A controversial anti-terrorism law now being deliberated in the People’s Republic of China (PRC) is raising concerns among global technology companies.

Under the draft law, telecommunication and internet services providers (or Internet services providers—ISPs, see textbox below for clarification) would be required to install government-accessible “backdoors” and provide encryption keys to public security authorities for any data stored on their servers. The law also requires ISPs to locate their servers and store all PR.-collected user data in China, thereby providing the government the capability to access a wealth of private data, including corporate documents stored on a PRC-based cloud server, and an individual’s personal email or chat logs. If enacted, the law would allow law enforcement personnel to examine such data so long as a terrorist threat were deemed to exist.

President Obama has criticized the technology provisions of the draft law, stating in a recent Reuters interview that the Chinese government would “have to change [the law] if they expect to do business with the United States.” Chinese officials have responded by noting that any government access is limited to law enforcement purposes, in keeping with “general practices internationally,” and essential for national security.

Following international complaint, it appears that China has backed off from plans to promulgate the law during the National People’s Congress now being held in Beijing. China’s Foreign Ministry, however, reports that “deliberations of the draft are still ongoing,” and it looks likely that some form of the law will be passed this year. Companies with operations in China would be wise to familiarize themselves with the present draft, as its provisions are instructive for understanding the future direction of China’s Internet policy.

A note on terminology: “ISP” is used here to refer both to “telecommunication service operators” and to “Internet service providers” (dianxin yewu jingyingzhe and hulianwang fuwu tigongzhe). While the former term is generally used to refer to the operators of China’s backbone telecommunications networks, such as China Telecom, the latter term has appeared in only one government regulation: the “Provisions on the Technical Measures for the Protection of the Security of the Internet.” In that regulation [Chinese], which went into effect March 1, 2006, “Internet service providers” are defined as “work units that provide users with Internet access services, Internet data center services, Internet information services, and Internet web services.” Although it is unclear how broadly the term will be interpreted in any final draft of the anti-terrorism law, it does seem likely that it will cover most providers of online content or services, including cloud computing providers, email providers, mobile messaging tools such as Tencent’s popular WeChat, or those foreign technology firms such as LinkedIn or Evernote licensed to do business in China.

The Draft Law

Although the Anti-terrorism Law is broad in scope, the specific provisions most relevant to ISPs are contained in the law’s Articles 15 and 16. These provisions place the following major requirements on ISPs:

  • Provide “Backdoors” to Government Authorities: Article 15 requires ISPs to install “technical interfaces in the design, construction, and operation of telecommunication and Internet [services].” These technical “interfaces” would act as backdoors for government access. China’s law enforcement authorities may use these backdoors to “prevent” or “investigate” terrorist activities.
  • Provide Encryption Keys to Government Authorities: Article 15 requires ISPs to “report their encryption scheme” to the “departments responsible for encryption [likely the State Commercial Cryptography Administration] for examination.” No further details are given regarding the scope of this “examination.” Article 16 requires ISPs that provide “encrypted transmission services” to file their encryption scheme with “network communication departments [likely the Ministry of Industry and Information Technology] and public security organs,” and to assist such organs in any subsequent investigative work. Essentially, this requires ISPs to provide the encryption keys to relevant government departments for use during any later investigation.
  • Data Localization: Article 15 states that any ISP “providing telecommunications or Internet service within the borders of the People’s Republic of China must locate its related servers and domestic user data within the borders of [China].” This data localization requirement follows on the heels of a similar measure in Russia, and appears aimed at ensuring that the Chinese government has full access to all information transmitted within its borders. This requirement is in keeping with China’s recent embrace of the principle of “cyber-sovereignty,” which holds, in part, that States, rather than a multi-lateral coalition of stakeholders, should be free to regulate all content transmitted within their physical, geographical borders. By requiring international companies to place their servers in China, the draft law would ensure that international companies fall under Chinese jurisdiction.

  • Strengthening of the Firewall: Article 16 states that “[r]esponsible departments may adopt technical measures to stop the dissemination of information with terrorist content available on the international Internet.” This oblique reference to China’s firewall, one of the few found in Chinese law and regulation, suggests a further strengthening of China’s main tool for censoring overseas content. In addition to the data localization requirement discussed above, this provision suggests that China is taking an increasingly narrow view of content delivered from overseas, which may suggest further openings to international technology companies provided they strictly adhere to Chinese law.
  • Monitoring and Reporting: The draft law also directs ISPs to increase their network security and content monitoring systems in accordance with relevant laws and regulations. If an ISP discovers “information with terrorist content,” then it shall immediately cease transmission of the offending information, record all details related to its transmission, and report the matter to the relevant “public security organ” or “other responsible department.” Chinese law currently requires ISPs to monitor and report a number of forms of prohibited content. Under this provision, “terrorist content” would be added to that list.

Political Trends

The Anti-terrorism Law reflects the Party’s concern with two recent developments seen as threatening China’s domestic security.

First, terrorist groups centered in China’s far-west Xinjiang province have carried out a series of attacks against government and civilian interests over the last two years, including mass knifing attacks at train stations in Kunming and Urumqi and the crashing of a Jeep into a group of pedestrians in Tiananmen Square. Attacks by China’s minority Uyghur population on government authorities and ethnic Han Chinese have increased, though specific details of these attacks are generally unattainable given ongoing media restrictions in Xinjiang province.

China’s Anti-terrorism Law is, foremost, a response to these recent acts of terror. From the Chinese point of view, the law is necessary to ensure the safety and security of its citizens, and to prevent any form of social instability that may pose a threat to continued economic development or Party rule.

Second, the draft law’s focus on technology reflects the Party’s increased attention to cybersecurity following Edward Snowden’s allegations of global U.S. government surveillance. China has vociferously defended the draft law at recent press conferences, indicating that the law’s technology requirements are a reasonable response to the current international situation. At one press conference, Chinese officials made a veiled reference to an “other country’s” recent hack of private encryption keys; a not-so-subtle reference to recently published allegations that U.S. and British intelligence had hacked into a private company and obtained the encryption keys to millions of SIM cards used around the world. In a world of such threats, China believes it is justified in seeking clear legal mechanisms to protect and safeguard its national security.

The Draft Law’s Effect on Global Technology

Although it is unclear what shape the draft law will take in its final form, its current provisions are instructive for understanding the direction of China’s Internet policy. If passed, the law could have three major effects on global technology.

  1. Cyber-Sovereignty may further Wall-off the Chinese Internet. The government access rights, data localization requirements and strengthened firewall found in the draft law point to a future Chinese Internet heavily monitored by the Party and further splintered from international norms. Along with recent actions by Russia and Iran, such actions portend a future Internet Balkanized along national lines.
  1. Foreign companies will see increased opportunity—but at a high cost. Although China boasts the greatest number of Internet users and mobile device subscribers of any nation on earth, international Internet companies long have faced difficulties providing their services within the PRC As noted above, China’s new approach to Internet management suggests a scheme by which overseas content is increasingly censored while international technology companies are permitted (and likely encouraged) to locate their servers domestically, thereby falling under Chinese jurisdiction. This could mean increased opportunity for global technology companies to offer their products and services within China, provided they agree to follow Chinese law, tantamount, in some cases, to exercising strict self-censorship. Though the conditions under which this access is granted may prove too burdensome for many global technology companies, we should remember that international companies in other sectors have put up with other arguably onerous requirements in exchange for access to China’s large consumer market. These concessions are not the companies’ preference but are deemed a cost of doing business in China.
  1. Diminished International Markets for Chinese Technology Companies. Along with the international success of Chinese Internet giants like Tencent and Alibaba, China currently boasts a vibrant startup scene still largely overlooked in the West. As this industry matures, Chinese technology firms looking to grow their international market may find themselves stymied by foreign consumers or governments unwilling to adopt their products because of security concerns related to PRC government access. This could prove to be a major blow to one of the true bright spots in China’s slowing economy, frustrating efforts by Chinese policymakers to pursue innovation-led development and a “go global” economic development strategy.

Chinese officials have indicated that the draft law will not be finalized at the current annual meeting of the National People’s Congress, but may be picked up by the Standing Committee and promulgated later this year.