On December 27, 2015, the Standing Committee of the National People’s Congress (NPC), China’s top legislative body, enacted a Counter-Terrorism Law (see the Chinese version here, and an unofficial English translation here), which took effect on January 1, 2016.  The adoption of this law, a year after the first draft was released for public comment, followed closely the adoption of a new National Security Law and a draft Network Security Law.

The Counter-Terrorism Law reinforces the government’s broad powers to investigate and prevent incidents of terrorism and requires citizens and companies to assist and cooperate with the government in such matters.  The law imposes additional and specific obligations on companies in certain sectors, including those providing telecommunications, Internet, and financial services.  Non-compliance or non-cooperation can lead to significant penalties, including fines on companies and criminal charges or detention for responsible individuals. In some respects, the new law provides greater, higher-level legal authority to pre-existing regulations and practice. In others, it imposes new obligations or makes existing obligations more specific (e.g., penalties).

The law’s broadly worded requirements create some uncertainty as to their implications for companies’ data protection and security policies. The final version of the law removes some of the more controversial requirements of the draft versions, including the requirement that telecommunications and Internet services providers install “backdoors” into their products, register encryption keys with the government, and keep servers and data related to Chinese users within the country. Nonetheless, the law imposes new requirements that warrant careful attention. For example, telecommunications and Internet services companies must:

  • Provide technical support and assistance, including handing over access or interface information and decryption keys; and
  • Establish content monitoring and network security programs and adopt precautionary security measures to prevent the dissemination of information on extremism, report terrorism information to the authorities in a timely manner, keep original records, and promptly delete such messages to prevent further circulation.

Companies in many other sectors, such as freight, transportation, and hospitality (including car rental), as well as providers of telecommunications, Internet, and financial services, are required to conduct identity checks of their customers or clients and refuse to provide services to those that decline to provide such information. It is unclear how these new provisions will interact with other provisions that require companies to collect certain types of personal data only with permission from customers.

These specific requirements are framed against the backdrop of more general obligations to assist government authorities in counter-terrorism investigations and operations. As is common with high-level Chinese laws, the language in the new Counter-Terrorism Law, including the definition of “terrorism” itself, is broad, leaving significant discretion in the hands of the responsible agencies. The contours of its implementation in practice, including its implications for companies handling user data and information, may become clearer as implementing regulations are issued.

Material for this post was contributed by Yan Luo of Covington & Burling LLP.

Ashwin Kaja

With over a decade of experience in China, Ashwin Kaja helps multinational companies, governments, and other clients understand and navigate the complex legal and policy landscape in the country. He plays a leading role in Covington’s China international trade and public policy practices and, outside of Covington, serves as the General Counsel of the American Chamber of Commerce in China.

Ashwin helps clients solve acute problems that arise in the course of doing business in China and position themselves for longer-term success in the country’s rapidly evolving legal and policy environment. He is an expert on Chinese industrial policy and has worked on matters related to a wide range of sectors including technology, financial services, life sciences, and the social sector. Ashwin has also counseled a range of clients on data privacy and cybersecurity-related matters.

As the General Counsel of the American Chamber of Commerce in China (AmCham China), Ashwin serves as a senior officer of the organization and as an ex officio member of its Board of Governors, supporting nearly one thousand member companies in developing their businesses in China and advocating for their needs with China’s central and local governments.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.