On December 27, 2015, the Standing Committee of the National People’s Congress (NPC), China’s top legislative body, enacted a Counter-Terrorism Law (see the Chinese version here, and an unofficial English translation here), which took effect on January 1, 2016.  The adoption of this law, a year after the first draft was released for public comment, followed closely the adoption of a new National Security Law and a draft Network Security Law.

The Counter-Terrorism Law reinforces the government’s broad powers to investigate and prevent incidents of terrorism and requires citizens and companies to assist and cooperate with the government in such matters.  The law imposes additional and specific obligations on companies in certain sectors, including those providing telecommunications, Internet, and financial services.  Non-compliance or non-cooperation can lead to significant penalties, including fines on companies and criminal charges or detention for responsible individuals. In some respects, the new law provides greater, higher-level legal authority to pre-existing regulations and practice. In others, it imposes new obligations or makes existing obligations more specific (e.g., penalties).

The law’s broadly-worded requirements create some uncertainty as to their implications for companies’ data protection and security policies. The final version of the law removes some of the more controversial requirements of the draft versions, including the requirement that telecommunications and Internet services providers install “backdoors” into their products, register encryption keys with the government, and keep servers and data related to Chinese users within the country. Nonetheless, the law imposes new requirements that require careful attention. For example, telecommunications and Internet services companies must:

  • Provide technical support and assistance, including handing over access or interface information and decryption keys; and
  • Establish content monitoring and network security programs and adopt precautionary security measures to prevent the dissemination of information on extremism, report terrorism information to the authorities in a timely manner, keep original records, and promptly delete such messages to prevent further circulation.

Companies in many other sectors, such as freight, transportation, and hospitality (including car rental), as well as providers of telecommunications, Internet, and financial services, are required to conduct identity checks of their customers or clients and refuse to provide services to those that decline to provide such information. It is unclear how these new provisions will interact with other provisions that require companies to collect certain types of personal data only with permission from customers.

These specific requirements are framed against the backdrop of more general obligations to assist government authorities in counter-terrorism investigations and operations. As is common with high-level Chinese laws, the language in the new Counter-Terrorism Law, including the definition of “terrorism” itself, is broad, leaving significant discretion in the hands of the responsible agencies. The contours of its implementation in practice, including its implications for companies handling user data and information, may become clearer as implementing regulations are issued.

Material for this post was contributed by Yan Luo of Covington & Burling LLP.

Print:
EmailTweetLikeLinkedIn
Photo of Ashwin Kaja Ashwin Kaja

Ashwin Kaja is special counsel in the firm’s Beijing office and is a member of the firm’s International Trade, Public Policy, Data Privacy & Cybersecurity, and Anti-Corruption practice groups. He has advised multinational companies, governments, and other clients on a range of matters…

Ashwin Kaja is special counsel in the firm’s Beijing office and is a member of the firm’s International Trade, Public Policy, Data Privacy & Cybersecurity, and Anti-Corruption practice groups. He has advised multinational companies, governments, and other clients on a range of matters related to international trade, public policy and government affairs, data privacy, foreign investment, anti-corruption compliance and investigations, corporate law, real estate, and the globalization of higher education. He also serves as the China and India editor for Covington’s GlobalPolicyWatch.com. Mr. Kaja is also a certified information privacy professional (CIPP/US). Prior to joining the firm, Mr. Kaja was an associate at another major international law firm in Beijing.

Photo of Yan Luo Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the…

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.