Foreign Relations & International Law

Understanding China’s Cybersecurity Law

Chris Mirasola
Tuesday, November 8, 2016, 11:33 AM

Protecting “cyber sovereignty” (网络空间主权) has been the lodestar of Chinese policymaking regarding the internet for much of President Xi Jinping’s administration.

Published by The Lawfare Institute
in Cooperation With

Protecting “cyber sovereignty” (网络空间主权) has been the lodestar of Chinese policymaking regarding the internet for much of President Xi Jinping’s administration. In 2014, for example, President Xi worried that “the development of the internet has posed new challenges to national sovereignty, security and development interests.” A year later, he asserted that the internet “is by no means a land beyond law.” Since then, official news outlets have reaffirmed that “any state must be able to decide what measures to take when it comes to defending their national interests in cyberspace.”

These concerns coalesced into law on Monday, when the Standing Committee of the National People’s Congress promulgated a new Cybersecurity Law. This law, which has already been condemned by numerous foreign businesses and human rights groups, provides the government sweeping authority to regulate and monitor Internet services. It is set to go into effect on June 1, 2017. Though the law addresses a huge range of Internet activity, five characteristics are of particular note.

Many thanks to China Law Translate for providing an unofficial translation of the legislation. While I have relied in part on their work, the English translation in this post is my own.

Imposing vague requirements on internet companies

Important portions of the Cybersecurity Law are written such that the scope of state authority, and the regulations that may be imposed upon an internet company, are entirely ambiguous. Article 21, for example, mandates a “tiered system of Internet security protections” that may be subject to any “obligations provided by law or regulation.” Article 28 requires internet companies to assist public security organizations in “protecting national security and investigating crimes”—without defining or limiting what national security might entail or which crimes may be involved. Article 51 allows the state to establish undefined “systems for cybersecurity monitoring, early warning, and notification,” which internet companies would be required to implement.

As is true for much national legislation, some of these ambiguities will persist. However, it is also likely that state agencies will release more detailed implementing regulations in the coming months, and the Cybersecurity Law suggests as much. Article 53, for example, empowers government departments with jurisdiction over cyberspace issues to “establish sound cybersecurity risk evaluations and emergency response efforts.” Article 29 similarly provides that “relevant industry organizations will establish sound cybersecurity standards and mechanisms for collaboration.” Though subsequent regulations may provide some additional clarity, it is difficult to find concrete principles within the law that would limit the regulations that could be promulgated in the name of the legislation’s vaguely worded provisions.

Establishing particularly restrictive regulations for critical information infrastructure

The most controversial section of the Cybersecurity Law may be Chapter III, Section 2, which regulates “critical information infrastructure.” In addition to a wide range of heightened monitoring requirements, Article 37 mandates that “personal information and other important data” collected in China must be stored on servers physically located within mainland China (i.e., not Hong Kong). If a business can prove that it is “truly necessary” to store such information abroad, they must work with the State Council to formulate specific monitoring procedures. Article 34 is equally broad, requiring firms that operate “critical information infrastructure” to comply with all other obligations created by law or administrative regulation.

Unfortunately, the Cybersecurity Law does not clearly define what “critical information infrastructure” means. Article 31 suggests that it could include any services needed for public communication or information, power, transportation, water works, finance, public service, or digital governance, as well as any infrastructure that would endanger national security, national welfare, popular livelihood, or the public interest if destroyed or hacked. It is easy to imagine how this broad provision could be interpreted to include a huge range of foreign and domestic internet companies. Given the significant additional regulatory burdens imposed on this ill-defined group, it is little wonder that over forty global business groups criticized these regulations.

Providing a legal basis for existing internet regulations

Notwithstanding these broad new grants of authority, many provisions simply codify longstanding government restrictions on internet usage. Article 24, for example, mandates that companies verify an individual’s real identity before providing internet services. The China Cyberspace Administration has enforced similar requirements on blogs, instant-messaging services, discussion forums, and other internet outlets for over a year. Article 12 prohibits persons or organizations from “subverting national sovereignty” or “overthrowing the socialist system,” which is substantially similar to Article 15 of the 2015 National Security Law. Article 58 gives the State Council and other government entities the ability to temporarily restrict internet access as required by “national security” or to preserve “social order.” Given that the Cybersecurity Law does not retreat from these traditional censorship powers, it is unsurprising that NGOs like Human Rights Watch have been critical.

Creating wide-ranging punishments for non-compliance

Chapter VI provides a detailed array of financial, civil, and criminal punishments for non-compliance with the Cybersecurity Law. Fines are the most common punishment and can range from roughly 7,400 to 148,000 USD for companies and 740 to 15,000 USD for personally responsible individuals. Regulatory agencies can revoke business licenses and shut down websites for more serious violations (e.g., critical information infrastructure where information is illegally stored abroad). In the extreme, the Public Security Bureau may also detain offending individuals for up to fifteen days (e.g., for publishing information related to perpetrating fraud, selling prohibited items, or other illegal activities).

Individual protections

The law does, however, provide substantial individual protections. Articles 41 through 43 restrict the amount of personally identifiable information that can be collected, limit how it can be transferred, and give an individual the right to request that information be deleted if mishandled. For this reason, some may welcome the law’s implementation.

Final thoughts

When the Cybersecurity Law takes effect on June 1, internet companies operating in China will be subject to a broad and ill-defined array of regulations and potential punishments. Notwithstanding the enhanced individual protections that it provides, the law primarily serves to increase the state’s ability to control domestic Internet activity. As the country moves toward implementation in June, we must look toward the new implementing regulations that will be released in order to better understand just how far this new authority will extend.

Chris Mirasola is a Climenko Fellow and lecturer on law at Harvard Law School. Previously, he was an attorney-advisor at the Department of Defense Office of General Counsel.

Subscribe to Lawfare