On December 27, 2015, the Standing Committee of the National
People's Congress, China's national legislative body,
passed the Counter-Terrorism Law of China, which entered into force on
January 1, 2016. Although the law's precise breadth and
scope are yet to be determined, the law has important implications
for companies deploying encryption technology as part of their

As an initial matter, the Counter-Terrorism Law applies to
telecommunications operators and internet service providers in
China, but may very well be construed much more broadly.
Specifically, the concept of an internet service provider is not
clearly defined under Chinese law, and could refer to any business
that provides services via the internet in China. This would
sweep in the majority of global, including U.S.-based, technology
companies with equipment, offices, employees and/or customers
present in the Chinese marketplace.

Substantively, two key cybersecurity and privacy-related
provisions of the Counter-Terrorism Law require that
telecommunications operators and internet service providers:

Provide technical support and assistance to government
investigators by, among other things, providing access to technical
interfaces and decryption keys to law enforcement authorities and
national security authorities to support terrorism prevention and
investigation activities (Article 18).

Implement network security, information content-monitoring
systems and measures designed to prevent the dissemination of
content containing terrorism and extremism, to delete such
information, and to immediately report to the Chinese police

A violation of the new law carries stiff penalties that may
include corporate fines, as well as criminal charges and detention
of individuals. It is noteworthy that the Counter-Terrorism
Law does not include two highly controversial provisions from the
draft bill published in 2014. Those provisions would have
required telecommunications operators and internet service
providers to design and pre-install "back doors" into
their products or services, and to maintain data centers storing
Chinese user data exclusively in China. While the lack of
these provisions in the final legislation is a good sign, under
Article 18, companies may still be asked by Chinese authorities for
"technical interfaces" into systems that are tantamount
to back doors, though the specific contours of enforcement remain

Interestingly, China's Counter-Terrorism Law raises a debate
regarding encrypted communications similar to the current fight in
the U.S. between technology companies' desire to keep data
flows "safe" through encryption, and the U.S.
Government's suggestion that encrypted communication flows
hamper its ability to collect actionable intelligence.
Although there is currently no requirement in the U.S. that
companies maintain the encryption keys to their users'
information to comply with U.S. government requests for
information, Chinese law appears likely to require keeping the key
and making it available in connection with a terrorism
investigation. Companies subject to jurisdiction in China
should carefully consider this dichotomy in setting up and
maintaining a global security program when encryption is a
significant portion of that strategy.

Other key privacy and security-related provisions of the
Counter-Terrorism Law include the following:

The creation of a national leading agency for counter-terrorism
work that is charged with enforcement authority and designation of
terrorist activities and terrorist groups or individuals (Article

Companies must freeze the funds or assets of
publicly-identified terrorist groups and individuals, and
promptly report such groups or individuals to the public security
authorities under the State Council, the national security
authorities and the anti-money laundering authorities (Article

Business operators or service providers of telecommunications,
internet, finance, accommodations, long-distance passenger
transportation, and automobile rental must check the identity of
customers, and deny service to those who refuse or cannot be
identified (Article 21). The authorities have not issued any
guidelines regarding how Article 21 may be enforced, which is
likely to prove challenging for companies given that it is unclear
what measures companies must take to verify the identities of
online consumers who may use a fake name to register an

In sum, the final Counter-Terrorism Law excludes some highly
problematic provisions from the draft bill, but still imposes a
high duty on companies to cooperate in the investigation and
perhaps even prosecution of terrorists. How these rules are
ultimately interpreted and enforced will be critical for
multi-nationals doing business in China.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.