On Monday, November 7, 2016, the Standing Committee of the National People’s Congress of China promulgated a new cybersecurity law, providing the Chinese government with sweeping authority to regulate and monitor internet services. The impetus for the law was a perceived threat to local Chinese networks from malicious hackers, but the bill greatly affects both domestic and foreign companies operating within China’s borders and covers a wide range of activity relating to the use of the internet and information and communications technologies (“ICT”).  Among other provisions, the new law imposes data localization, surveillance, and real-name requirements.

More than 40 business groups from the U.S., Europe, and Asia petitioned Chinese Premier Li Keqiang in August, arguing that the new law would isolate China from the wider digital economy and could actually have the unintended effect of putting data security at risk. The critics pressed the Chinese government to make major changes to the law, but contentious provisions remained in the final draft passed by China’s legislature last week.

Of particular concern to businesses, the data localization rules will require businesses operating in “critical” areas to store inside China any personal information or important data that they gather within the country.  The law’s definition of “critical” is expansive, including ICT services, energy, transport, water resources, finance, and e-government.  Multinational companies have expressed concern that the hindrance on cross-border flow of business data will require expensive new investments in infrastructure to carry on business and will actually increase the risk of data theft. 

The surveillance requirement imposes a duty upon companies to report “network security incidents” to the Chinese government and to inform consumers of breaches, in addition to providing “technical support” to government agencies during investigations.  These terms are undefined, and some fear this provision will require businesses to reveal proprietary technologies and turn over security keys for inspection. 

The cybersecurity law will also mandate that instant messaging services and other internet companies require users to register with their real names and personal information, and to censor content that is “prohibited,” which is also an undefined term.  Commentators have noted that real-name policies have a self-censoring effect on online communications.  The new law also criminalizes certain categories of content, including that which encourages “overturn[ing] the socialist system,” “creating or disseminating false information to disrupt the economic or social order,” or “inciting separatism [or] undermining national unity.” 

The broad array of regulations and potential punishments within the new law will serve primarily to enhance China’s control over domestic internet activity, but the method of implementation and enforcement remains to be seen, as the law is not slated to go into effect until June 1, 2017.