On 27 December 2015, the National People’s Congress Standing Committee passed China’s new Counter-Terrorism Law (New Law), which came into effect on 1 January 2016. Compared to the Draft Counter-Terrorism Law (Draft Law) that was first released on 3 November 2014 for public reading, the New Law appears less draconian as two, much objected, key requirements have been dropped. These requirements were: (i) telecommunication service operators and Internet service providers (together, “ISPs”) must “locate their related servers and domestic user data” in China (the “Localisation Requirement”), and (ii) must install “technical interfaces in the design, construction, and operation of the telecommunication and internet [services]” which would allow Chinese government to “prevent” or “investigate” terrorist activities (the “Backdoor Requirement”). The New Law, however, retains two key requirements from the Draft Law i.e., that ISPs shall disclose encryption keys to government authorities (the “Decryption Requirement”) and shall enhance monitoring and reporting of all Internet content (the “Reporting Requirement”). The respective exclusions and inclusions bring some relief to the international tech community but trigger concerns for others.
Specifically, Article 18 of the New Law requires that ISPs “shall provide technical interfaces, decryption and other technical support and assistance to public security organs and state security organs conducting prevention and investigation of terrorist activities in accordance with the law.” This Decryption Requirement overlooks the fact that an increased number of communications products nowadays use “end-to-end” encryption where the software vendors themselves do not retain any decryption keys. The only way to meet the Decryption Requirement in such cases is to surrender users’ passwords, putting the issue of privacy at risk. So far, the United States, home to many tech companies, has expressed the greatest resistance to the New Law as the Decryption Requirement appears to target vendors whose products, including smartphones and tablets, feature end-to-end encryption.
The Reporting Requirement is illustrated in Article 19 of the New Law, requiring ISPs to “put into practice network security systems and information content monitoring systems, technical prevention and safety measures, to avoid the dissemination of information with terrorist or extremist content.” Where information with terrorist or extremist content is discovered, its dissemination shall immediately be halted, relevant records shall be saved, and the relevant information deleted, and a report made to public security organs or to relevant departments. What exactly constitutes adequate “network security systems” and “information content monitoring systems” to satisfy this Article is unclear.
Some argue that the removal of the Backdoor Requirement is discounted by the Decryption Requirement as government authorities can obtain needed access anyway through either the backdoor or the front door. The revoked Localisation Requirement, however, appears to be a positive step in lifting the potential huge burden imposed on ISPs with servers and China user data stored outside the country. We note in passing that the Draft Cybersecurity Law, released for public comment on 8 July 2015, has a similar localisation provision requiring Critical Information Infrastructures to store within China, Chinese citizens’ personal information and other important data, gathered and produced, while carrying on their business operations. Will the final version of the Cybersecurity Law eliminate this highly controversial requirement as well?