not be surprising if the government folds the encryption requirements that were removed from the CT law into this regulation.
The second point is that the encryption clause in the counterterrorism law only applies to telecom operators and internet service providers; Apple does not fall into either of these categories. And finally, note that the government has removed entirely a provision from the original draft that would have required telecom operators and ISPs to store all data and equipment in China.
These changes represent a modest victory for foreign ICT companies. Most importantly, the changes reflect that Beijing was at least somewhat responsive to pressure from US industry lobbies and the US government.
But that’s hardly the end of the story in China. Data localization remains a top priority for Beijing; the fact that it has disappeared from this particular law does not mean Beijing has backed down on the issue. To the contrary, the government has rolled out data localization requirements in other—less high-profile—industry-specific regulations it has released since the passage of the CT law. For example, last week the Ministry of Industry and Information Technology (MIIT) and the State Administration of Press, Publication, Radio, Film and Television (SAPPRFT) unveiled new measures that require localization of server and storage equipment for online publishing and take effect March 10. Additionally, the draft cybersecurity law (see below) still contains data and equipment localization requirements.
In July 2015, shortly following the passage of the National Security Law, the NPC released the full text of the draft Cybersecurity Law. Here the government is working to create a legal basis for expanding its authority to preserve “cyberspace sovereignty” by outlining obligations of ICT companies and users.
The law faces two more rounds of review, and therefore, the content is still subject to change. Similar to the national security law, the language of the cybersecurity law is vague and broad. And as with other laws, the government will clarify the scope in follow-on decrees after the law is passed. But there is likely to be some space for discretion in how authorities implement the regulations; this may provide maneuverability for US tech firms, but could as easily justify stringent interpretation by officials who offer little transparency in their decision-making processes.
In terms of substance, there are two relevant elements in the draft law's content. First, the draft emphasizes that companies will be required to undergo security inspections and reviews in order to be in compliance with the government's rules, but the text offers no details on what these will entail. And second, the draft law mandates that information infrastructure operators store user data within the territory of mainland China. Companies may apply for exceptions to this rule, but only after undergoing a still-unspecified additional audit and certification process.
In terms of political leadership, the law identifies the Cyberspace Administration of China as the top body charged with shaping and implementing cybersecurity policy. This is significant for two reasons—both of which I’ll explore in depth in later posts. But in general, this body is the functional office of the Central Leading Group for Network Security and Information chaired directly by President Xi Jinping himself. This means that now cybersecurity policy is coming from the highest levels in the Chinese bureaucracy, whereas previously it had been fragmented with turf wars among lower-level players. Furthermore, the CAC is notoriously inaccessible to foreign companies in China—which means that efforts to engage with government stakeholders when it comes to the regulatory landscape will be extremely difficult.
“Secure and Controllable” Regulations
The Chinese government has also set out new security requirements in industry-specific regulations. The phrase “secure and controllable” (安全可控) is sometimes also referred to as “secure and reliable” (安全可靠) or “indigenous and controllable” (自主可控). Since August alone, the phrase has appeared in separate pending rules for ICT used in insurance, medical devices, and the Internet Plus sectors (i.e. smart technology, cloud computing, mobile technology, and e-commerce).
Because this standard has no single definition, the government and Chinese industry have broad discretionary authority to launch intrusive security audits or reject foreign suppliers altogether as not secure. And while many of these regulations are still pending, the Chinese government and industry are already moving forward with informal implementation of the standard by asking foreign vendors to certify that they are “secure and controllable.”
There are numerous interpretations of the phrase, but one thing is clear: the government is linking localization with security, which means that Chinese companies have a competitive advantage when it comes to meeting these new security standards. This puts foreign technology companies in a weaker negotiating position, and adds to pressure that they cooperate with local partners, rather than attempting to go it alone in the market.
Common Practices and Informal Pressures
Beyond the new and pending laws and regulations, foreign firms already face pressure to submit source code, undergo security audits, and localize data and equipment. These procedures are costly and expose foreign tech companies to a host of security, regulatory, and IP risks in order to be in the market.
Foreign tech firms have been providing at least partial source code to the Chinese government for years. For example, Microsoft provided Windows source code to the Chinese government in the 1990s. And it remains the common practice today. Providing source code is not necessarily the same as providing so-called “backdoor” access to device contents, but it does have significant security implications. And understanding the ongoing provision of such information is necessary to meaningfully evaluate the consequences of other requirements.
Similarly, security audits are also a regular part of operating in the China market. In practice, a security audit could range from something as benign as sitting down for a series of meetings with government officials—perhaps from the Ministry of Public Security—and answering questions about security features, data storage, or management techniques to something far more invasive. And as a consequence of the pending laws and regulations, these security reviews are likely to become increasingly intensive.
These requirements and practices underscore the fact that foreign enterprise in China is never as simple as it seems. And the obligations on foreign companies are still quite in flux.