JURIST Guest Columnist Markus Rauschecker of University of Maryland, Francis King Carey School of Law discusses the effects of a new Chinese cybersecurity law and the need for response by the US Congress…

China’s Standing Committee of the National People’s Congress recently adopted [Chinese] a new comprehensive cybersecurity law. Throughout its drafting the law has been heavily criticized by businesses as well as human rights groups. Businesses have expressed their dismay that the law is overly broad and vague, making compliance difficult. Moreover some of the law’s requirements would establish real barriers to conducting business. Human rights groups are also concerned about the law’s breadth and vagueness. Some of the law’s provisions may be used to suppress activities deemed contrary to Chinese state interests. Even more troubling is that the law explicitly establishes censorship of certain online expression.

The Chinese government has continually argued that it needs to do more to secure against the barrage of cyber threats and also protect national security. As expressed in Article One of the cybersecurity law, the law’s intent is to “ensure network security, to safeguard cyberspace sovereignty, national security and the societal public interest, to protect the lawful rights and interests of citizens, legal persons and other organizations, and to promote the healthy development of economic and social informatization.” To understand business and human rights groups’ concerns about the law, it is helpful to look at some of the more significant provisions of this extensive cybersecurity law.

From a business interest perspective, one of the most troubling provisions of the cybersecurity law is the requirement that data generated within China by critical information infrastructure operators, must be stored in China [Chinese]. The current lack of a clear definition of, “critical information infrastructure operators” means it is uncertain which businesses would have to store data in China and which businesses would be exempt from this obligation. The law does provide that, upon review, the state may grant exemptions to this data provision if there is a business need to store information outside of mainland China. Nonetheless, this legal requirement will be a significant burden to companies that operate internationally and rely on the ability to transfer data across borders.

The new law also establishes an even greater basis for government involvement in business practices. With the justification of protecting national security, the Chinese state is requiring businesses [Chinese] that purchase network products and services that might impact national security to go through “a national security review organized by the State network information departments and relevant departments of the State Council”. Additionally, the law requires businesses to provide technical assistance to law enforcement [Chinese] in matters of national security and in criminal investigations.

These provisions all raise questions and uncertainty for businesses about their legal obligations. Will businesses be required to provide Chinese authorities with source code, or propriety information, or backdoor access into encrypted data? The answers to these questions are unknown at this time, but, based on the broad language of the law, it is likely that businesses would have to comply with such governmental requests.

Businesses who violate the law [Chinese] may face penalties in the form of fines or even the “temporary suspension of operations, a suspension of business for corrections, closing down of websites, cancellation of relevant operations permits or cancellation of business licenses” or the freezing of assets.

Foreign technology companies have been very outspoken in their opposition to the new law. James Zimmerman, the chairman of the American Chamber of Commerce in China, said the controversial provisions are “vague, ambiguous and subject to broad interpretation by regulatory authorities.”

This past August over 40 business groups from the US, Europe and Asia sent a letter [PDF] to Chinese Premier Li Keqiang to voice their concerns about the cybersecurity law. In their letter, the business groups asserted that the new law would not create any additional security benefits and would actually create a barrier to entry and trade for companies. Moreover the businesses are concerned that the law’s data retention and law enforcement assistance requirements could actually expose system and personal information to malicious actors.

Of course the business requirements described above immediately raise human rights concerns as well. Leading human rights organizations have criticized the law. Human Rights Watch [official website] has called the new law “a regressive measure that strengthens censorship, surveillance, and other controls over the Internet.” Moreover, “while many of the law’s measures are not new, most were previously only informally applied or defined in lower-level regulation. Elevating these powers in the cybersecurity law sends a signal that the government may enforce the requirements more strictly, leaving less leeway for tech companies to avoid implementation.”

Most troubling is that the law explicitly provides for censorship of activities and speech that the Chinese state finds objectionable. Article Twelve provides that:

“any person and organization using networks shall abide by the Constitution and laws, observe public order and respect social morality; they must not endanger network security, and must not use the network to engage in activities endangering national security, national honor and interests, inciting subversion of national sovereignty, the overturn of the socialist system, inciting separatism, undermining national unity…creating or disseminating false information to disrupt the economic or social order.”

Remarkably the law also requires [Chinese] that users of Internet services must provide their real names and identities when signing up for services. This requirement will likely effectuate censorship in that individuals will be extremely cautious in expressing their views if they lack anonymity.

During a public comment period, Amnesty International [official website] issued a report on the draft legislation [PDF] in which it argued that the cybersecurity law “would legalize censorship and surveillance in the name of national security beyond the requirements set out in international law, including strict tests of necessity and proportionality.”

The Chinese cybersecurity law is set to go into effect in June 2017. Until then, and beyond that time, the business community, human rights organizations and other stakeholders should continue to speak out against the law’s distressing provisions.

However the Chinese law should also be seen as a call to action for the US Congress. Countries around the world are grappling with cyber threats. Yet different countries have very different views on how to best address these threats. Technological abilities, legal structures, and fundamental values all affect the varying approaches to cybersecurity. As countries are evolving in their ways of advancing cybersecurity, it is imperative that the US proposes an alternative to the Chinese model.

A law passed by Congress will not only help to address some of the cybersecurity challenges that exist within the US, but it would also serve as a powerful counterexample to the Chinese law. Congress must pass a law that demonstrates how to address cybersecurity, while appropriately balancing the interests of security, business, civil liberties and privacy. Certainly this is no easy task. Yet the adoption of China’s cybersecurity law makes it more important than ever that Congress makes comprehensive cybersecurity legislation a priority.

Markus Rauschecker is the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security (CHHS) and is Adjunct Faculty at the University of Maryland Francis King Carey School of Law. Currently, he teaches a Law and Policy of Cybersecurity course and a course in Cyber Crimes.

Suggested citation: Markus Rauschecker, China’s New Cybersecurity Law is a Call to Action for Congress, JURIST – Academic Commentary, Nov. 26, 2016, http://jurist.org/forum/2016/11/Markus-Rauschecker-Chinas-new-cyersecurity-law-is-a-call-to-action-for-congress.php