China Passes (De) Encryption Cyber Law

January.11.2016

On December 27, 2015, the Standing Committee of the National People's Congress, China's national legislative body, passed the Counter-Terrorism Law of China, which entered into force on January 1, 2016. Although the law's precise breadth and scope are yet to be determined, the law has important implications for companies deploying encryption technology as part of their cybersecurity programs.

As an initial matter, the Counter-Terrorism Law applies to telecommunications operators and internet service providers in China, but may very well be construed much more broadly. Specifically, the concept of an internet service provider is not clearly defined under Chinese law, and could refer to any business that provides services via the internet in China. This would sweep in the majority of global, including U.S.-based, technology companies with equipment, offices, employees and/or customers present in the Chinese marketplace.

Substantively, two key cybersecurity and privacy-related provisions of the Counter-Terrorism Law require that telecommunications operators and internet service providers:

Provide technical support and assistance to government investigators by, among other things, providing access to technical interfaces and decryption keys to law enforcement authorities and national security authorities to support terrorism prevention and investigation activities (Article 18).
Implement network security, information content-monitoring systems and measures designed to prevent the dissemination of content containing terrorism and extremism, to delete such information, and to immediately report to the Chinese police (Article 19).

A violation of the new law carries stiff penalties that may include corporate fines, as well as criminal charges and detention of individuals. It is noteworthy that the Counter-Terrorism Law does not include two highly controversial provisions from the draft bill published in 2014. Those provisions would have required telecommunications operators and internet service providers to design and pre-install "back doors" into their products or services, and to maintain data centers storing Chinese user data exclusively in China. While the lack of these provisions in the final legislation is a good sign, under Article 18, companies may still be asked by Chinese authorities for "technical interfaces" into systems that are tantamount to back doors, though the specific contours of enforcement remain unclear.

Interestingly, China's Counter-Terrorism Law raises a debate regarding encrypted communications similar to the current fight in the U.S. between technology companies' desire to keep data flows "safe" through encryption, and the U.S. Government's suggestion that encrypted communication flows hamper its ability to collect actionable intelligence. Although there is currently no requirement in the U.S. that companies maintain the encryption keys to their users' information to comply with U.S. government requests for information, Chinese law appears likely to require keeping the key and making it available in connection with a terrorism investigation. Companies subject to jurisdiction in China should carefully consider this dichotomy in setting up and maintaining a global security program when encryption is a significant portion of that strategy.

Other key privacy and security-related provisions of the Counter-Terrorism Law include the following:

The creation of a national leading agency for counter-terrorism work that is charged with enforcement authority and designation of terrorist activities and terrorist groups or individuals (Article 3).
Companies must freeze the funds or assets of publicly-identified terrorist groups and individuals, and to promptly report such groups or individuals to the public security authorities under the State Council, the national security authorities and the anti-money laundering authorities (Article 14);
Business operators or service providers of telecommunications, internet, finance, accommodations, long distance passenger transportation, automobile rental must check the identity of customers, and deny service to those who refuse or cannot be identified (Article 21). The authorities have not issued any guidelines regarding how Article 21 may be enforced, which is likely to prove challenging for companies given that it is unclear what measures companies must take to verify the identities of online consumers who may use a fake name to register an account.

In sum, the final Counter-Terrorism Law excludes some highly problematic provisions from the draft bill, but still imposes a high duty on companies to cooperate in the investigation and perhaps even prosecution of terrorists. How these rules are ultimately interpreted and enforced will be critical for multi-nationals doing business in China.

Authors

Xiang Wang Partner, Intellectual Property, Cyber, Privacy & Data Innovation

Beijing; New York; Shanghai

See my bio

D:+86 10 8595 5600
E: [email protected]

Practice:

Technology & Innovation Sector
Intellectual Property
Cyber, Privacy & Data Innovation
Mass Torts & Product Liability
Trade Secrets Litigation
IP Counseling & Due Diligence
Patents
Antitrust & Competition
International Trade and Investment
White Collar, Investigations, Securities Litigation & Compliance
Employment Law & Litigation
Trademark, Copyright & Media
Automotive Technology & Mobility
China

vCard

See full bio

Xiang Wang Partner

Beijing; New York; Shanghai

Xiang is a Guiding Expert of the China Overseas IP Dispute Response & Guidance Center.

He also serves several consultancy roles for local regulatory authorities, including as IP Guiding Expert of Shenzhen IP Protection Center; IP Guiding Expect of Zhejiang Province IP Protection Center; IP Consultant of Technology Innovation Bureau of Nanjing Jiangbei New Area Management Committee (Jiangsu Province); Expert of IP Dispute Investigation and Appraisal of Foshan Market Supervision and Administration Bureau (Guangdong Province); and Expert for Overseas IP Protection and Assistance of Foshan Intellectual Property Bureau (Guangdong Province).

Xiang has extensive experience in assisting local and foreign-based multinational companies with all aspects of their IP rights in the U.S. and China, including IP litigation and arbitration, patent infringement, industrial espionage, trade secret misappropriation, copyright and trademark infringement, ITC Sec. 337 investigations, patent office proceedings including inter partes reviews (IPR), IP due diligence and portfolio counseling, technology export control, mass torts and product liability, securities litigation, the Foreign Corrupt Practices Act (FCPA) and other investigations and compliance. These matters have implicated a vast array of technologies, from software and electronics to renewable energy and medical devices as well as agricultural and building materials, to name just a few.

Xiang also works extensively on cybersecurity investigations and data privacy compliance matters for both Chinese and international clients.

Xiang has been particularly active in Chinese state-owned enterprises related U.S. litigation. Clients turn to his strategic and innovative advice thanks to his in-depth understanding of their business needs and political risks. Clients appreciate that he “understood the environment in the China legal system and can give nuanced advice”.

Xiang has developed the region’s premier IP practice based on his reputation as one of the few IP lawyers who has a doctorate in electrical and computer engineering, a Juris Doctor, a Chinese Certificate of Laws, and admission to practice law in New York, Indiana and before the U.S. Patent and Trademark Office. Due to its success in patent disputes in the United States and China, involving both foreign and Chinese companies, Orrick IP team was exclusively featured in a documentary film “Patent Wars” by the China Central Television (CCTV).

Xiang is highly regarded for his practical legal advice that results from more than ten years of experience at medical and electronic device businesses before becoming a lawyer. He also has received four U.S. medical-technology patents in his name.

Mimiao Hu Of Counsel, Intellectual Property, Cyber, Privacy & Data Innovation

Beijing

See my bio

D:+86 10 8595 5688
E: [email protected]

Practice:

Technology & Innovation Sector
Intellectual Property
Cyber, Privacy & Data Innovation
China

vCard

See full bio

Mimiao Hu Of Counsel

Beijing

Her work has included trademark and copyright protection strategies, intellectual property litigation, unfair competition, intellectual property due diligence, cybersquatting and related technology issues. Mimiao has also advised clients on export regulation of military and dual-use items and customs regulation in China. In addition, Mimiao works extensively on cybersecurity & data privacy issues for both Chinese and international clients.

Prior to joining Orrick, Mimiao was a senior associate in the Beijing and Shanghai offices of a major PRC law firm.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.