Mar 72016

Technology Companies Should Prepare for Implications of China’s New Anti-Terrorism Law

Colleen Theresa Brown, Yuet Ming Tham and Jillian Lee
, , , , , ,

On January 1, 2016, China’s National People’s Congress Standing Committee enacted the new Anti-Terrorism Law (反恐怖主义法) that gives broad powers to the Chinese authorities to access and handle data held by telecommunications operators and internet providers (together, “Technology Companies”).  This law provides a legal framework to compel Technology Companies to cooperate and assist the Chinese authorities to combat the threat of “terrorism.”

The Anti-Terrorism Law broadly defines “terrorism” as “any activity or proposition that through violence, sabotage, threat, or other means, generates social panic, undermines public security, infringes upon personal and property rights, or menaces state authorities and international organizations with the aim of realizing a political, ideological, or other purpose.”  Due to this flexible definition, critics of this law have voiced concerns that the Chinese authorities may use its discretionary powers in broad ways, such as oppressing dissent in China, in the name of preventing terrorism.  These concerns are particularly salient for telecommunications operators and internet providers that place a high value on the open flow of communications, and could face global backlash for perceptions that they restrict free speech.

Critics have also voiced concerns about the data protection consequences of the new law.  Among the articles of the Anti-Terrorism Law aimed at preventing terrorism, two articles have particular data privacy implications for Technology Companies.

  • Article 18 requires Technology Companies provide technical assistance to public security agencies in their prevention and investigation of terrorist activities.  The scope of assistance expected of Technology Companies remains unclear as Article 18 of the Anti-Terrorism Law provides that Technology Companies are expected to provide decryption technology, technical interfaces, and “other technical support assistance.”  The breadth of flexibility of this provision gives Chinese authorities discretion to determine the kind and scope of assistance they can require from Technology Companies.  Particularly as debate heats up in the United States over government demands for decryption assistance, this provision may well lead to further tension and cybersecurity concerns for Technology Companies.
  • Article 19 requires Technology Companies have in place network security and content monitoring systems, together with safety measures to prevent dissemination of terrorist or extremist content.  If terrorist or extremist content is discovered, Technology Companies are required to prepare a report for public security agencies or other relevant departments.  Technology Companies are also expected to have a censorship mechanism to ensure that dissemination of the terrorist or extremist content is halted immediately, and that relevant information is deleted.  Critically, this provision applies to information held outside of China as well.

As a result, the Anti-Terrorism Law provides significant, broad and flexible rights for Chinese authorities that present data security and privacy concerns in China, and can effectively require Technology Companies to disclose sensitive information to prevent terrorism, including any activity that is deemed to undermine public security or menace the state or any international organization with any purpose.  Furthermore, because the terms “telecommunications operators” and “internet service providers” are not defined under the Anti-Terrorism Law, these terms may be widely interpreted by the Chinese authorities to cover all companies or individuals providing or connected with internet and telecommunications services in China.  Entities that could be considered a Technology Company operating in China should review their network security and encryption systems to prepare for and consider how they might respond to requests by the Chinese authorities under the Anti-Terrorism Law.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

Jillian Lee

jlee@sidley.com

You might also like
Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.