China's Cybersecurity Law Isn't Just About Cybersecurity

The law — which includes data localization mandates, cybersecurity best practices, and data transfer restrictions — has similarities to other cyber laws such as the EU's General Data Protection Regulation (GDPR). But in this case, it's also being used to police internet content and behavior.

China's “cybersecurity law not only regulates cybersecurity issues, but also cyber crime issues such as online hate crime, extremism, terrorism, dissemination of obscene and sexual information, and fake news,” says Lennon Chang, a lecturer in criminology at Monash University in Australia. “It also regulates behavior that is damaging to national security — such as separation of Taiwan and Tibet — and [behavior considered] 'anti-socialism.'”

The Marriott incident wasn't the first time China's cybersecurity law was used to regulate Internet content. In August 2017, for example, the Cyberspace Administration of China (CAC) opened an investigation into three Chinese social media websites — WeChat, Weibo and Baidu Tieba — for violating the cybersecurity law's rules on spreading information on terror, rumors and pornography.

Xiaoyan Zhang, counsel at Reed Smith's IP, tech and data group, singled out Article 47 of the law as one with provisions enabling enforcement outside the scope of traditional cybersecurity issues. The article, she explained, requires covered companies to “report user content violations to the authorities, and content violations there means a user's content that could potentially be politically harmful.”

Article 12 of the law can also be applied beyond the realm of enterprise security. The provision prohibits any online activity such as those that could subvert national security, undermine national unity, and entice violence or ethnic hatred. It also prohibits the dissemination or creation of false information with the intent to “to disrupt the economic or social order.”

While such articles can be quite specific, there is some ambiguity over which entities come under their purview.

The cybersecurity law pertains to two classes of enterprises — “critical information infrastructure operators” and “network operators.” But Aaron Tantleff, partner at Foley & Lardner, notes that like any large regulation, it will be up to the regulators to fill in the details and offer clarity on the “ambiguity around how companies will be classified.”

Such vague language in the law can potentially expand its scope and enforcement and complicate compliance efforts for local and foreign companies. Sarah (Xiaohua) Zhao, partner at Faegre Baker Daniels, notes that with the cybersecurity law, “there is no a clear roadmap to follow yet. New laws are issued frequently.”

Chang, though, believes the law was not “made intentionally vague.” Rather, it “is just the way laws are drafted in China.”

Companies operating in China, after all, should be acquainted with the government's wide ability to regulate as it sees fit. “In China, everything is controlled by the government; it is still a government-run country no matter what, no matter what kind of law comes along,” Zhao says. The role of the government in China then may be a reason why the scope of the country's cybersecurity law is broader and more malleable than cybersecurity regulations in Europe and the United States.

To be sure, the cybersecurity law is not the first or only law granting Chinese regulators the ability to police online behavior and content. “The law gives the government stronger powers of censorship, but most of the power regulators have was given long before the law was introduced,” Chang says. “This law has simply given them more legitimacy to do crack down on political-related issues.”

Zhang notes other regulations that enable regulators to crack down on online behavior include a “regulation released recently on mobile app providers, which has a similar provision requiring mobile app providers to report unlawful user content to government authorities.”

Of course, the cybersecurity law is one of most impactful regulations in China, because of both the number of enterprises to which it applies and the steep consequences of noncompliance.

Zhang explains that like the GDPR, “China's cybersecurity law fines companies for violating its mandates. But the fines in the [law] are relatively smaller compared to the fines in GDPR.”

However, Zhang adds, “along with the fines, the business could potentially risk authorities revoking their operational business license and shutting down their internet [presence].”

Some, though, see the possibility of shutting down noncompliant businesses operating in China as more of a threat to ensure compliance than an actual action regulators would take. “I don't think the law will focus primarily on closing down businesses or blocking them from operating in the country in lieu of fines,” Chang says. “The law gives the regulator power to do this, but under special circumstances.”

Still, Chang believes that “if the regulators were to enforce the law strictly” one could expect “many websites” operating in the country to be shut down in the months and years to come.

*****

Rhys Dipshan writes for our ALM sibling, Lawtechnology News, in which this article also appeared. He can be reached at [email protected], and on Twitter @R_Dipshan.