China: Abusive Cybersecurity Law Set to be Passed
Human Rights Watch, 7 November 2016
Human Rights Watch — The Chinese government is set to adopt the Cybersecurity Law, a regressive measure that strengthens censorship, surveillance, and other controls over the Internet, Human Rights Watch said today. China’s top legislative body, the National People’s Congress Standing Committee, held a third and final reading on the law on October 31, 2016, and is expected to pass the law by the end of its October 31-November 7 session.
“Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes,” said Sophie Richardson, China Director. “The already heavily censored Internet in China needs more freedom, not less.”
The third and final reading draft, which has not been officially published, reflects some changes from the first draft. Yet the fundamentally abusive aspects of the initial draft remain unchanged. The final draft:
- Requires a range of companies to censor “prohibited” information and restrict online anonymity, including by demanding that companies require users to provide their real name and personal information. The final law adds instant messaging services to the list of service providers subject to real-name requirements;
- Requires “critical information infrastructure operators” to store users’ “personal information and other important business data” in China. The final draft narrows the scope to only data that is related to a firm’s China operations, but the term “important business data” is undefined, and companies must still submit to a security assessment if they want to transfer data outside the country. The definition of “critical information infrastructure” remains vague and could encompass a broad range of companies;
- Requires companies to monitor and report to the government undefined “network security incidents,” as well as provide undefined “technical support” to security agencies to aid in investigations, raising fears of increased surveillance. The final draft further specifies that network operators must retain network logs for at least six months and accept government supervision; and
- Provides a legal basis for potentially large-scale network shutdowns to respond to “major [public] security incidents.”
The final draft contains two noteworthy changes compared to the first. In addition to prohibiting individuals from using the Internet to “endanger national security, advocate terrorism or extremism, [or] propagate ethnic hatred and discrimination,” article 12 of the second draft also prohibits them from “overthrowing the socialist system” and “fabricating or spreading false information to disturb economic order.” The third draft adds to this list, banning the use of the Internet “to incite separatism or damage national unity.” These crimes, some codified in criminal law, are regularly used to punish and jail peaceful activists and can result in lengthy sentences.
Article 46 of the final draft also prohibits individuals or groups from establishing “websites and communication groups” that are used for “spreading criminal methods” or “other information related to unlawful and criminal activities.” But as critical stories or protest are regularly criminalized in China, this article may encourage further self-censorship on social media.
The law does incorporate privacy protections for users regarding how private companies must safeguard their personal data or notify them of potential breaches or security vulnerabilities. However, the law fails to impose adequate protections for the right to privacy where security agencies monitor networks, investigate cybercrime, or access data held by companies.
While many of these measures are not new, most were previously only informally applied or defined in lower-level regulation. Elevating these powers in the Cybersecurity Law sends a signal that the government may enforce the requirements more strictly, leaving less leeway for tech companies to avoid implementation.
The Chinese government has a long record of tightly controlling online speech through censorship, harsh punishments, and the use of restrictive technologies. But Internet control has reached new heights since President Xi Jinping assumed power in March 2013.
In the past year alone, authorities have issued multiple directives to gag online speech, such as by requiring staff to monitor content round the clock, criminalizing the “spreading of rumors” about natural disasters, and issuing new rules requiring app providers to keep user logs for 60 days to reduce the spread of “illegal information.” Individuals including human rights lawyer Pu Zhiqiang and Uyghur economist Ilham Tohti have been prosecuted for online discussions of state policy. Recently, a leaked police report described virtual private networks (VPNs), widely used by businesses, journalists, and ordinary users to protect their privacy and evade the “Great Firewall,” as “terrorist software.”
The Cybersecurity Law is the last of a recent set of new national security related pieces of legislation promulgated by the Chinese government since 2014, which includes the State Security Law, the Counterterrorism Law, and the Foreign NGO Management Law. Together, these laws wrongly promote the idea that peaceful criticism against the government is a threat to state security.
While many states are debating cybersecurity legislation, China’s law should be viewed within a legal framework where threats to “information security” are defined broadly enough to include sharing information that diverges from official narratives, and where “preserving Internet sovereignty” is the overarching goal. Any cybersecurity legislation should protect freedom of expression, privacy, and other human rights, as well as increase the security of Internet networks.
“If online speech and privacy are a bellwether of Beijing’s attitude toward peaceful criticism, everyone – including netizens in China and major international corporations – is now at risk,” said Richardson. “This law’s passage means there are no protections for users against serious charges.”