China passed its first cybersecurity law on November 7, 2016, just a week after its third draft was proposed to the Standing Committee of the National People’s Congress, often referred to as China’s rubber-stamp parliament.
Many China watchers are concerned about the increasing state censorship and control over the Internet and foreign technology firms consider the law an act of protectionism. In contrast, Yang Heqing, spokesman for the NPC’s Legislative Affairs Commission, at a press conference on Monday dismissed these concerns, saying that the law “is to protect the security and credibility of the Internet.”
What effects will China’s Cybersecurity Law have on the industry and domestic Internet companies in particular?
The first and probably the most predictable effect is that Internet companies will be required to take on an even heavier role of monitoring, managing, and storing content on their platforms. As a consequence, small companies or startups might be forced out of business.
Article 10 of the Cybersecurity Law regulates that:
companies that build, maintain the Internet or provide service through the Internet shall follow laws and administrative regulations as well as mandatory requirements set by the state’s standards. They shall take technical and other necessary measures to ensure the Internet is functioning safely and stably, handle cybersecurity incidents effectively, prevent cyber criminal activities, and maintain the integrity, secrecy and usability of Internet data.
In particular, Internet companies are required to “monitor and log the operational status of the network.” Earlier in April this year, more than 20 companies that provide live-streaming services signed self-disciplinary agreements for content regulation, which require user-generated content be stored for at least 15 days. Under the new cybersecurity law, that is far from enough. According to Article 21, Internet logs and relevant data shall be “stored for at least six months.”
While it is legitimate to ask Internet companies to safeguard Internet users against potential cyber attacks and cybersecurity threats, the data storage requirement puts extra, if not unreasonable, burdens on small-sized companies. This is also especially challenging for multimedia sharing companies or social media platforms with a large amount of users uploading pictures and videos every second. The math is simple: the longer a company needs to store its data and user content, the more bandwidth and storage room it needs, and the more it needs to pay for those products.
Second, according to Article 50, all Internet companies are required to stop the dissemination of illegal content and comply with relevant laws and regulations on online information control.
This is nothing new; Rebecca MacKinnon, a prominent U.S.-based Internet researcher, poignantly pointed out and proved in 2009 that all Internet companies in China have to comply with government censorship demands in order to keep their business licenses. As a result, some half-jokingly took Article 50, which codifies such demands, as a positive, commenting that “it is a step forwards toward rule of law.”
Third, and less directly, there will be an added impact on smart device makers, online game operators, and other child-targeted service providers.
In early October, China’s Cyberspace Administration (CAC) proposed strengthening its policies on Internet safety for children, which require smart device makers and importers to either pre-install child-protection software on their products or provide easy guidelines on how to install those software — a measure similar to the country’s (in)famous requirement proposed in 2009 that asked all personal computers sold in the country to include an internet filtering software called Green Dam. CAC also proposed that online game operators lock out anyone under the age of 18 between midnight and 8 a.m.
While the CAC draft rules are still under review and hadn’t triggered too much debate in the country, the new Cybersecurity Law sparked a new round of concerns over the proposal. In fact, Article 13, which talks about child-safety protection, was not included in the first or second draft. It was added, quite last-minute, to the current and final version of the law. As one China-based Internet watcher pointed out, “the timing is weird…[T]he new law certainly lays grounds for CAC to pass its child-safety rules.”
In contrast to all the concerns and doubts, China’s lawmakers are optimistic. They described the law as necessary to bolster China’s data security at a time of increasing cybersecurity threats.
According to Yang, spokesperson at the press conference on Monday, in addition to reinstating China’s long-advocated concept of Internet sovereignty, the newly passed cybersecurity law also has a number of highlights: it is “an important move to enforce the overall national security plans”; it is “a necessity to maintain internet security” since China is a “giant Internet country, which is facing one of the most severe cybersecurity threats”; and it comes in timely fashion to meet the public’s demands and to “purify cyberspace.” The law, which has seven chapters and 79 articles in total, is “comprehensive and encompassing” in that it specifies the responsibilities of relevant government agencies, Internet service providers, and Internet users.
Although the actual short-term or long-term objectives and impacts of the cybersecurity law are yet to unfold, it seems to some that the law is more of a “warning” after all. “Many of the measures are in place already. Your actions and words have been under surveillance already,” Zhang Lifan, a Chinese historian, concluded. “Whether it is national security law or cybersecurity law, they are both an effort to secure the regime and its power.”
Lotus Ruan (@lotus_ruan) holds a Master’s degree in Asia Pacific Policy Studies from the University of British Columbia. She writes on the Internet, social media, and China-related research. Follow her blog here.