Understanding China’s Cybersecurity Law: flawed by design

In late 2016, China passed the Cybersecurity Law (CSL), which officially came into effect on June 1 of this year, over the objections and concerns of experts around the world. The law aims to protect cybersecurity — a term the Chinese government has left very broadly defined — but it gives the government significant authority with very few safeguards for citizens, including those necessary to protect human rights. That’s especially damaging given that China is already notorious globally for its over-broad exercise of state power, including through its determinations on the censorship and surveillance of its own people.

Some observers have compared this law to Europe’s General Data Protection Regulation (GDPR), an incredibly important data protection law that Access Now worked hard to see pass. In fact, the CSL is very different from the GDPR, not only in the issues it addresses but also its underlying values.

Below, we provide a brief overview of the law, including a discussion of how it compares to the GDPR and how the values that shaped the law led to its failure to protect human rights.

What the CSL covers

The law was passed by the Standing Committee of the National People’s Congress, effectively the second-highest legislative body in China below the National People’s Congress itself. It’s ambitious in scope and shows what issues the Chinese government believes are encompassed within cybersecurity policy. The legislation applies to network operators (defined broadly as “network owners, managers, and network service providers”) and critical information infrastructure (which is not clearly defined). It touches on a number of interrelated issues, including data breach response and notifications, as well as more tangential topics like cross-border data transfers, protection of personal information, digital identification, requirements for ISP content blocking and moderation, and more.

This is the first comprehensive Chinese law on cybersecurity, broadly defined as “necessary measures to prevent network attacks, intrusions, interferences, destructions and illegal use, and accidents, maintaining the network in a state of stable and reliable operations, as well as safeguarding the completeness, confidentiality, and availability of network data.” It aims to maintain the security of network operations (such as critical information infrastructure) and network information (such as personal data and online content), and applies to all construction, operation, maintenance, and usage of networks, together with cybersecurity supervision and management, that occur within the territory of mainland China.

Even though CSL is a new law, it is more like a compilation and confirmation of requirements and provisions that already exist in China. For example, the concept of “cyberspace sovereignty,” on which the CSL is built, existed in Chinese law and policy as early as 2010 — it was a key aspect of China’s 2015 National Security Law. The CSL also requires network operators to ask internet users to provide their real names in order to get service. That’s a policy China previously adopted in 2009, when the government ordered news websites to require that users log in with their true identities before they could post comments on these sites. Many other provisions, like the requirement that network operators collect data and that the private sector block content, were a part of the 2012 National People’s Congress Standing Committee Decision on Strengthening Network Information Protection.

CSL: it’s no GDPR

In Europe, data protection is considered a human right. Under this rubric, the GDPR provides for a broad spectrum of users’ rights with regard to their data and sets out obligations for companies to respect those rights. The GDPR was passed in 2016 and it’s now in the implementation phase until 2018, when it will become applicable.

Like the GDPR, the CSL addresses protection of personal information. But that doesn’t mean the CSL is GDPR-like. The most obvious difference is that the CSL includes protection of personal information within a cybersecurity frame, whereas the EU splits data protection and cybersecurity between the GDPR and the Network and Information Security Directive (“NIS”) respectively. Accordingly, the CSL focuses on national interests, while the GDPR’s focus is on the individual. The CSL aims to secure infrastructure and by extension the data that passes through the infrastructure; the GDPR, meanwhile, is user-centric and seeks to protect human rights.

There may be surface similarities between the CSL and the GDPR on data protection, but in practice the differences between them are substantial. Both broadly define “personal information/data,” provide for “consent” requirements for data collection and usage, entitle individuals to the rights of rectification and erasure, and limit outbound data transfer. However, the CSL’s protections for individuals are extremely limited. For example, while both the CSL and the GDPR provide for consent requirements, consent means different things in each. The GDPR defines consent as opt-in, which needs to be “freely given, informed and unambiguous … by a statement or by a clear affirmative action.” In contrast, the CSL does not provide the same level of detail and may allow opt-out consent.

Another big difference between the two is scope. While the GDPR regulates government agencies (public authorities) that collect and process personal data in more or less the same manner as business entities, that is not the case with the CSL, which applies exclusively to network operators. The failure to apply these provisions more broadly actually increases the government’s authority rather than limiting it.

While the CSL has little in common with the GDPR, at least as it is applied, a comparison to the EU’s NIS is more apt. We have previously explained how cybersecurity and personal data protection can diverge and complement each other. Both the CSL and the NIS impose heightened requirements for protecting certain essential or critical infrastructure and services. As we have discussed, the NIS specifically requires that companies, in complying with its provisions, also comply with EU data protection rules. Unfortunately, without a standalone data protection law, the CSL cannot provide the equivalent protections for personal information.

Cybersecurity legislation flawed by design

While we applaud China for taking action to protect personal information in the law, it is obvious that the protections under the CSL are not adequate, especially when compared to the GDPR. That failure is due in part to how the law is designed: it does not put users at the center of cybersecurity policy. As we explain above, there are natural internal tensions between cybersecurity and personal data protection, but this law is structured to put the human rights of the people it’s supposed to protect at risk. It favors state power and the stability of the regime over other considerations, including the impact of the law on people’s fundamental rights to privacy and free expression.

Stay tuned for our next post, when we will dig more deeply into how the law fails to protect human rights, and what it means for the future of the global internet as a vehicle for enjoying those rights.