Assessing China CSL
3 authors, including:
Guosong Shao
Shanghai Jiao Tong University
All content following this page was uploaded by Guosong Shao on 19 September 2023.
Article info

Article history:

Keywords: Cybersecurity Law; Cyberspace sovereignty; National security; Personal information; Critical information infrastructure; Free flow of data; Freedom of speech

Abstract

In November 2016, China passed its first Cybersecurity Law, aiming to strengthen cyberspace governance through a number of initiatives, including Internet operator security protection, personal information protection, special protection of critical information infrastructure, local storage of data, and security evaluation for data export. This Article discusses the major concepts and principles of the Cybersecurity Law. It also discusses the tensions and controversies inherent in the law. All in all, the Cybersecurity Law exhibits distinctive Chinese characteristics. It is premised on the concept of cyberspace sovereignty and emphasizes security over free flow of data and freedom of speech. It provides a basic legal framework for cyberspace governance in China, to be supplemented by implementing regulations in years to come.

© 2018 Aimin Qi, Guosong Shao, Wentong Zheng. Published by Elsevier Ltd. All rights reserved.
Cybersecurity is becoming an increasingly significant issue confronting governments and businesses alike around the world. Over the last several years, a series of high-profile cybersecurity incidents helped push the issue to the forefront of public attention. During the 2016 U.S. presidential campaigns, hackers breached the computer systems of the Democratic National Committee and leaked thousands of DNC documents on Wikileaks.1 In 2017, hundreds of thousands of computers worldwide were attacked by the WannaCry ransomware worm, resulting in billions of dollars in damages.2 In the same year, Equifax, one of three major credit reporting agencies in the United States, suffered a cybersecurity breach in which highly sensitive personal and financial information for around 143 million U.S. consumers was compromised.3 In 2018, semiconductor giant Intel revealed that its chips contain a feature that makes them vulnerable to hacking.4 Most

∗ Corresponding author: Guosong, Shao, School of Media & Communication, Shanghai Jiao Tong University, 800 Dongchuan Road, Shanghai 200240, China.
E-mail address: [email protected] (G. Shao).
1 See Tom Hamburger & Karen Tumulty, Wikileaks Releases Thousands of Documents About Clinton and Internal Deliberations, The Washington Post (Jul. 22, 2016), https://www.washingtonpost.com/news/post-politics/wp/2016/07/22/on-eve-of-democratic-convention-wikileaks-releases-thousands-of-documents-about-clinton-the-campaign-and-internal-deliberations/?utm_term=.5ad08eddb51b.
2 See Jonathan Crowe, WannaCry Ransomware Statistics: The Numbers Behind the Outbreak, Barkly.com (May 2017), https://blog.barkly.com/wannacry-ransomware-statistics-2017.
3 See Gillian B. White, A Cybersecurity Breach at Equifax Left Pretty Much Everyone’s Financial Data Vulnerable, The Atlantic (Sept. 7, 2017), https://www.theatlantic.com/business/archive/2017/09/equifax-cybersecurity-breach/539178/.
4 See Ian Jing Cao, Intel Says Broad Range of Chips are Vulnerable to Hack, Downplays Impact, Bloomberg (Jan. 3, 2018), http://www.latimes.com/business/la-fi-intel-chip-flaw-20180103-story.html.

https://doi.org/10.1016/j.clsr.2018.08.007
0267-3649/© 2018 Aimin Qi, Guosong Shao, Wentong Zheng. Published by Elsevier Ltd. All rights reserved.
computer law & security review 34 (2018) 1342–1354 1343
recently, in March 2018, it was revealed that a data analytics firm harvested personal information of 50 million Facebook users and used the information to help Donald Trump’s presidential campaign.5

Governments around the world have responded to cybersecurity concerns by tightening cybersecurity laws and regulations. More than ninety countries have enacted special laws to safeguard cybersecurity. Among the major cybersecurity laws are the U.S. Cybersecurity Information Sharing Act (CISA) (2015), the European Union Directive on Security of Network and Information Systems (NIS Directive) (2016) and the Cybersecurity Basic Act of Japan (2014).

China is a latecomer on the global cybersecurity scene. Over the past two decades, the rapid growth of the Internet has brought about fundamental changes to the everyday lives of the Chinese people. However, the Internet also poses enormous problems for the Chinese society, including perceived threats to its political, economic, military, and social security as well as the legal rights and interests of citizens.6 Prior to 2017, China enacted several laws and regulations in response to these problems.7 However, because of their inherent ambiguity and fragmented jurisdictions, these laws and regulations are insufficient in dealing with the increasing challenges facing cyberspace. In November 2016, China’s efforts to strengthen cybersecurity culminated in the enactment of the Cybersecurity Law of the People’s Republic of China.8

The Cybersecurity Law is the main building block of China’s emerging cyberspace strategies.9 In drafting the Cybersecurity Law, China partially borrowed the legislative experience of the United States, the United Kingdom, and other countries while maintaining distinctive Chinese characteristics. Many of the principles embodied in the law, however, reflect tensions between conflicting goals. Some of the principles are downright controversial, prompting concerns in the international business communities. As an indication of such concerns, more than forty international companies published open letters opposing the law during the law’s drafting stage.10

This Article provides an in-depth evaluation of China’s approach to cybersecurity as embodied in the Cybersecurity Law. The Article proceeds as follows. Part I introduces the legislative background, purpose, and framework of the law. Part II elaborates on major principles of the law. Part III discusses the tensions and controversies which the law is faced with. Part IV concludes the paper.

1. Overview

1.1. Legislative background

China built its first connection to the Internet in 1994 and has since become one of the largest Internet markets in the world.11 As of 2014, China’s proportion of the Internet economy to GDP surpassed that of the United States.12 Today, China has the most Internet users in the world—710 million, compared to 460 million in India and 290 million in the United States.13

While enjoying the convenience of search engines, e-commerce, social networks, big data, and cloud computing, Internet users are also exposed to various cyber threats such as hacker attacks, surveillance, and leakage of personal information. China is one of the countries that suffer the most serious threats from the Internet. According to National Internet Emergency Center (CNCERT), there were 126,916 cybersecurity incidents within and beyond the borders of China in 2015, with year-on-year growth of 125.9 percent.14 The majority of these threats come from inside China, with a total number of 126,424 cases and year-on-year growth of 128.6 percent.15 Some of these incidents have caused significant social impact. For example, in 2013, the personal information of over one million customers of YTO Express, a major courier firm in China, was leaked and sold.16 In 2014, China’s leading

5 See Carole Cadwalladr & Emma Graham-Harrison, Revealed: 50 Million Facebook Profiles Harvested for Cambridge Analytica in Major Data Breach, The Guardian (Mar. 17, 2018), https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election.
6 See [Press Office of the State Council], [White Paper on Internet in China], Feb. 26, 2014, http://www.cac.gov.cn/2014-02/26/c_126192365.htm.
7 These laws and regulations include The NPC Standing Committee Decision on Maintaining Network Security (2000), Regulations on Computer Information System Security Protection (revised in 2011), The Decision on strengthening Network Information Security by the NPC Standing Committee (2012), Regulations Regarding Telecom and Internet Users’ Personal Information Protection by the Ministry of Industry and Information Technology (2013), The National Security Law of the P.R.C. (2015), and The Anti-Terrorism Law of China (2015).
8 See [The Cybersecurity Law of the People’s Republic of China], http://www.npc.gov.cn/npc/xinwen/2016-11/07/content_2001605.htm [hereinafter Cybersecurity Law].
9 See [National Cyberspace Security Strategies], http://www.xinhuanet.com/politics/2016-12/27/c_1120196479.htm; [International Cyberspace Cooperation Strategies], http://www.xinhuanet.com/politics/2017-03/01/c_1120552767.htm.
10 See 40 [Forty Companies and Organizations Oppose China’s Cybersecurity Law], [United Morning Post] (Nov. 12, 2016), http://www.zaobao.com/realtime/china/story20161112-689426.
11 See Jaime A. Flor Cruz & Lucrezia Seu, From Snail Mail to 4G, China Celebrates 20 Years of Internet Connectivity, CNN (Apr. 23, 2014), https://www.cnn.com/2014/04/23/world/asia/china-internet-20th-anniversary/index.html.
12 : GDP [McKenzie: China Surpasses the U.S. in Internet-to-GDP Ratio], [Sina Finance] (Jul. 25, 2014), http://tech.sina.com.cn/i/2014-07-25/10509516789.shtml.
13 Russell Flannery, What Makes China’s Internet Growth So Fast and Volatile? Forbes (Oct. 10, 2017), https://www.forbes.com/sites/russellflannery/2017/10/10/what-makes-chinas-internet-growth-so-fast-and-volatile/#5d3db66e4852.
14 : 2015 12 [National Internet Emergency Center: Cybersecurity Incidents Totaling Over 120,000 in 2015], [Sina Finance] (May 25, 2016), http://finance.sina.com.cn/roll/2016-05-25/doc-ifxsqtya6047103.shtml.
15 Id.
16 [Personal Information of 1 Million YTO Express Customers Leaked], [Morning News] (Oct. 23, 2013), http://news.ifeng.com/mainland/detail_2013_10/23/30573231_0.shtml.
online travel booking agency, Ctrip.com, disclosed that it found and fixed a security loophole that made users’ credit card information vulnerable to hacking.17

The burst of these alarming cybersecurity incidents has not only awakened people’s awareness of cybersecurity, but also strengthened the Chinese government’s determination to improve cyberspace governance. From the perspective of the Chinese government, a comprehensive law dealing with cyber threats is necessary to ensure cybersecurity. In particular, since Xi Jinping became President, he has emphasized the importance of promoting cybersecurity laws on several important occasions, including the World Internet Conference and the meetings of the Central Leading Group for Cyberspace Affairs.

Meanwhile, Chinese scholars have laid the groundwork for a comprehensive cybersecurity law. Over the years, Chinese scholars have explored the definition and implications of cyberspace sovereignty,18 and have introduced the concept of state territorial network sovereignty.19 They have also explored issues concerning personal information protection, cross-border data transfer and critical information infrastructure protection.20 These research efforts offer a solid theoretical foundation for the Cybersecurity Law.

1.2. Legislative purposes

Article 1 of the Cybersecurity Law states that the purposes of the law are “to ensure cybersecurity, to safeguard cyberspace sovereignty, national security, and social and public interests, to protect the lawful rights and interests of citizens, legal persons, and other organizations, and to promote the healthy development of the informatization of the economy and society.”21 The Cybersecurity Law embodies the national security principle promulgated in China’s National Security Law and considers cyberspace sovereignty as its highest priority. The law accomplishes this goal through its emphasis on protecting the security of network operations, the security of critical information infrastructure, and the security of online information. In the meantime, the Chinese government actively participates in international cyber cooperation to promote the development of the Internet economy while maintaining national cyberspace sovereignty. These legislative purposes reflect a multi-dimensional perspective on cybersecurity that encompasses both security and development interests.

The establishment of the legislative purposes of the Cybersecurity Law was not without controversies. During the law’s drafting period, forty-six international organizations from the United States, Europe, Asia, and Oceanic regions signed a letter opposing the draft law and insisted on revising the draft law in accordance with international trade regulations on the assumption that the law would raise trade barriers. Nevertheless, upon consultations with experts, the Chinese government formally passed the law in November 2016. The overseas groups then asked for suspension of the newly enacted law. In spite of these controversies, the Chinese authority insisted on implementing the law and declared that the government would supplement the law with corresponding regulations and standards in time.

1.3. Legislative framework

The Cybersecurity Law guides government agencies, commercial organizations and citizens on how to access the Internet. It is a manifestation of the government’s will on cyberspace governance. In terms of its content, the Cybersecurity Law has seven chapters and seventy-nine articles, and its framework follows the traditional legislative model: general provisions followed by specific provisions. The general provisions of the Cybersecurity Law stipulate the purpose and scope of the legislation, the national policy on cybersecurity protection, the enforcement authorities, the basic principles of the legislation, and special protections for juvenile Internet users. The specific provisions contain provisions in six areas, including cybersecurity, network operations security, network information security, monitoring and emergency responses, legal liabilities, and supplementary provisions.

It is worth noting that the Cybersecurity Law only provides a general legal framework for dealing with cybersecurity concerns. Its basic function is to build China’s cybersecurity legal system, not to solve any specific cybersecurity issues. This inevitably leads to ambiguous and incomplete legal rules. Complementary rules and regulations will be necessary to deal with specific cybersecurity issues. A number of regulations are expected to be promulgated and implemented, including the Critical Information Infrastructure Protection Regulations, Measures on the Security Assessment of Cross-Border Transfer of Personal Information and Important Data, Catalog of Critical Network Equipment and Specialized Cybersecurity Products, and Information Security Technology Guidelines for Data Cross-Border Transfer Security Assessment. These regulations would operationalize the principal provisions of the law and greatly advance the law’s legislative goals.

2. Major principles

As China’s first basic Internet law governing cybersecurity, the Cybersecurity Law contains several major principles and innovations, such as cyberspace sovereignty, a hierarchical system for cybersecurity protection, a critical information infrastructure protection system, a security assessment system for cross-border data transfers, and a security review system for network products and services. The discussions below highlight these major principles of the law.

17 Zhang Ye, Ctrip Hit by Security Loophole, Global Times (Mar. 24, 2014), http://www.globaltimes.cn/content/850298.shtml.
18 See, e.g., Zhang Xinbao & Xu Ke, [The Governance Model of Cyber Sovereignty and Its Institutional Implementation], [China Social Sciences], 2016(8), 139-158.
19 See, e.g., Hu Li & Qi Aimin, “ ” [The Emergence of Cyberspace Territories and the Construction of State Territorial Network Sovereignty], [Law Forum], 2016(2), 59-66.
20 See, e.g., Qi Aimin, [Research on Personal Information Protection Laws], [Hebei Legal Science], 2008(4), 15-33; Liu Jinrui, [The Basic Approach and Institutional Implementation of the Chinese Legislation on Network Critical Infrastructure Protection], [Global Law Commentaries], 2016(5), 116-133.
21 Cybersecurity Law, supra note 8, art. 1.
2.1. Cyberspace sovereignty

Article 1 of the Cybersecurity Law stipulates that the law’s purpose is to protect cyberspace sovereignty. The principle has been proposed for many years in the country. In a white paper released by the Chinese government in early June of 2010, the government states that the Internet is a critical infrastructure of a country, the network within the Chinese territory ought to be under China’s jurisdiction, and China’s Internet sovereignty should be respected and protected.22 Afterwards, the sixth United Nations General Assembly issued Document A/68/98 on June 24th, 2013, which passed a resolution drafted by a group of government experts concerning the development of the information and telecommunications industries. Article 20 of Document A/68/98 stipulates that national sovereignty and international norms and principles derived from national sovereignty shall apply to information and communication technology activities at the national level, as well as to jurisdiction over information and communications technology infrastructure within the country’s territory. According to Fang Binxing, a member of the Chinese Academy of Engineering, this document actually establishes the cyberspace sovereignty of a country.23

Furthermore, President Xi Jinping delivered an opening speech to the First World Internet Conference in November 2014, stating that China is willing to work with other countries and regions in the world to improve international cooperation, respect Internet sovereignty, and maintain cybersecurity. This was the first time the Chinese government proposed a concept of cyberspace sovereignty. After that, China released a new National Security Law in July 2015, which in Article 25 clearly defined the concept of cyberspace sovereignty and spelled out the goal of building a network and information security system. This finally made cyberspace sovereignty an important component of national sovereignty, protected by China’s legal system.24 In November 2016, the promulgation of the Cybersecurity Law formally established the principle of cyberspace sovereignty, which was supplemented partially by rules on localization of data storage and cross-border data transfers. Besides, with the promulgation of China’s Cyberspace Security Strategy in December 2016 and the International Cyberspace Cooperation Strategy in March 2017, the principle of cyberspace sovereignty was officially enshrined in the national cyberspace strategies and became a cornerstone of China’s cyberspace policies.

As a natural extension of national sovereignty on the Internet, cyberspace sovereignty requires compliance with the main national sovereignty principles, such as the equality of nations, peaceful settlement of disputes, and respect of other nations’ internal affairs. Specifically speaking, cyberspace sovereignty encompasses the following four rights: the right of jurisdiction, the right of self-defense, the right of independence, and the right of equality.

The right of jurisdiction refers to a nation’s right to manage the networks within its territory. Article 2 of the Cybersecurity Law provides that “this law applies to the construction, operation, maintenance, and usage of networks, as well as cybersecurity supervision and management within the mainland territory of the People’s Republic of China.”25 This provision ensures territorial jurisdiction over network-related matters in China, whether they are civil, criminal, or administrative in nature. According to this provision, individuals whose activities are related to the Internet within the Chinese territory (including Internet service providers, network operators, Internet users, and regulators, etc.), materials (including network infrastructure), network information (including personal information and important data), as well as cyber activities themselves (such as unlawful and criminal cyber activities targeting information systems) are all subject to this jurisdiction. Consequently, as long as the cyber activities occur within the territory of mainland China, no matter what identities or nationalities the actors have, they are all subject to the law.

The right of self-defense refers to a sovereign state’s right to defend against cyber-attacks and threats from the outside. Article 5 of the Cybersecurity Law stipulates that “the State takes action to monitor, prevent, and dispose of cybersecurity risks and threats arising both within and without the mainland territory of China. The State protects critical information infrastructure against attacks, intrusions, interference, and destruction. The State punishes unlawful and criminal cyber activities in accordance with the law, preserving the security and order of cyberspace.” This provision affirms China’s right of defense in cyberspace and allows the Chinese government to monitor, defend against and punish foreign cyber-attacks and threats. Furthermore, Article 75 provides that for those who conduct attacks, intrusions, interference, destructions or other activities for the purpose of endangering the critical information infrastructure of the People’s Republic of China, whether they are organizations or individuals, if they have caused serious consequences, the Chinese government shall take measures in accordance with the law to either freeze their assets or to take other necessary punitive measures. In other words, Article 75 implements the right of self-defense specified in Article 5, and provides the legal basis for penalizing overseas cyber-attacks and surveillance.

The right of independence refers to the right of operating a nation’s networks independently, without being subordinate to the power of other countries. So far, there are only thirteen DNS Root Name Servers in the world, and the United States owns ten of them. Theoretically speaking, if the United States blocked a certain country’s domain name on the root server, the country’s top domain name websites would instantly disappear on the internet. In this sense, the United States has a global monopoly on the Internet, and the rest of the world cannot achieve complete independence in the cyberspace. It is thus argued that cyberspace sovereignty should represent an independent form of a country’s sovereignty. A country is

22 Press Office of the State Council, supra note 6.
23 Zhi Zhenfeng, [Cyberspace Sovereignty Has Roots in Modern Legal Jurisprudence], [Guangming Daily], Dec. 17, 2015.
24 See [The National Security Law of the People’s Republic of China] art. 25, http://www.npc.gov.cn/npc/xinwen/2015-07/07/content_1941161.htm.
25 Cybersecurity Law, supra note 8, art. 2. Note that the Cybersecurity Law applies only in mainland China, not in Hong Kong, Macau, and Taiwan.
within its rights to manage issues concerning cybersecurity, to formulate relevant laws and regulations, to protect its information systems and information resources against outside threats, interference, attacks or damages, as well as to protect the lawful rights and interests of citizens in cyberspace. In sum, countries should respect one another’s cyberspace sovereignty and should not interfere with other countries’ internal affairs.

The right of equality requires countries to access and connect to one another’s Internet on an equal basis. The right of equality ensures that different countries have equal jurisdiction over their own network systems, and that the management of one country’s network does not harm another country’s networks. However, because of the borderless and interdependent nature of the Internet, the Internet policies initiated by the United States may benefit its own interests at the expense of developing countries. This gives the United States much more power in comparison with other countries in global Internet governance. In view of this situation, Article 7 of the Cybersecurity Law proposes to promote a peaceful, secure, open, and cooperative cyberspace, and to establish a multilateral, democratic and transparent Internet governance system.26 China’s International Cyberspace Cooperation Strategies also provides that “countries, big or small, strong or weak, rich or poor, are all equal members of the international community and are all entitled to equal participation in developing international order and rules in cyberspace through international governance mechanisms and platforms, to ensure that the future development of cyberspace is in the hands of all peoples.”27 These provisions demonstrate the Chinese government’s advocacy for an equal and orderly cyberspace.

2.2. Network operators’ security obligation

According to the Cybersecurity Law, network operators are defined as network owners, managers or service providers.28 This definition represents an expansion of the scope of network operators. Specifically, the definition of network operators not only includes traditional telecom operators, but also covers all entities that can provide products and services through the Internet, such as entities providing information or website design services as well as individuals or organizations operating websites. Notably, Article 2 of the Cybersecurity Law specifies that all network operators, whether they be foreign-funded or domestically-funded, should all take responsibility for performing their legal obligations.29 Similarly, Article 10 stipulates that “the construction and operation of networks, or the provision of services through networks, shall be done in accordance with the provisions of laws and administrative regulations, and in accordance with the mandatory requirements of State standards. They should also adopt technical measures and other necessary measures to safeguard cybersecurity and operational stability, effectively respond to cybersecurity incidents, prevent cybercrimes and unlawful activity, and preserve the integrity, secrecy and usability of online data.”30 The Cybersecurity Law specifies the following obligations for network operators:

2.2.1. Hierarchical system for protecting cybersecurity

China implemented a hierarchical information security protection system before it promulgated the Cybersecurity Law. In 1994, the State Council promulgated the Rules on Protection of Computer Information Systems to provide for a hierarchical protection system. In 1999, the Ministry of Public Security issued the Guidance for Classifying Protection Levels for Computer Information Systems. The Guidance provides for five levels of security protection for computer information systems: user self-protection, system audit, security tagging, structured protection, and access verification protection. These five protection levels impose increasingly higher requirements in terms of access control, identity authentication, and data integrity. In 2007, the Ministry of Public Security, together with other relevant ministries, formulated the Measures on Hierarchical System for Information Security Protection, which stipulates that the protection level for a computer information system should depend on the importance of the information system to national security, economic development, and social life, and the adverse impact of the security breach on national security, social order, public interests, as well as lawful rights and interests of the citizens, legal persons, and other organizations. This provision classifies security protection of information systems into five levels, and requires operators and users of information systems to use products that conform to national standards, to formulate safety rules, and to conduct self-assessment and inspection of security risks.

The Cybersecurity Law legally confirms the hierarchical system for protecting cybersecurity, which requires network operators to act in accordance with the hierarchical system for cybersecurity protection. Specifically, operators have the following obligations under the hierarchical system: establishing internal security management systems and operational procedures, ascertaining the responsible entities who are in charge of network security, taking technical measures to prevent computer viruses, network attack, network intrusion, and other forms of behavior that endanger network security; taking technical measures to monitor and record all network operating activities and cybersecurity incidents, preserving relevant weblogs for not less than six months as required, and taking measures to categorize, duplicate, and encrypt important data.31 With the enactment of the Cybersecurity Law, the Chinese government is expected to promulgate implementing rules to strengthen the hierarchical protection system.

2.2.2. Security review of network products or services

To prevent cybersecurity incidents and improve the security of network products and services, the Cybersecurity Law sets out clear rules on network product or service providers’ security obligations. Article 22 of the law stipulates that network

26 Cybersecurity Law, supra note 8, art. 7.
27 International Cyberspace Cooperation Strategies, http://www.gocatti.com/archives/3639.
28 Cybersecurity Law, supra note 8, art. 76.
29 Id. art. 2.
30 Id. art. 10.
31 Cybersecurity Law, supra note 8, art. 21.
products and services shall comply with the relevant mandatory national standards. Network product or service providers shall not install malicious programs. Upon discovering that their products or services have security flaws or vulnerabilities, they shall immediately adopt remedial measures and promptly inform users and report to the competent authorities. They shall continuously provide security maintenance for their products and services, and shall not terminate security maintenance within the legally required period or the period agreed upon by the parties. These are minimum requirements that any network product or service provider has to meet. By comparison, in July 2017, Singapore released a draft Cyber Security Act that would establish a dual licensing scheme that imposes different qualification requirements for investigative cybersecurity service providers as opposed to non-investigative cybersecurity service providers.32 This latter approach would increase the entry barrier to the cybersecurity industry and improve the overall security level, and will prompt firms to hire specialized personnel to maintain network security. However, this approach might lead to the loss of market competitiveness, especially for small businesses, due to excessive network security maintenance costs.
In addition to the above general obligations, the Cybersecurity Law also imposes a testing and certification scheme for critical network equipment and cybersecurity products. Article 23 of the law provides that critical network equipment and cybersecurity products shall comply with the national standards and mandatory requirements, and be inspected and certified by a qualified institution, before being sold or provided. This requirement is different from the general requirement for network products and services in that it requires security inspection and certification. In response to allegations by foreign institutions that this requirement will increase business costs and trade barriers, the Chinese government plans to formulate a catalog of critical network equipment and cybersecurity products and to promote inter-accreditation of security inspection and certification results, so as to facilitate the review process. At present, the Chinese government has issued the first edition of the catalog of critical network equipment and cybersecurity products, which includes key equipment like routers, servers, anti-spam product safety database systems, and other special products.
The Cybersecurity Law also targets the security of network products and services purchased by critical information infrastructure operators. Article 35 of the law requires that network products or services purchased by critical information infrastructure operators that might impact national security shall undergo a national security review organized by the state cybersecurity authorities and relevant departments of the State Council. According to this Article, network operators or network products or services providers need to submit relevant contents to the Chinese government for review purposes, which might include software source code protected by intellectual property laws, encryption algorithms, design details, and trade secrets, etc. Many overseas network operators including Microsoft, Intel, and IBM are concerned that China will take advantage of this provision and force them to hand over core technologies and trade secrets. If these business secrets are obtained by competitors or criminals, it will cause them a huge loss.33 In light of this concern, one provision was added to the final version of the Cybersecurity Law, which prohibits information obtained by cybersecurity authorities from being used for purposes other than protection of cybersecurity.34 Strict legal liabilities will be imposed for violations of Article 30.35 This might alleviate foreign companies’ concerns to some extent. In addition to the national security review, Article 36 of the Cybersecurity Law also requires that when purchasing network products or services, critical information infrastructure operators shall sign a security and confidentiality agreement with the provider, clarifying duties and responsibilities for security and confidentiality. Due to the importance and complexity of network security review, the Chinese government has also promulgated Provisional Measures on Security Review for Network Products and Services to implement the security review provisions of the Cybersecurity Law.
32 See Cybersecurity Bill, July 2017, https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/draft_cybersecurity_bill_2017.ashx?la=en.
33 Georges Haour, Why China’s new cyber-security law is bad news for business? Fortune (Dec. 1, 2016) http://fortune.com/2016/12/01/china-cybersecurity-law-business/.
34 Cybersecurity Law, supra note 8, art. 30.
35 Id. art. 73.
2.2.3. Network real-name system
China started to enact a network real-name system more than ten years ago. In 2003, many local authorities supervising Internet cafes all over China required all Internet users to provide personal identity cards for real-name registration. In 2004, the Ministry of Education released Opinions on Further Strengthening the Management of Campus Networks in Higher Education, which clearly proposed the implementation of the real-name system on the networks of higher education institutions. By March 2005, led by Tsinghua University’s Shuimu Tsinghua BBS, a group of major universities began to shift to intra-school communication platforms based on a real-name system. Subsequently, China’s local governments like Hangzhou and Beijing also promulgated rules and regulations concerning the real-name system. In 2012, China released the Decision of the NPC Standing Committee on Strengthening the Protection of Online Information, which requires network service providers to obtain real identity information from their customers when they provide Internet access, landline or mobile phone services, and information dissemination services. In accordance with this provision, the State Internet Information Office promulgated the Internet User Account Name Management Regulations in 2015. Similarly, Article 7 of the Administrative Regulations on Mobile Internet Information Services, released in June 2016, also requires mobile Internet application providers to obtain customers’ real identity information. The Cybersecurity Law affirms the real-name principle. Article 24 of the Cybersecurity Law provides that network operators handling network access and domain registration services for users, operators handling stationary or mobile phone network access, and operators providing users with information publication or instant messaging services, shall require users to provide real identity information when signing agreements with
users or confirming provision of services. Where users do not provide real identity information, network operators must not provide them with relevant services.36 This was the first time that a real-name system was formally written into the law with the aim of stemming widespread illegal phenomena in cyberspace such as rumors, defamation, invasion of privacy, and telecommunications fraud. However, the real-name registration system may cause real damage to privacy. In December 2001, for instance, six million individuals’ usernames and passwords for the CSDN website were posted online. After that, the same situation happened to Renren, Douwan, 178.com, 7K7K smart games, and other well-known websites.37 It is argued that if users were not forced to register with their real identities on those websites, the information leaks would not cause real harm to users.
2.3. Protection of personal information
In the information age, data has become a basic social resource. The establishment and improvement of personal information protection laws and other relevant regulations have become an important task for all the nations in the era of big data. China started late in enacting personal information protection. According to incomplete statistics, there are more than 100 laws concerning personal information in China. Besides the Decision of the NPC Standing Committee on Strengthening the Protection of Online Information and the General Principles of Civil Law of the People’s Republic of China, other personal information protection provisions are scattered in criminal laws, administrative regulations, departmental regulations and judicial interpretations. These laws and regulations suffer from low efficiency, lack of coverage, overlapping jurisdiction, and failure to provide effective legal protection for personal information. The Cybersecurity Law provides legal protection for personal information specifically, and this is the first time that China has defined and protected personal information under the law besides the General Principles of Civil Law of the People’s Republic of China. The Cybersecurity Law has the following highlights:
2.3.1. The scope of personal information
Personal information is defined under the Cybersecurity Law as various information recorded in electronic or other means that can lead to the identification of a natural person, including but not limited to the natural person’s name, date of birth, identity card number, personal biometric information, address, telephone number and so on.38 This definition is largely in line with the current mainstream view of personal information in China.39 Article 4 of the European Union’s latest General Data Protection Regulations (GDPR) also adopted a similar concept of identification. According to this definition, personal information must be identifiable. It should be noted that even if a piece of information cannot identify a person on its own, it is still personal information if it can identify a natural person when combined with other information. With the improvement of identification technology and the continuous integration of data, information that previously could not identify individuals may become able to identify them, which makes the definition of personal information more dynamic and situational.40 Therefore, information that may be able to identify individuals should be assessed in light of specific application scenarios and technical conditions to determine whether it constitutes personal information. However, if a network operator has anonymized personal information so that a particular person cannot be identified, the information will no longer be considered personal information and may be offered to others without the permission of the relevant users.41 This provision thus provides a legal basis for enterprises to take advantage of and share data by means of anonymity.
2.3.2. The principles of personal information protection
Although China already has a large number of rules on the collection, processing and use of personal information, the Cybersecurity Law is the first one that confirms the principle of personal information protection in the form of law. Article 41 of the law provides that network operators should collect and use personal information in lawful manners, disclose how they collect and use personal information, and make clear the purpose, manner and scope of the collection and use of information. Network operators shall not collect personal information unrelated to the services provided by them, shall not collect and use personal information in violation of laws and administrative regulations and agreement of both parties, and shall deal with personal information in accordance with the provisions of laws and administrative regulations and the agreement with the users. This provision draws upon the relevant provisions of the European GDPR of 2016 as well as the U.S. Consumer Privacy Protection Act of 2015, and establishes the international principles for the collection, use and handling of personal information of network operators, i.e., the principles of openness, informed consent, clear purpose, and limitation of purpose.
36 Id. art. 24.
37 CSDN 600 [6 Million Customers’ Data Leaked at CSDN], [Netease Technology] (Dec. 23, 2011), http://tech.163.com/11/1223/02/7LU5RGHI000915BF.html.
38 Cybersecurity Law, supra note 8, art. 76.
39 See Qi Aimin, [Saving Personalities in the Information Age—General Comments on Personal Information Protection Laws] [Peking University Press] (2009).
40 Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information, 86 N.Y.U. Law Review 1814 (2014).
41 Cybersecurity Law, supra note 8, art. 42.
42 Qi Aimin, [The Origins of Information Law] [Wuhan University Press] (2010).
2.3.3. Providing institutional space for the development of the big data industry
According to the personal information protection law, legislators should promote the free flow and reasonable use of information while protecting the individual’s interests.42 Law should not become a stumbling block to the development of the big data industry, which is also the purpose of the 13th Five-year Plan of the National Economic and Social Development
of the PRC and the State Council Action Plan for the Promotion of Big-data Development. Article 42 of the Cybersecurity Law provides that network operators shall not disclose, tamper with, or destroy collected personal information, and shall not provide personal information to others without the agreement of the users. In addition, the Article establishes the principle of data security, requiring network operators to take technical and other necessary measures to ensure the safety of users’ personal information collected, and to prevent the disclosure, damage and loss of information. In case of personal information leakage, damage, and loss, immediate remedial measures should be taken to inform the users and report to the relevant authorities. This provision is consistent with the international community’s approach to network security incidents and is of great significance in effectively curbing personal information leakage in China. At the same time, this provision provides an exception where the information is unable to identify a particular person. This exception is arguably beneficial to the development of the big data industry.
2.3.4. Right to correct and delete
Article 43 of the Cybersecurity Law provides that if a person discovers that a network operator violates the laws, administrative regulations, or the parties’ agreement in collecting and using his personal information, he shall have the right to require the network operator to delete his personal information. If the network operator collects and stores his personal information incorrectly, he has the right to require the network operator to delete or correct it. This provision partially draws upon the right to correction under Article 16 and the right to be forgotten under Article 17 of the European GDPR. It is worth noting that the right to deletion was written into law for the first time. In the big data era, the right to deletion will help network users strengthen their control of personal information. However, the right to correction and deletion is only part of the personal information rights. In the future, China should speed up the enactment of a unified personal information protection law and add the right of inquiry, blockade and opposition, so as to build a better system of personal information rights.
2.3.5. Prohibition against sale of personal information
In both theory and practice, personal information is protected as personality rights, which require that personal information not be sold. China’s 2009 amendments to the Criminal Law expressly prohibit the sale of personal information, but their scope is limited to State organs or personnel of financial, telecommunications, transportation, education, medical and other institutions. This limitation does not effectively curb sales of personal information. For this reason, the 2015 amendments to the Criminal Law Amendment broaden the scope and apply it to any organizations or individuals, and also integrate it into the crime of infringing upon citizens’ personal information. With social concerns being aroused by the Xu Yuyu incident, the Supreme People’s Court of China and the Supreme People’s Procuratorate jointly released the Interpretation of Several Issues Concerning the Application of Law in Criminal Cases of Infringing Upon Citizen’s Personal Information in May 2017, and made detailed stipulations on the definition and sentencing of the crime of infringing upon citizens’ personal information. In this respect, Article 44 of the Cybersecurity Law stipulates that no individuals or organizations shall steal or illegally acquire personal information or sell or illegally provide personal information to third parties. This provision is a reaffirmation of the protection of personal information in the Criminal Law, and also provides the basis for claims of personal information infringement.
Unfortunately, the Cybersecurity Law has a weaker penalty for illegal acts. According to Article 64 of the law, network operators who violate the above-mentioned personal information protection requirements will be fined no more than 10 times the illegal income. In accordance with Article 83 of the European GDPR, if the operator violates the regulations concerning personal data protection, the Data Protection Agency will impose fines of 2% of the company’s global turnover capped at 10,000 EUR or 4% of the company’s global turnover capped at 20,000 EUR, depending on the nature of the offenses.43 The GDPR is called the most stringent data protection regulations in history. By comparison, China’s punishment is relatively weak. There are still doubts about whether personal information protection can meet the expectations. In addition, although Article 45 of the Cybersecurity Law provides that government authorities and their staff members must not disclose or sell personal, private, or business confidential information that is acquired in the course of carrying out their law enforcement duties, this provision does not specify the corresponding legal liability, which has to be supplemented by detailed implementing regulations in the future.
43 General Data Protection Regulation, Art. 83, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
2.4. Critical information infrastructure protection
Critical information infrastructure plays a key role in society, and attacks on or destruction of critical information infrastructure could be a lethal blow to a country’s political and social life. On July 11, 2017, China’s State Internet Information Office promulgated a draft Critical Information Infrastructure Safety Protection Regulations to solicit public views on combating breaches of critical information infrastructure in China by overseas organizations or individuals. Ensuring the safety of critical information infrastructure through legislation has become a social consensus. The EU Network and Information Systems Security Directive employs the concept of Operators of Essential Services, as distinguished from Digital Service Providers, and sets different obligations for them. Singapore’s draft Network Security Act also provides a definition of critical information infrastructure and specifies the authority charged with certifying critical information infrastructure. The Cybersecurity Law specifically provides for critical information infrastructure protection. The main provisions include:
2.4.1. Definition and scope of critical information infrastructures
Article 31 of the Cybersecurity Law states that information infrastructure in public communications, information services, energy, transportation, water conservancy, finance, public services, e-government and other critical industries and fields, or
other information infrastructure that is key to national security and public interests, receives priority protection under the law. In nature, critical information infrastructure is different from network operators and has more stringent requirements in terms of security, network products and services procurement, data storage, and data transfers. In China, the Office of the Central Leading Group for Cyberspace Affairs established the Guidance for National Network Safety Inspection Operation in June 2016. According to this guidance, critical information infrastructure refers to “operating information systems or industrial control systems that provide network information services to the public or support energy, communications, finance, transportation, utilities and other important industries. These systems affect the normal operation of important industries and, once breached, will cause serious losses. As a result, the scope of critical information infrastructure in this guidance is quite broad. It includes not only governmental websites, but also popular online platforms providing instant messaging, e-commerce, search engine, email, map, and other services. This means that a large number of influential commercial network services that are used by average people are likely to be considered critical information infrastructure.
Regarding methods of certification, China’s draft Critical Information Infrastructure Security Protection Regulations require relevant authorities to develop guidelines on certifying critical information infrastructure identity and carry out the certification. In Singapore, under the draft Internet Security Act, the certification and decertification of critical information infrastructure are carried out by the Commissioner of Cybersecurity. Other network security authorities are not authorized to conduct the certification. The Singapore law also empowers members of the Network Security Council to obtain information about computers or computer systems. When the Network Security Council has reasons to suspect that a computer or a computer system is critical information infrastructure, it has the right to require the owner of the computer or computer system to submit information on the specific functions, service objects, technical parameters and other aspects of the computer or computer system.44 By contrast, China takes a more rational approach by having regulators and industry authorities share the certification authority. Singapore’s practice of giving the certification and decertification authority to one government agency may jeopardize the objectivity of the decisions. In addition, Singapore’s law may also lack reasonable restrictions on the access of cybersecurity commissioners to the relevant information, especially business secrets and other business information.
2.4.2. Legal obligations of critical information infrastructure operators
The mandatory obligations of network operators that are considered critical information infrastructure under the Cybersecurity Law have received much attention. Once identified as part of critical information infrastructure, a network operator will be charged with more onerous network security obligations than average network operators. These obligations mainly include: (a) stable and reliable business operation, planning, adoption, and use of security measures;45 (b) establishing security management agencies and security management personnel to educate, train and evaluate employees, backing up critical systems and databases in case of emergencies, developing contingency plans and conducting drills;46 (c) security review of network products or services procurement: network products and services involving national security should be reviewed for security by government authorities;47 (d) confidentiality requirements for network products and services procurement: signing security confidentiality agreements with providers, and making clear security and confidentiality obligations and responsibilities;48 (e) storage of domestic data: personal information and important data collected and generated by operators of critical information infrastructure should be stored within the territory;49 (f) security assessment for transfer of data overseas: data exports with legitimate business reasons should undergo security assessment;50 and (g) security assessment: conducting a security assessment at least once a year and reporting assessment results and suggestions for improvements.51
44 Singapore’s draft Cybersecurity Bill, Part 3, critical information infrastructure https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/draft_cybersecurity_bill_2017.ashx?la=en.
45 Cybersecurity Law, supra note xxx, art. 33.
46 Id. art 34.
47 Id. art 35.
48 Id. art 36.
49 Id. art 37.
50 Id.
51 Id. art 38.
2.4.3. Local storage of data and data export security assessment
While local storage of data may be necessary for purposes of national security and social stability, cross-border transfer of data is an inevitable requirement of international economic cooperation. Promoting the free flow of data on a global scale for the development of the digital economy has become a development strategy for many countries and regions. However, in order to reinforce national sovereignty and cyberspace security, countries in the world have enacted laws to restrict the foreign storage and trans-border transmission of specific data. Regarding the issue of data storage and cross-border transmission, the United States had long been advocating and promoting the free flow of data around the world. However, the EU has taken a very different approach. Both the 1995 Data Protection Directive and the 2016 GDPR have made strict restrictions on the transmission of personal data from EU companies to overseas partners. One of these restrictions is that the receiving country in a cross-border data transfer transaction must be certified to have adequate protection for personal information. It requires that full protection of personal data be guaranteed by the receiving country before the implementation of a cross-border data transmission. Since the European Court of Justice (ECJ) in 2015 declared invalid the Safe Harbor Agreement concluded between Europe and the United States in 2000, the two sides have reached a new Privacy Shield Agreement on cross-border transmission of data.
The Cybersecurity Law, for the first time, imposed a local data storage requirement in the form of law. Article 37 of the law provides that the personal information and important data collected and generated by operators of critical information infrastructure shall be stored within the territory. If the data need to be transmitted abroad because of business needs, a security assessment shall be carried out in accordance with the methods formulated by the State network and information authorities. This requirement provides basic rules for data storage and cross-border transmission.
In addition, Article 37 of the Cybersecurity Law stipulates that other laws or regulations may also apply to the transmission of data across borders. Specifically, the data required to be stored locally in accordance with other laws or regulations include: population and health data (Section 10 of the Provisional Measures on Population Health Information Management), credit information (Section 24 of the Rules on Credit Industry Administration), personal financial information (Article 6 of the People’s Bank of China Notice on the Protection of Personal Financial Information), map data (Section 34 of the Rules on Map Management), online publication data (Article 8 of the Regulations on the Administration of Online Publishing Services), and data related to online car-hailing business (Article 27 of the Provisional Measures on Online Car-hailing Operation Service Management).
3. Tensions and controversies
3.1. Internet openness and cyberspace sovereignty
Internet openness and cyberspace sovereignty have been considered contradictory to each other. When the Internet was created, the majority view was that the government would be driven away from the new space and traditional boundaries would be broken given the decentralized nature of the Internet. They perceive cyberspace as a global public space and insist that the Internet should not be controlled by any single country.52 This poses a serious challenge to the legal and political concept of sovereignty. Ever since John P. Barlow published the Declaration of the Independence of Cyberspace in 1996, Internet openness has become a buzz word in the world. Nevertheless, problems begin to soar as more and more individuals and countries enter the cyberspace. People are increasingly calling for global governance of the Internet since they come to realize that Internet openness should be under the rule of law or the premises of the Internet could be destroyed by uncontrolled openness. Furthermore, it is argued that although a state is incapable of implementing national sovereignty towards cyberspace itself, it could exercise sovereignty over basic network infrastructure and all related activities within its territory.53 Another view is that although there is no boundary on the Internet, entities such as basic network infrastructure, netizens, and internet companies could all be assigned a nationality. Moreover, they are regarded as essential strategic resources of a particular country, justifying the country’s jurisdiction. From this perspective, cyberspace sovereignty would be a necessary principle.54
Between cyberspace sovereignty and Internet openness, the Chinese government appears to be inching towards the former. The Chinese government believes that despite the dramatic changes the Internet has brought about, the Internet still needs to be regulated due to the prevalence of illegal activities in cyberspace. Therefore, the Cybersecurity Law clearly stipulates the principle of cyberspace sovereignty, which has set the basis for the Chinese government to regulate the entire Internet.55 Responding to some criticisms from the international community, some Chinese scholars argue that one needs to look no further than the U.S. control over domain systems to realize that the sovereign states have never ceased to control the cyberspace.56
3.2. Market competition and security review
During the drafting period of the Cybersecurity Law, some foreign organizations were strongly opposed to security review of Internet products or services. They argued that the security review would increase operation costs and limit foreign companies’ market access, which would lead to unfair competitive advantages given to Chinese companies and violations of the market openness commitment made by the Chinese government.
52 The White House, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, available at: https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf.
53 See Tallinn Manual 2.0 on the International Law Applicable to Cyberspace Operations (Michael N. Schmitt eds., 2nd ed., 2010), http://assets.cambridge.org/97811071/77222/frontmatter/9781107177222_frontmatter.pdf.
54 Xie Xinzhou, [Building an International Cyberspace Conducive to Mutual Benefits], (People’s Daily) (Mar. 17, 2016).
55 Fang Binxing et al., [Research on Cyberspace Sovereignty], [China Engineering Sciences], No. 6, 2016.
56 See Zhang Xinbao & Xu Ke, [The Governance Models of Cyberspace Sovereignty and Its Institutional Implementation], [China Social Sciences], 2016(8), 139-158.
57 [Government Procurement To Say No to Certain Software], [Legal Net] (Aug. 13, 2014) http://www.legaldaily.com.cn/IT/content/2014-08/13/content_5717899_2.htm.
58 Jiang Qiping, [Mysterious Microsoft Backdoor: Secret Program Killed by Norton?],
The fact is that, with China a latecomer to the Internet industry, the core computer hardware and software programs used by both Chinese citizens and enterprises rely heavily on foreign manufacturers. Take computer operating systems as an example. Due to the lack of R&D efforts by domestic manufacturers, the operating systems adopted by Chinese computer users are dominated by Microsoft Windows and Apple Mac OS. In this context, there is no doubt that the Chinese government is concerned with the hidden safety risks of the network products and services purchased from abroad. Such concerns are not groundless. The disclosures made by Edward Snowden reveal that there are backdoors inserted in foreign security software, which are used as spying tools for foreign intelligence agencies.57 In 2007, the backdoor inserted in the simplified Chinese operating system of Microsoft Windows was detected by the Norton security software, and it was identified as being specifically written for mainland China.58 In 2017, the ransomware
1352 computer law & security review 34 (2018) 1342–1354
WannaCry exploited the 445 port vulnerability of Microsoft’s cations must be established in France. In October 2015, Ger-
Windows system and attacked the network systems of hun- many adopted a new data retention law, which provides that
dreds of Chinese universities, government agencies and gas telecommunication providers must retain data such as phone
stations.59 numbers, the time and place of communication, and the IP ad-
The Cybersecurity Law actually sets different obligations dresses for either 4 or 10 weeks, and the data shall be stored in
for internet operators and operators of critical information in- servers located within Germany. Finally, the GDPR launched in
frastructure, and only the Internet products or services pur- 2016 by the EU strengthens the principle of data localization,
chased by critical information infrastructure operators shall stating that personal data can only be transferred to coun-
be under strict national security review. The review sys- tries outside the EU when an adequate level of protection is
tem, according to the Office of the Central Leading Group guaranteed.
for Cyberspace Affairs, “aims to safeguard state cyberspace To advocates of free flow of data, however, data localiza-
sovereignty, national security, public interests and rights of tion restrictions may function as trade protection since it can
citizens, legal persons and other organizations, instead of re- be utilized by a country to boost its local economy by propping
stricting the access of overseas companies, technology and up its domestic companies.61 It is also argued that forced data
products to China’s market or restricting the free legal and localization may even stifle free speech and political dissent
orderly flow of data.”60 It is clearly stated in the Decision of given that the information locally retained can be accessed
the CCCPC on Several Major Issues Concerning Comprehen- easily by government authorities.62 For its part, the U.S. sup-
sively Deepening Reforms at the third plenary session of the ports eliminating as many barriers to data flows as possible
18th CPC Central Committee that the relationship between while considering data localization laws as another barrier to
the government and the market should be to let market play trade.63 At present, the U.S. is seeking new data localization
a decisive role in allocating resources, and let the government laws within a renegotiated and modernized NAFTA.64 For the
come in where the market falls short. Neither individuals nor EU, the rules on personal information protection introduced
the market can provide cyber protection alone, and cyberse- by the GDPR are not perfect. In June 2018, with the passage
curity regulations are considered an essential part of national of the Regulation on the Free Flow of Non-personal Data, EU
security and even global cyber security. Therefore, security re- member states and parliament reached an agreement on a
view for Internet products and services could be justified as new principle that abolishes data localization restrictions.65
being necessary to defend national security. In actual imple- The regulation covers only non-personal data, however. This
mentation, however, Internet operators covered by the review includes any data not relating to an identified or identifiable
are not clearly defined and circumstances where key informa- person, such as anonymised data and machine to machine
tion infrastructure operators might “jeopardize national se- data. Combined with the GDRP, the new rule aims to facilitate
curity” when buying Internet products and services are not the free flow of data in Europe, an important step towards cre-
clearly stipulated. This has influenced the implementation of ating Europe’s digital single market.
the law, causing uncertainty and puzzlement among both do- In the case of China, Article 37 of the Cybersecurity Law
mestic and foreign enterprises. requires personal information and important data collected
by operators of critical information infrastructure to be stored
3.3. Free flow and local storage of data within China’s border. This data localization rule allows China
to restrict market access for cloud computing if the required
It is argued that although free flow of data can facilitate the data localization requirements are not met. The Chinese gov-
growth of digital economy, cross-border transmission of data ernment believes that allowing foreign companies to collect
might endanger the national security and law enforcements information from China without restrictions will put its citi-
of a country as well as the privacy or other personal rights zens’ privacy, national security and long-term economic de-
of its citizens. This is why many countries and regions set
up restrictions on cross-border flow of data. For example, In 61
Bret Cohen, Britanie Hall, & Charlie Wood, Data Localization
the U.K., for example, the Company Act of 2006 states that
Laws and Their Impact on Privacy, Data Security, and the Global
if accounting records are kept at a place outside the U.K., Economy. ANTITRUST, Vol. 30, No. 1, 2017.
accounts and returns must be sent to, kept at, a place in 62
See, e.g., Jillian C. York, What’s Going on in Central Asia?, Elec. Fron-
the U.K., and must at all times be open to such inspection. tier Found (Nov. 29, 2012), https://www.eff.org/deeplinks/2012/
Through a decree amending the Code of Electronic Commu- 11/whatsgoing- on- in- central- asia; Kaveh Waddell, Kazakhstan’s
nications, France has included a territorial restriction requir- New Encryption Law Could Be a Preview of US Policy, ATLANTIC (Dec.
8, 2015), https://www.theatlantic.com/technology/archive/2015/
ing that the systems for interception of electronic communi-
12/kazakhstans- new- encryptionlaw- could- be- a- preview- of- us-
policy/419250/.
[People’s Net] (Jun. 12, 2007), http://it.people.com.cn/GB/ 63
William Alan Reinsch, A Data Localization Free-for-All?
42893/5851803.html. March 9, 2018, https://www.csis.org/blogs/future- digital- trade-
59
Wannacry () policy- and- role- us- and- uk/data- localization- free- all.
[Ransomware Wannacry Hits Chinese Universities, Govern- 64
Erica Alini, NAFTA, Trump and the Cloud: What the Ne-
ment Agencies, and Enterprises], [China Net] (May 13, 2017), gotiations Mean for Your Personal Data, GLOBAL NEWS, Au-
http://science.china.com.cn/2017-05/13/content_9480800.htm. gust 2017, https://globalnews.ca/news/3660107/nafta-trump-
60
[National Net- the- cloud- data- privacy-canada/.
65
work and Information Office Gives Press Interview on the Cyber- European Commission, Digital Single Market: EU Negotiates Reach
security Law], [People’s Net] (May 31, 2017), http://politics. a Political Agreement on Free Flow of Non-personal Data. June 19, 2018.
people.com.cn/n1/2017/0531/c1001-29309728.html. http://europa.eu/rapid/press-release_IP-18-4227_en.htm.
computer law & security review 34 (2018) 1342–1354 1353
velopment at risk. Also, it is argued that China among many The real-name online registration system stipulated in Ar-
countries enacts the data location rule not only as a means to ticle 24 of the Cybersecurity Law aims at preventing the spread
reduce its comparative disadvantage in Internet data hosting, of irresponsible and illegal contents. The problem is that it
but also as a means to reduce its comparative disadvantage in may become an obstacle to the free expression of public opin-
Internet signals intelligence.66 In spite of this, during the leg- ions. For instance, in November 2010, Wang Peng, a Gansu
islative process of this rule, 46 foreign corporate groups led by province youth who criticized local officials using his real
the American Chamber of Commerce went to great lengths to name on the Internet, was detained in a much publicized
oppose the rule’s enactment out of fear that their business re- criminal case.68 Although he was acquitted later, this incident
lated to the data locally stored in China would be largely jeop- became one of the reasons why many people opposed and
ardized by the law. The protest was not successful as China feared the real-name system. The real-name registration sys-
finalized the rule. tem factually started in Korea in 2008 after actress Choi Jin-
However, the data localization rule prescribed by the Cy- sil committed suicide reportedly due to malicious comments
berspace Law does raise several reasonable concerns. Firstly, about her on Internet bulletin boards. The system was then
does this law apply to operators of non-critical information enacted for the purpose of minimizing the amount of neg-
infrastructure? Secondly, the law does not define what consti- ative information to make individuals responsible for their
tutes important data. Thirdly, the specific content of security online behaviors. In 2012, however, the Constitutional Court
assessment and evaluation procedures is uncertain. In April of Korea ruled that the real-name system stipulated by rele-
2017, China’s State Internet Information Office issued the draft vant laws is unconstitutional, citing its violation of freedom of
Measure on the Security Assessment for Personal Information speech in cyberspace.69 Whether and what the Chinese gov-
and Important Data to Be Transmitted Aboard to implement ernment can learn from the Korean experience so far remain
the Cybersecurity Law.67 The draft measure appears to extend unclear.
the localization requirement to "network operators" which are As far as the online remarks review system goes, Article
far more broadly defined under the law to include network ser- 47 of the Cybersecurity Law provides that Internet operators
vice providers and owners or operators of any systems that should suspend services immediately upon noticing viola-
gather, store, transmit, exchange, or otherwise process infor- tions of laws, prevent further spread of the information, save
mation. While the concept of "personal data" is specifically record and report to authority. Article 48 forbids any individ-
prescribed in the Cybersecurity Law, the term of "important ual or organization from posting information banned by laws
data" remains undefined in the draft Measure. In addition, due or administrative regulations. These security review systems,
to the aforementioned ambiguity, how to carry out the secu- however, inevitably give rise to concerns that the government
rity assessment of cross-data transmission remains unclear in might use them to conduct speech censorship and suppres-
the draft Measure. Given the significant degree of uncertainty sion. There are costs associated with suppression of speech.
as to the scope and effect of the data localization restriction, If citizens could not freely express their opinions, lawmak-
the impact of the rule on domestic and foreign businesses is ers and policymakers will not be able to accurately assess the
difficult to assess at this stage. needs of the citizenry. Also, suppression of speech may lead
to political and social tensions that may find outlets in more
3.4. Freedom of speech and internet censorship socially disruptive ways. But apparently, the Chinese govern-
ment believes that the costs of censorship are outweighed by
Chinese citizens are arguably enjoying more freedom of the threats to national security and China’s approach to cy-
speech as they have a chance to leverage numerous new bersecurity is heavily tilted towards the latter.
media tools to acquire information and express opinion
on topics of interest. Meanwhile, the Chinese government
is becoming much more responsive to the public opinion, 4. Conclusion
especially those voiced in cyberspace, for the purpose of
improving governance and maintaining legitimacy. While The Cybersecurity Law aims to strengthen cyberspace gov-
the Internet has facilitated the dissemination of information, ernance through a number of initiatives, including Internet
it has also enabled the spread of information containing operator security protection, personal information protection,
pornography, violence, terrorism, and threats to national special protection of critical information infrastructure, local
security and has caused tremendous harms to public safety storage of data, security evaluation for data export and gov-
and national security. Therefore, the Cybersecurity Law sets ernment regulation of cybersecurity. This Article discusses the
up a real-name online registration system and a system for major concepts and principles of the Cybersecurity Law. It also
reviewing online contents. discusses the tensions and controversies inherent in the law.
66
John Selby, Data Localization Laws: Trade Barriers or Legitimate Re-
sponses to Cybersecurity Risks, or Both? INT’L JOURNAL OF LAW AND
INFORMATION TECHNOLOGY, Vol. 25, No. 3, 2017, https://doi.org/
68
Xu Yunping & Zhou Zhizhong, “ ”
10.1093/ijlit/eax010. [Reporting Civil Servant Exam Cheating Was Actually Subject to
67
China’s State Internet Information Office, "Inter-Provincial Detention”], People.com. December 3, 2010 http:
( ) [The draft Measure on the Se- //legal.people.com.cn/GB/13384966.html.
69
curity Assessment for Personal Information and Important Data Online Real-name System Unconstitutional, KOREA TIMES, Au-
to Be Transmitted Aboard], http://www.cac.gov.cn/2017-04/11/c_ gust 23, 2012. http://www.koreatimes.co.kr/www/news/nation/
1120785691.htm. 2012/08/117_118115.html.
1354 computer law & security review 34 (2018) 1342–1354
All in all, the Cybersecurity Law exhibits distinctive Chinese and freedom of speech. It provides a basic legal framework
characteristics. It is premised on the concept of cyberspace for cyberspace governance in China, to be supplemented by
sovereignty and emphasizes security over free flow of data implementing regulations in years to come.