On December 27, 2015, the Standing Committee of the National People's Congress, China's national legislative body, passed the Counter-Terrorism Law of China, which entered into force on January 1, 2016. Although the law's precise breadth and scope are yet to be determined, the law has important implications for companies deploying encryption technology as part of their cybersecurity programs.
As an initial matter, the Counter-Terrorism Law applies to telecommunications operators and internet service providers in China, but may very well be construed much more broadly. Specifically, the concept of an internet service provider is not clearly defined under Chinese law, and could refer to any business that provides services via the internet in China. This would sweep in the majority of global, including U.S.-based, technology companies with equipment, offices, employees and/or customers present in the Chinese marketplace.
Substantively, two key cybersecurity and privacy-related provisions of the Counter-Terrorism Law require that telecommunications operators and internet service providers:
A violation of the new law carries stiff penalties that may include corporate fines, as well as criminal charges and detention of individuals. It is noteworthy that the Counter-Terrorism Law does not include two highly controversial provisions from the draft bill published in 2014. Those provisions would have required telecommunications operators and internet service providers to design and pre-install "back doors" into their products or services, and to maintain data centers storing Chinese user data exclusively in China. While the lack of these provisions in the final legislation is a good sign, under Article 18, companies may still be asked by Chinese authorities for "technical interfaces" into systems that are tantamount to back doors, though the specific contours of enforcement remain unclear.
Interestingly, China's Counter-Terrorism Law raises a debate regarding encrypted communications similar to the current fight in the U.S. between technology companies' desire to keep data flows "safe" through encryption, and the U.S. Government's suggestion that encrypted communication flows hamper its ability to collect actionable intelligence. Although there is currently no requirement in the U.S. that companies maintain the encryption keys to their users' information to comply with U.S. government requests for information, Chinese law appears likely to require keeping the key and making it available in connection with a terrorism investigation. Companies subject to jurisdiction in China should carefully consider this dichotomy in setting up and maintaining a global security program when encryption is a significant portion of that strategy.
Other key privacy and security-related provisions of the Counter-Terrorism Law include the following:
In sum, the final Counter-Terrorism Law excludes some highly problematic provisions from the draft bill, but still imposes a high duty on companies to cooperate in the investigation and perhaps even prosecution of terrorists. How these rules are ultimately interpreted and enforced will be critical for multinationals doing business in China.