After beginning the third reading of the draft last week, the National People’s Congress Standing Committee has passed China’s first cybersecurity law amid resounding international protest. Drafts of the law had attracted criticism for their potential to further restrict and legally codify China’s tightly controlled internet, as foreign business interests have cautioned that vague language could “undermine global trade, technological innovation, and the benefits of informatisation.” At The Wall Street Journal, Josh Chin and Eva Dou report on stipulations contained in the newly passed legislation, set to come into effect in June of next year, which remain controversial:
The law, passed by the standing committee of China’s rubber-stamp parliament and made public on Monday, says agencies and enterprises must improve their ability to defend against network intrusions while demanding security reviews for equipment and data in strategic sectors. The law also makes censorship a matter of cybersecurity, threatening to punish companies that allow unapproved information to circulate online.
[…] Many provisions of the law codify existing practices, including that the government can restrict internet access “in certain regions” in the event of an emergency and that network operators should demand users register with their real names.
Other provisions in the law promote the training of cybersecurity experts, restrict the use of individuals’ personal data and empower the government to punish organizations or individuals who hack into China’s critical infrastructure, including by freezing their assets.
“This is about how the internet might harm the Chinese state in the broadest sense possible,” said the University of Leiden’s Mr. [Rogier] Creemers. [Source]
At Reuters, Sue-Lin Wong and Michael Martina report further on continuing criticism of the law from foreign businesses and rights groups:
Overseas critics of the law say it threatens to shut foreign technology companies out of various sectors deemed “critical”, and includes contentious requirements for security reviews and for data to be stored on servers in China.
Rights advocates also say the law will enhance restrictions on China’s Internet, already subject to the world’s most sophisticated online censorship mechanism, known outside China as the Great Firewall.
[…] Contentious provisions remained in the final draft issued by the parliament, including requirements for “critical information infrastructure operators” to store personal information and important business data in China, provide unspecified “technical support” to security agencies, and pass national security reviews.
[…] Zhao Zeliang, director of the Cyberspace Administration of China’s cyber security coordination bureau, told reporters that every article in the law accorded with rules of international trade, and China would not close the door on foreign companies. [Source]
Just ahead of the law’s passing, Human Rights Watch detailed how the “fundamentally abusive aspects of the initial draft remain unchanged,” and along with other recent legislation enforce the idea that peaceful critique of the government is a matter of state security:
“Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes,” said Sophie Richardson, China Director. “The already heavily censored Internet in China needs more freedom, not less.”
[…] Article 46 of the final draft also prohibits individuals or groups from establishing “websites and communication groups” that are used for “spreading criminal methods” or “other information related to unlawful and criminal activities.” But as critical stories or protest are regularly criminalized in China, this article may encourage further self-censorship on social media.
[…] The Cybersecurity Law is the last of a recent set of new national security related pieces of legislation promulgated by the Chinese government since 2014, which includes the State Security Law, the Counterterrorism Law, and the Foreign NGO Management Law. Together, these laws wrongly promote the idea that peaceful criticism against the government is a threat to state security. […] [Source]
See also CDT coverage of the state security, counterterrorism, and foreign NGO management laws. The recent trend represented by these laws has been described by The New York Times’ Edward Wong as part of a legislative trend to reinforce “ideological security.”
At Quartz, Josh Horwitz reports on vague language in the law that appears aimed at effectively complicating foreign companies’ navigation of business in China:
“Generally speaking, all companies want to be in compliance. And because the laws are vague, companies don’t know how to be in compliance,” the same source tells Quartz. “Foreign companies who have the technology and have the impetus to get into the China, or continue servicing their customers [there], they’re not getting the necessary information to do so. And since the information isn’t there, they’re shut out of the market.”James Zimmerman, chairman of the American Chamber of Commerce in China, argued the law has less to do with cybersecurity than protectionism.
“In terms of improving security, this law is at best a missed opportunity, and some of the measures seem to emphasize protectionism rather than security,” he wrote in a statement. “But one thing is for sure: the more difficult it is for data to travel across the Chinese border, the more difficult it will be for companies inside those borders to innovate, and China risks becoming isolated technologically from the rest of the world.” [Source]