The Standing Committee of the National People’s Congress (NPC) passed the 9th Amendment to the Criminal Code in August 2015, and the new Anti-terrorism Law about four months later. Both have now come into effect, with provisions concerning cybersecurity.
A first observation is that both laws were passed within a relatively short period of time. In the case of the 9th Amendment of the Criminal Code, three readings and a public consultation process took place in less than 10 months. Similarly, the Anti-terrorism Law started its legislative journey in November 2014, when it received a first reading, and was completed by the end of December 2015. Considering that the Anti-terrorism Law is a new law and the first of its kind – and a new law generally takes two to three years to pass in China – this legislative pace is quite remarkable.
[ihc-hide-content ihc_mb_type=”show” ihc_mb_who=”1″ ihc_mb_template=”2″ ]
A short while ago, the new National Security Law wrapped up three readings in less than eight months, and was enacted with immediate effect. Apparently, security-related legislation has been on the top of the NPC’s law-making agenda. The Cybersecurity Law, on which public comments were gathered more than six months ago, is set to be next. A second reading may take place very soon, and formal promulgation is expected within 2016.
Obligations on service providers
As far as cyberspace is concerned, the Anti-terrorism Law imposes three specific obligations on “telecom business operators” and “internet service providers”, namely that they:
- Provide technical support to authorities in their efforts to combat terrorism, specifically, to provide technical interface with network or decryption assistance as may be requested on occasion (article 18);
- Adopt appropriate security measures, monitor and prevent dissemination of terrorist or extremist content, and co-operate with government investigations (article 19); and
- Verify customer identity and refrain from serving customers who fail to pass identity checks (article 21). Companies will be fined for non-compliance in an amount between RMB200,000 (US$30,000) and RMB500,000. In serious cases, however, a higher fine can be imposed, possibly along with an order to cease operations. It is noted that directly responsible individuals will also be subject to penalties, which in serious cases include fines of up to RMB500,000 and administrative detention for up to 15 days.
Enforcement of the Anti-terrorism Law is led by the Ministry of Public Security and the Ministry of National Security, under the direction of the National Anti-terrorism Leadership Group, and assisted by the judiciary, the army and the police.
Controversial requirements gone?
Many have noticed that some of the more controversial language in the earlier draft has been removed from the final text. These include requirements to file encryption plans with the authority, to pre-install a technical interface in the network, and to store relevant equipment and users’ data within China. A welcomed move as it is, whether these requirements are really gone will not be certain until the Cybersecurity Law is published in its final form. It cannot be excluded that the legislators dropped these particular issues under the Anti-terrorism Law, only to have them addressed in a more suitable legislation that is the Cybersecurity Law.
[/ihc-hide-content]
Business Law Digest is compiled with the assistance of Baker & McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker & McKenzie by e-mailing Danian Zhang (Shanghai) at: danian.zhang@bakermckenzie.com
