China passed its first cybersecurity law on November 7, 2016, just a week after its third draft was proposed to the Standing Committee of the National People’s Congress, often deemed China’s rubber-stamp parliament.

Many China watchers are concerned about increasing state censorship and control over the Internet, and foreign technology firms consider the law an act of protectionism. In contrast, Yang Heqing, spokesman for the NPC’s Legislative Affairs Commission, dismissed these concerns at a press conference on Monday, saying that the law “is to protect the security and credibility of the Internet.”

What impacts would China’s Cybersecurity Law have on the industry and domestic Internet companies in particular? How significant is it?

The first and probably most predictable impact is that Internet companies are required to take on an even heavier role in monitoring, managing, and storing content on their platforms. As a consequence, small companies or startups might be forced out of business.

Article 10 of the Cybersecurity Law stipulates that “companies that build, maintain the Internet or provide service through Internet shall follow laws and administrative regulations as well as mandatory requirements set by the state’s standards. They shall take technical and other necessary measures to ensure the Internet is functioning safe and stable, handle cybersecurity incidents effectively, prevent cyber criminal activities, and maintain the integrity, secrecy and usability of Internet data.”

In particular, Internet companies are required to “monitor and log operational status of the network”. Earlier in April this year, more than 20 companies that provide live-streaming services signed self-disciplinary agreements for content regulation which require user-generated content be stored for at least 15 days. Under the new cybersecurity law, that is far from enough. According to Article 21, Internet logs and relevant data shall be “stored for at least six months”.

While it is legitimate to ask Internet companies to safeguard Internet users against potential cyber attacks and cybersecurity threats, the data storage requirement puts an extra, if not unreasonable, burden on small companies. It is especially challenging for multimedia sharing companies and social media platforms with a large number of users uploading pictures and videos every second. The math is simple: the longer a company needs to store its data and user content, the more bandwidth and storage room it needs, and the more it has to pay for them.

Second, according to Article 50, all Internet companies are required to stop dissemination of illegal content and comply with relevant laws and regulations on online information control.

This is nothing new. As Rebecca MacKinnon, a prominent US-based Internet researcher, poignantly pointed out and proved in 2009, all Internet companies in China have to comply with government censorship demands in order to keep their business licenses. Still, some half-jokingly take it as a positive and comment that “it is a step forwards towards rule of law.”

The third and perhaps less direct impact falls on smart device makers, online game operators, and other child-targeted service providers.

In early October, China’s Cyberspace Administration (CAC) proposed strengthening its policies on Internet safety for children, which would require smart device makers and importers to either pre-install child-protection software on their products or provide easy guidelines on how to install that software, a measure similar to the country’s (in)famous requirement proposed in 2009 that asked all personal computers sold in the country to include Internet filtering software called Green Dam. CAC also proposed that online-game operators shall lock out anyone under the age of 18 between midnight and 8 AM.

While the draft rules are still under review and haven’t triggered much debate in the country, the new Cybersecurity Law has sparked a new round of concerns over the proposal. In fact, Article 13, which talks about child-safety protection, was never in the first or second draft. It was added at the last minute to the current and final version of the law. As one China-based Internet watcher pointed out, “the timing is weird…[T]he new law certainly lays grounds for CAC to pass its child-safety rules.”

In contrast to all the concerns and doubts is the optimism of China’s lawmakers, who described the law as necessary to bolster the country’s data security at a time of increasing cybersecurity threats.

According to Yang, the spokesman at the press conference on Monday, in addition to reinstating China’s long-advocated concept of Internet sovereignty, the newly passed cybersecurity law has a number of highlights: it is “an important move to enforce the overall national security plans”, it is “a necessity to maintain internet security” since China is a “giant Internet country which is facing one of the most severe cybersecurity threats”, and it is timely in meeting the public’s demands and helping to “purify the cyberspace”. The law, which has seven chapters and 79 articles in total, is “comprehensive and encompassing” in that it specifies the responsibilities of relevant government agencies, Internet service providers, and Internet users.

Although the actual short-term or long-term objectives and impacts of the cybersecurity law are yet to unfold, it seems to some that the law is more of a “warning” after all. “Many of the measures are in place already. Your actions and words have been under surveillance already.” Zhang Lifan, a Chinese historian, concluded that “whether it is national security law or cybersecurity law, they are both an effort to secure the regime and its power.”

This article also appears on The Diplomat
