China has passed a new cybersecurity law that gives it greater control over the internet, including by requiring local storage of certain data.
Human rights groups and trade associations in the U.S. and other countries have warned of the implications of the law both for internet businesses and human rights in the country.
The National People’s Congress Standing Committee passed the new cybersecurity law today, according to reports.
“Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes,” said Sophie Richardson, China director of Human Rights Watch.
HRW has described the new cybersecurity law as a “regressive measure that strengthens censorship, surveillance, and other controls over the internet.” The final draft of the new law would, for example, require a large range of companies to collect real names and personal information from online users, including from users of messaging services, as well as censor content, HRW said.
The law will also burden foreign internet companies with storing data locally. It requires “critical information infrastructure operators” to store users’ “personal information and other important business data” in China, terms that are vague.
“The final draft narrows the scope to only data that is related to a firm’s China operations, but the term ‘important business data’ is undefined, and companies must still submit to a security assessment if they want to transfer data outside the country,” HRW said.
Under the new rules, companies will also be required to monitor network security incidents, which are not defined in the law, and report them to authorities. The requirement that the companies provide “technical support,” a term that is again undefined, to investigating security agencies raises fears of surveillance, according to HRW. The new regulations also provide the legal basis for large-scale network shutdowns in response to security incidents, it added.
In August, industry associations from the U.S., Europe and other countries wrote to the Chinese government to protest the draft cybersecurity law and provisions for insurance systems that were also proposed. The letter said the data retention and sharing and law enforcement assistance requirements “would weaken technical security measures and expose systems and citizens’ personal information to malicious actors.”
Online activities prohibited under the new provisions include those that are seen as attempts to overthrow the socialist system, split the nation, undermine national unity, or advocate terrorism and extremism, according to a news report.
Chinese officials could not be immediately reached for comment.
The country already blocks access to a number of foreign internet services including Facebook and Twitter.