What China’s 2018 Internet Governance Tells Us About What’s Next
Emerging developments in personal information protection, content controls, and the Cybersecurity Law regime
Blog Post
Unsplash / Ralf Leineweber
Jan. 28, 2019
The year 2018 witnessed a busy period of developments in China's internet governance. The landmark Cybersecurity Law went into effect in 2017, and the system of supporting rules and government guidelines around it continued to evolve in 2018, in fits and starts. In some areas, such as the personal information protection, regulation has become more concrete. In other areas of no less importance, such as the scope of “critical information infrastructure” rules, cybersecurity reviews of network products and services, and security assessment for outbound data transfers, final clarifications are still to come.
The Chinese government last year also accelerated establishment of overarching laws in key internet-related areas. It passed the E-Commerce Law, which came into force on January 1, 2019. Other important laws such as the Personal Information Protection Law and the Data Security Law remain in development, appearing on the government’s list of legislation planned for deliberation between 2018 and 2023, indicating that these laws are expected to be passed during this period. The pending Foreign Investment Law may also have implications for China‘s internet ecosystem, and a draft Encryption Law remains in development.
In all of these developments, maintaining government control of a changing cyberspace environment remains a central theme. The Chinese government is a major proponent of “cyber sovereignty,” a perspective that sees the internet as an extension of the physical world and therefore subject to the same intensity of regulation in Chinese life offline. In addition to an emphasis on control, however, the government also strives for a booming digital- and technology-driven economy to maintain support for its rule. Fueling tech-driven growth calls for a mixture of proactive support and regulatory restraint. The 2015 “Internet Plus” initiative to upgrade traditional industries through the use of internet technologies remains a major driving force. Meanwhile, the logic of the digital economy sometimes calls for less government control, to unleash the benefits of easy flows of data and free markets for innovation and fair competition. How the Chinese government will balance the need to control and the need to develop in the context of the fast evolution of the internet, technology, and society is a crucial determining factor in internet governance.
The key legislative and regulatory developments related to China’s internet governance in 2018 reveal hints of what to watch for in 2019 and beyond.
Progress in Protecting Personal Information
Amidst growing public awareness about risks to privacy and misuse of personal information in 2018, the Chinese government sped up the development of its regime around personal information protection—one prominent area in the broader development of a data governance regime. The most noteworthy policy in 2018 on this topic is probably the Personal Information Security Specification (the “Specification”; DigiChina translation forthcoming), which went into effect in May 2018. The Specification is not legally binding, but it is powerful in practice. This 35-page national standard, issued by the National Information Security Standardization Technical Committee, or TC260, has become an essential guideline for Chinese companies addressing compliance with the Cybersecurity Law, which includes several important provisions on personal information protection. The Specification provides more detailed definitions than the law and a series of detailed best practices to achieve compliance, including how to gain valid consent and how to handle sensitive data. Many of the details are very similar to the requirements of the General Data Protection Regulation (GDPR) of the European Union, which also went into effect in May. Despite the fact that the Specification is technically non-binding, Chinese regulatory authorities have frequently relied on it to evaluate whether a business operator has met legal requirements or should receive benefits of certain preferential policies for its data processing performance.
Another major development in personal information protection came in the E-Commerce Law, a high-level law regulating e-commerce transactions. Like the Specification, the E-Commerce Law also includes some provisions aligning with the GDPR. For example, it requires e-commerce business operators to help users exercise the rights of access, rectification, and erasure related to their personal data, and government authorities to adopt necessary measures for data security. Yet more eye-catching is Article 18, which specifies that if a business operator provides personalized search results based on consumer habits and preferences, the operator should also provide non-personalized options as an alternative to ensure fairness.
Personal information protection also features in regulations and policies in certain industries. Examples can be found in the securities and futures industry and the health and medical industry.
In 2019 and beyond, there is more to come in this area, especially for the private sector:
- Among the regulatory moves expected to be finalized in the coming months are the Internet Personal Information Security Protection Guidelines (see DigiChina translation and analysis).
- A published draft Civil Code explicitly lists the right to privacy and the protection of personal information in the Personality Rights Chapter, which may reflect an intention to strengthen the protection of personal information under the realm of civil law, paving the way for the forthcoming Personal Information Protection Law.
- The Personal Information Protection Law is listed for action in the legislative priority agenda of the National People’s Congress (NPC) for 2018–2023, after an earlier draft in 2005 did not result in passage.
- The Data Security Law is also included in this NPC priority agenda. While not many details have been disclosed, this new law is likely to be closely interlinked with the existing National Security Law and Cybersecurity Law, addressing the common practice of data security with a particular emphasis on data generated by certain important sectors such as critical information infrastructure.
When it comes to the two laws slated for NPC work, it is too early to say how they would impact China’s legal regime on personal information protection, since no official drafts have been released, but two overarching laws covering two highly important areas of data regulation will certainly mark a major milestone in the development of China’s data governance regime.
Nevertheless, uncertainties and concerns remain regarding government access to and use of personal information. Business operators in China generally have a duty to provide information requested by government, and the E-Commerce Law underlines those requirements. The Chinese government has also targeted implementation of its Social Credit System system by 2020, although how personal data would exactly be collected, processed and shared in this complicated interdepartmental system is still largely unclear to the public. In addition, selective and arbitrary law enforcement and lack of an efficient redress mechanism for private rights also darken the prospect of a truly effective and comprehensive system to protect personal information from government as well as private actors.
Final details on measures for security assessment of outbound data transfers are also expected soon. The Cybersecurity Law requires data localization by default on “personal information and important data” generated within China by those designated “critical information infrastructure operators” (CII operators). If CII operators wish to transfer such data abroad, a security assessment is required. The Specification has clarified the definition of “personal information,” but other key terms such as “important data” and “CII operators” are still waiting to be clearly defined, as are the detailed procedures for the outbound data transfer security assessment. A few drafts of the related supporting rules and guidelines were released for public comment in 2017, but after minimal public updates in 2018, industry is looking for clarification in 2019.
Increased Content Restrictions
Censorship is not new in China, but 2018 brought new developments in regulatory environment governing online content. The new Provisions on the Administration of Microblog Information Services joined the system of internet content regulations centered around the 2017 Provisions for the Administration of Internet News Information Services. The wide-reaching system divides online content into eight sectors: internet search, online forums (BBSs), live-streaming, mobile apps, comments posting, group discussion, microblogs, and public accounts (used primarily on WeChat by organizations and individuals to openly publish information to the account’s subscribers). In contrast to the intermediary liability law in the United States that generally exempts online platforms from liability for user-generated content, China imposes strict liabilities on almost all kinds of internet-related service providers, with obligations such as ensuring users’ real identities are known to the providers, promptly detecting and blocking the dissemination of illegal content, and providing technical support and assistance when government authorities request it.
Content controls have also been extended to the blockchain field. Under the early 2019 Regulations on Blockchain Information Services Management, blockchain service providers are similarly required to censor information, ensure real-id registration, and provide technical support and assistance to the government. These demands, of course, contradict the fundamental spirit and architecture of blockchain systems, and could accordingly curb the technology's development in China.
The aggressive content control efforts are further demonstrated by the Regulations for the Security Assessment of Internet Information Services Having Public Opinion Properties or Social Mobilization Capacity, which took effect in late 2018. This regulation seeks to ensure an efficient monitoring system to continuously keep pace with the fast technology evolvement, requiring any online service that has or introduces features that allow the public to express opinions or could bring about social mobilization to conduct a “security assessment” so that the provider will be capable of blocking the dissemination of “unlawful or harmful information” and promptly detecting any collective action. The service provider also must provide technical and data support for government oversight and investigation.
Broadening Government Scrutiny on Internet-Related Products and Services
In 2018, government authority was broadened and strengthened in a wide range of internet-related industries on the grounds of national security concerns. Under the 2015 National Security Law, “national security” is defined to encompass almost every aspect of society, from financial to cultural. This law requires “secure and controllable” systems in core network and information technologies, critical infrastructure and information systems, and data in important fields. In this vein, the Cybersecurity Law and a host of supporting rules and policies impose a series of rigorous requirements on cyber-related industries.
Entering 2019, while the highly anticipated implementation rules on outbound data transfer are not yet finalized, the outbound transfer of intellectual property rights—which had already been restricted for many years—became subject to an even tougher government scrutiny with a more formal procedure focused on national security. A draft of the Regulations on Cybersecurity Multi-level Protection Scheme (MLPS) released in June 2018 would also upgrade the 2007 MLPS that imposes cybersecurity requirements for systems according to their level of sensitivity.
Looking forward, numerous industry guidelines are likely to be issued after the annual NPC meeting in March. And together with the Personal Information Protection Law and the Data Security Law, China also plans to launch the Encryption Law by 2023. Based on the released draft, this will be another law with broad scope, applying to all aspects of the encryption industry such as development, manufacturing, selling, and import and export. More worrisome, though expectedly, telecommunication and internet service providers will have a duty to provide decryption support at government request for the purposes of criminal investigation and national security. The regulatory agent would also be authorized to conduct on-site inspections, copy materials, and seal up products, equipment, and business premises, raising the potential for abuses of power.
Conclusion
China’s regulatory regime governing many aspects of cyberspace remains a work in progress. As the governance structure becomes more concrete with each new release, and as more enforcement actions take place, DigiChina will continue to monitor these developments.
Thanks to Paul Triolo and Graham Webster for valuable comments and editing.