On 1 June, the Cybersecurity Law of the PRC enters into force in China. It was adopted in October 2016 by the Standing Committee of the National People's Congress (NPC Standing Committee). The act appeared three decades after Qian Tianbai, a professor at one of Beijing's universities, first used the Internet to correspond with foreign colleagues.
The law, consisting of six chapters and supplementary provisions, affects the rights and interests of more than 700 million users of the Chinese segment of the Internet (the so-called Chinanet) and specifies the obligations of providers of electronic services. It sets out general principles and measures for supporting and developing network security, including monitoring, prevention and emergency response. It also mentions liability for violations of the law's requirements.
“This law is designed to ensure network security, protect the sovereignty of cyberspace and national security, uphold social and public interests, protect the legitimate rights and interests of citizens, legal persons and other organizations, and promote the healthy development of the informatization of the economy and society,” the first article of the document emphasizes.
The vast majority of Internet users in China are unlikely to feel the consequences of the law's entry into force directly: it brings together rules and regulations for the Internet that already exist in the country. However, the cybersecurity law creates a legislative framework for these and subsequent acts and regulations. Despite its apparent incompleteness and occasional vagueness, the law will provide a platform for government regulation of information technology (IT), embedding it in the overall structure of modern Chinese society.
Although the new rules are intended to regulate cybersecurity in China and stem from purely Chinese realities and the requirements of national legislation, they are of interest to other countries that face the threat of cyber-terrorism, have become targets of cyber attacks, and have issues in their relationships with foreign equipment manufacturers and Internet service providers.
Standardization and control: the basics of Internet security in China
The cybersecurity law “applies to the creation, operation, maintenance and use of the Internet, and the use of (social) networking”, says the document, emphasizing the importance of standardization and control, with the government in the dominant role.
“The state creates and improves the system of standards for network security. The standardization departments and other departments under the State Council of the PRC, in accordance with their responsibilities, organize, formulate and revise national and industry standards for network security management, network products and services, and security norms,” it says. The creators of the law, knowing that even the world's largest executive apparatus cannot afford full control over the Internet population (in China it exceeds 700 million users), partially delegate the implementation of network security systems to network operators, which, in turn, “must comply with the requirements of the security-level protection system and other requirements, fulfil network security obligations, ensure that the network runs without interference, and prevent destructive or unauthorized access, data leakage, identity theft and fraud.”
Operators should establish an internal safety management system and take preventive measures against computer viruses and network attacks. They are instructed to monitor and record network status, take technical measures to resolve network security issues, and store records for at least six months from the date of their creation. Initial classification of data, encryption, and backing up important information are also among operators' duties.
Providers of network products and services must not install “malware”. Upon detecting “weaknesses, loopholes and other risks” in network products and services, they must “take immediate action to remedy the situation and inform users and the relevant competent authorities in a timely manner.”
Standardization requirements and controls apply to hardware and software, including foreign ones. “Before being sold, critical network equipment and network security products must be checked for compliance with national standards and mandatory requirements, be certified by institutions or pass safety tests,” the law states. These functions are assigned to “departments involved in the field of the Internet, and the State Council of the PRC”, which “draw up and publish a list of key Internet equipment and products in the field of Internet security, ensure the promotion of safety certificates and testing, and prevent the possibility of duplication of these documents.”
The main thing is protecting the public interest; anonymity, no!
The law treats the privacy of information on the Internet in general terms; the collection of personal information is allowed under “relevant laws and regulations”. “Providers of network products and services with the function of collecting user data must obtain permission from the user to collect information; the collection of personal information must comply with the relevant laws and regulations on personal information,” reads the document. Operators “must not disclose, distort or damage the personal information they collect”.
“No individuals or organizations have the right to appropriate personal information or use other illegal methods to obtain it”. However, the law eliminates user anonymity: “when accessing the Internet, registering with a social network, connecting a landline or mobile phone, or being provided with services for publishing or transmitting information, upon signing the agreement (for services) the customer must provide authentic identification. If it is not provided, the service provider has no right to serve the customer”. At the same time, “the government adopts a strategy for developing technology and creating reliable means of identification and their reciprocal recognition.”
Individuals and organizations are not allowed “to illegally penetrate other persons' networks, disrupt their normal operation, steal data or conduct other activities that pose a threat to network security.” Providers themselves must also play an important role in this.
The Chinese state, according to the cybersecurity law, “attaches special importance to protecting public communications and information services, energy, transportation, water, finance, social services and e-government, and other sectors where system failure or data theft could undermine national security, the economy and the interests of society, as well as key information infrastructure”.
The law lists a number of agencies responsible for information security in various areas. “The state provides a system of cybersecurity monitoring, early warning and alerting. Departments should coordinate the work of government institutions with the aim of strengthening Internet security, collecting and analyzing information, and issuing notifications in accordance with the regulations”. They are also charged with developing emergency response plans and holding regular exercises.
A separate article is devoted to actions in the event of major network threats. Punishments are prescribed (mainly fines of up to 100 thousand yuan, which is 823 thousand rubles) for violations of the law's requirements by agencies, organizations and individuals, in cases where their actions do not entail criminal liability.
Reaction to the law in China
Chinese experts highly appreciate the cybersecurity law, pointing in particular to the strengthened protection of personal information. “Currently, the protection of personal information is an important aspect. With the development of cloud technology, growing data volumes, and growth in the number of requests for personal information from businesses and organizations, the number of cases of personal information being used, disclosed and transferred abroad has increased. Although Chinese agencies had developed regulatory measures before the law entered into force, they were not systematic and could be improved. The new law significantly makes up for these shortcomings,” said Zuo Xiaodong, deputy head of the China Institute of Information Security.
“There are quite a lot of factors behind leaks of personal data. Among them are vulnerabilities of sites on the Internet, hackers or fake pages, fraudulent sale of data by sellers, etc. Every year in the Chinese segment of the Internet, approximately 5.53 bn accounts leak through vulnerabilities in web pages. Most of them are personal information,” recalled Pei Zhiyong, an expert at Qihoo 360, one of the leaders in the Chinese anti-virus software market.
“The new law makes it possible to deal more effectively with illegal data collection, including the distribution of mobile applications with malicious code disguised as normal programs,” says If I, a representative of the Chinese Association of Internet.
“This article is of great importance for combating cyber crime and for national security,” stresses Zuo Xiaodong. “Providing real names is more efficient than the previously used identification of users by phone number. The real name is revealed only in the event of an investigation; in normal mode, the user goes on the Internet under a pseudonym.”
An important part of the law, experts believe, is the tighter controls and security requirements, which, in their opinion, are of interest to large companies. A group of Internet companies with a dominant position in the national segment of the Internet has emerged in China: Alibaba, Baidu, Shanda Group, NetEase, Tencent, Sina, Tom, Sohu, and 360. In the event of cyber attacks on these companies, or of control being established over their infrastructure, the view in China is that there is a risk of someone gaining, through their resources, control over the Chinese segment of the Internet and the financial flows passing through Chinanet.
“If the work of Chinese Internet companies or businesses is disrupted or paralyzed, it is fraught with serious losses. The current stage of Internet development has required the creation of a number of requirements, so as to prevent ‘wild development’, as there was before,” says If I, the representative of the Chinese Association of Internet.
“Alibaba, Baidu, Tencent and other companies that have hundreds of millions of users should bear the corresponding obligations. Internet companies should have the appropriate technological capabilities and services on their information platforms to combat hackers and prevent the loss of users. Legal mechanisms are also necessary to deprive large companies of the opportunity to impose conditions in user agreements,” I believes.
Experts note the importance of the 37th article of the law, which prescribes that “data collected in China is to be stored only within China”. According to some Chinese experts, the law needs to be supplemented. “The system of real names on the Internet is not yet fully operational, because the creation of ID technology has not yet been fully completed,” said Zhu Wei. The question of the responsibility of Internet sites has not been resolved, and there are no standards for the various sectors of the economy. As for user agreements on the collection of information, a number of regulations are still lacking, including on intellectual property rights to the information. Many companies do not keep a detailed record of the information exchange process, which complicates the search for the source of information in an emergency.
Liu Dalang, a professor at the law faculty of Beijing Normal University, believes that “it is necessary to resolve the question of the law's relationship with legal instruments already adopted”, for example on liability for civil violations, the protection of personal information, rules on market access for hardware and software, etc. Coordinating these aspects is important to avoid problems during the implementation of the law, said the expert.
Criticism from the outside
Foreign critics of the law argue that its entry into force could lead to the closure of foreign technology companies operating in various sectors of China's economy. Some foreign companies do not agree to storing data on servers in China.
“The provisions are vague, ambiguous and could be interpreted broadly by regulatory authorities,” the American Chamber of Commerce in China noted.
The international human rights organization Human Rights Watch believes that the law will restrict freedom in cyberspace. “Despite the concerns of international corporations and human rights organizations and their repeated statements, the Chinese government did not make significant changes to the bill,” complained Sophie Richardson, the director of Human Rights Watch in China.
A letter that the EU Chamber of Commerce in China had earlier sent to the Cyberspace Administration of China said that the new law “will lead to greater uncertainties and risks”. The authors recommended “delaying the law's entry into force to ensure sufficient discussion.” However, other experts believed that China would not be able to secure full enforcement of the new rules. “It’s not likely that the law will be fully respected from 1 June,” said Jared Ragland, senior policy director for the Asia-Pacific region at BSA The Software Alliance. For full compliance with the law, in his opinion, there is a “lack of regulatory clarity”.
“It is clear that the law will come into force on 1 June, but I don’t think it will be strictly followed. The law will affect many international companies and Chinese organizations that transfer data across borders as part of their main activities,” wrote Barbara Lee, an expert at the law firm Norton Rose Fulbright.
Andrei Kirillov, Alexey Selischev