China’s parliament recently passed an antiterrorism law that excludes the most controversial language originally proposed by lawmakers but still raises concerns for companies that do business in China.
The original draft law was circulated in early 2015 and required both domestic and foreign companies to create “backdoors” in their systems to allow Chinese authorities access for surveillance purposes by providing them with encryption codes (the passcodes that help protect data). The draft also required companies to store data on Chinese citizens in data centers located within China. These measures drew criticism from the US government, companies that do business in China, and advocacy groups for potentially jeopardizing businesses’ proprietary commercial information and intellectual property.
Before China’s parliament passed the final version of the law during the last week of December 2015, Chinese authorities defended the law, stating that it was necessary to help the Chinese government prevent terrorist attacks and protect its citizens. Further, Chinese foreign ministry spokesman Hong Lei asserted that Chinese lawmakers modeled the law after US and European legislation.
The law, which took effect on January 1, 2016, removed the requirements regarding both “backdoor” access through mandatory provision of encryption codes and local data storage, but the language still raises some questions about its potential effect on companies that operate in China. Under the final wording of Article 18, telecommunications and Internet service providers are required to provide technical interfaces and technical support and assistance in terms of decryption and other counterterrorism efforts to Chinese security agencies as part of terrorism prevention and/or investigations. Under Article 19, these companies are also required to implement content screening systems to prevent the dissemination of terrorist content.
Although Chinese officials have asserted that the new law will not affect companies’ normal business in China nor infringe on their intellectual property rights, it is unclear how China will enforce these requirements and what the scope of the law’s impact will be. Companies, especially those whose products feature encryption keys, should be aware of the law’s potential impact and carefully consider how it may affect their businesses in China.