China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime
[Originally published as a Feature Article: China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime, by Carolyn K. Luong, in Orange County Lawyer Magazine, April 2020, Vol. 62 No.4, page 31.]
By Carolyn Luong
U.S.-China relations have been a trending topic throughout the past year due to several conflicts involving the alleged encroachment upon free speech principles and perceived threats to U.S. national security. The NBA and Activision-Blizzard, both U.S.-based organizations, fielded criticisms in October of 2019 for supposed political censorship motivated by the fear of losing Chinese customers. Furthermore, as the U.S. races to build out its 5G infrastructure, the U.S. government has explicitly restricted U.S. corporations from conducting business with Chinese technology manufacturer Huawei upon apprehension that Huawei equipment may contain backdoors to enable surveillance by the Chinese government.
Dr. Christopher Ford, Assistant Secretary of the U.S. State Department’s Bureau of International Security and Nonproliferation remarked in September that, “Firms such as Huawei, Tencent, ZTE, Alibaba, and Baidu have no meaningful ability to tell the Chinese Communist Party ‘no’ if officials decide to ask for their assistance—e.g., in the form of access to foreign technologies, access to foreign networks, useful information about foreign commercial counterparties . . . .” These Chinese firms in response firmly deny any allegations of contemplated or actual instances of required cooperation with the Chinese government to compromise user information or equipment.
However, even disregarding any speculative corporate espionage, Chinese companies do not have a perfect track record when it comes to securing users’ privacy and data. In 2014, Chinese laptop maker Lenovo was widely reproached for bundling Superfish’s VisualDiscovery adware program with Lenovo’s OEM Windows laptops. Not only did Superfish’s VisualDiscovery cause computers to be more vulnerable to cyberattacks by intercepting browser data, but it did so for the purposes of delivering targeted advertising without due notice or consent to Lenovo’s customers. According to industry analysts, this security mishap did not appear to be politically motivated on Lenovo’s part, but instead was unintentional and careless.
China’s Emerging Data Privacy and Cybersecurity Framework: New Obligations for Businesses
Throughout 2015 and 2016, in response to globally trending attention on cybersecurity breaches as well as the perception of poorly secured Chinese technology such as in the Lenovo incident, the National People’s Congress (NPC)—the primary Chinese legislative authority—deliberated over drafts of a new cybersecurity regulation. The result of those legislative efforts was the Cybersecurity Law (CSL)—China’s first comprehensive law on digital privacy and security, which came into effect June 1, 2017. It consolidated earlier piecemeal laws related to systems security and introduced additional obligations focused on privacy protection.
The CSL applies to “network operators,” defined under its Article 76(3) to mean “network owners, managers, and network service providers.” In practice, network operators encompass more than just telecommunications and internet service providers (ISPs). “Network operators” can be broadly interpreted to mean any entity that transmits data through the internet—virtually any business or organization. The CSL imposes several standard obligations on these network operators, including protection of personal information, data breach notification, and restrictions on cross-border data transfers.
The CSL also requires companies to implement security protocols found in China’s Multi-Level Protection Scheme (MLPS). In 2007, China first established the MLPS, which sets five different levels of information security requirements for network operators. These five requirement levels vary in stringency according to the national security threat posed if personal information in the network were to be leaked or disclosed without authorization. CSL Article 21 requires network operators to comply with the security protocols corresponding to its MLPS level. For instance, these protocols can include the designation of an organizational contact who is responsible for firm-wide cybersecurity or the adoption of increasingly technical measures to prevent security incidents.
Under Article 31 of the CSL, even greater security measures are imposed upon operators of “critical information infrastructure” (CII). CII is defined as infrastructure that “might seriously endanger national security, national welfare, the people’s livelihood, or the public interest” if destroyed or leaked. These can include “public communication and information services, power, traffic, water resources,” among other sectors. The enhanced security requirements imposed on CII operators include maintaining disaster recovery backups, forming incident response plans, purchasing State-reviewed network products and services, and signing security and confidentiality agreements with partnered vendors.
In certain instances, China’s new framework may even be comparatively stricter than the European Union’s General Data Protection Regulation (GDPR). Under the GDPR, personal information may only be processed when it is justified by one of six lawful bases under Article 6 of the GDPR. Two critical lawful bases that businesses may use to justify data collection and processing are (1) processing of data necessary to perform a contract and (2) processing that is in the legitimate interest of a data controller. However, under proposed revisions to China’s Personal Information Security Specification (PISS), one of several implementing guidelines for the CSL, both of these two bases will not be allowed as legal justification for data processing. In other words, consent will be the preferred lawful basis for data processing in China. Furthermore, valid consent must be obtained without coercion or bundling and, for certain business functions, valid consent will require just-in-time notice and opt-in for each processing activity.
Drafting a robust legal framework is only half the battle. Enforcement is an entirely different matter. According to the Wall Street Journal, Chinese regulators appeared to hold the cybersecurity regulations in abeyance pending trade talks with the United States early last year. The success of ongoing trade negotiations will likely affect the severity of these laws on U.S. tech companies.
China’s Growing Investment in High-Tech Government Surveillance Systems
Whereas China has been imposing increasingly strict regulations on businesses related to their data collection practices and security infrastructure, China’s government continues to launch initiative upon initiative to adopt more technologically advanced (and arguably more invasive) mass surveillance systems.
A New York Times report from July 8, 2018 details the pervasiveness of technology-enabled surveillance in everyday life. Police patrols wearing special “smart glasses” and multiple cameras installed at airports, train stations, and other public areas have the ability to recognize individuals’ faces, voices, gaits, or even their registered cars, which can then link to a nationwide citizen database. The technology has been used successfully to shame violators of minor infractions, like jaywalking, and to apprehend suspects of more serious offenses, like theft, drug trafficking, and murder. According to the New York Times, the same technology is also used to monitor ethnic minorities like Uighur Muslims in China’s Xinjiang province.
Whatever the use, China is heavily investing in further technologies to increase its grasp on citizens’ data. According to the Financial Times, China’s nationwide security spending reached RMB 1.24 trillion (USD $176.17 billion) in 2017, nearly 20 % higher than its defense budget. Spurred by government investment, this security infrastructure will continue to grow, with estimates that the government will install 300 million cameras by 2020 and spend an additional $30 billion on surveillance technology.
The Clash Between Private-Sector Security Obligations and Government Surveillance: China’s MLPS 2.0, Cryptography Law, and the Encryption Backdoor
In the aftermath of the shooting on December 2, 2015 in San Bernardino, California, the U.S. Federal Bureau of Investigation (FBI) requested Apple’s assistance in unlocking an iPhone belonging to one of the shooters. Specifically, the FBI obtained a court order compelling Apple to bypass a security measure that would be triggered after ten incorrect password attempts and would erase all device data. Apple refused the court order. It argued that the implementation of special software to bypass the security measure would undermine the encryption of the device by providing a backdoor and leaving Apple devices vulnerable to hacking by malicious actors. Apple CEO Tim Cook has stated, “The reality is that if you have an open door in your software for the good guys, the bad guys get in there, too.”
Just as American corporations are conflicted with the compromises between an individual’s privacy and matters of national security, so too are Chinese entities grappling with the paradox of ensuring users’ data security while enabling government surveillance at the same time. China’s recently advanced data privacy and cybersecurity regulations are enforcing encryption and security best practices in private corporations. However, these laws also mandate transparency for government actors to monitor users’ data in the name of safety and national security.
On December 1, 2019, China implemented an update to the MLPS, entitled MLPS 2.0. Under the MLPS 2.0, the categories of CII operators are broadened, meaning that more organizations are subject to government purview and oversight of the organization’s data collection, storage, and security policies. More controversially, this regulation grants full rights to government inspection of, access to, and copying of sensitive company data. Furthermore, it has set the stage for another forthcoming law.
Companies have been gearing up for the California Consumer Protection Act (CCPA), yet another data privacy and security law is a mere whisper in contrast to the buzz surrounding the CCPA. China’s Cryptography Law (also known as the Encryption Law) tiptoes in vague terms around the idea of having a legally mandated encryption backdoor. Article 31 provides for the Chinese State Cryptography Administration (SCA) and affiliated agencies to have complete access to encrypted servers. Such a law may prompt U.S. lawmakers to pass their own encryption access laws as they have largely made known their dissatisfaction with tech companies, such as Apple, for refusing to cooperate with demands for a decryption solution.
Companies that handle personal data—and nowadays, most companies do—are walking a precarious tightrope heading into the next decade. They must ensure that they meet growing market concerns for users’ privacy and security of personal data while simultaneously placating lawmakers’ concerns that encryption will serve as a sanctuary for crime and terrorism.
It will be a difficult line to balance.
Carolyn Luong is a data privacy lawyer and associate with Metaverse Law. She can be reached at email@example.com.
The views expressed herein are those of the Author(s). They do not necessarily represent the views of the Orange County Lawyer magazine, the Orange County Bar Association, The Orange County Bar Association Charitable Fund, or their staffs, contributors, or advertisers. All legal and other issues must be independently researched.
- Addition of Entities to the Entity List, 84 Fed. Reg. 22,961 (May 21, 2019) (to be codified at 15 C.F.R. pt. 744).
- Christopher A. Ford, Assistant Sec’y, Bureau of Int’l Sec. and Nonproliferation, Huawei and its Siblings, the Chinese Tech Giants: National Security and Foreign Policy Implications, Remarks at the Multilateral Action on Sensitive Technologies (MAST) Conference (Sept. 11, 2019) (transcript available at https://www.state.gov/huawei-and-its-siblings-the-chinese-tech-giants-national-security-and-foreign-policy-implications/).
- Thomas Claburn, Remember when Lenovo sold PCs with Superfish adware? It just got a mild scolding from FTC, The Reg. (Sept. 5, 2017, 7:08 PM), https://www.theregister.co.uk/2017/09/05/lenovo_gets_wristslap_from_ftc_for_superfish_adware_debacle/.
- Zhonghua Renmin Gongheguo Wangluo Anquan Fa (中华人民共和国网络安全法) [Cyber Security Law of the People’s Republic of China] [hereinafter Cyber Security Law], (promulgated by the Standing Comm. Nat’l People’s Cong., Nov. 7, 2016, effective June 1, 2017) 2016 Standing Comm. Nat’l People’s Cong. Gaz. 324 (China), unofficial English translation available at https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/.
- Nick Marro, The 5 Levels of Information Security in China, China Bus. Rev. (Dec. 5, 2016), https://www.chinabusinessreview.com/the-5-levels-of-information-security-in-china/.
- See Cyber Security Law, supra note 4, arts. 32-39.
- Griffen Thorne, GDPR Meets its Match . . . in China, China L. Blog (July 14, 2019), https://www.chinalawblog.com/2019/07/gdpr-meets-its-match-in-china.html.
- Gil Zhang & Kate Yin, More updates on the Chinese data protection regime in 2019, Int’l Ass’n of Privacy Prof’ls (Feb. 26, 2019), https://iapp.org/news/a/more-positive-progress-on-chinese-data-protection-regime-in-2019/.
- Yoko Kubota, American Tech Shudders as China Cyber Rules Are Expected to Get Tougher, Wall St. J. (July 29, 2019, 11:36 PM), https://www.wsj.com/articles/chinas-cybersecurity-regulations-rattle-u-s-businesses-11564409177.
- Paul Mozur, Inside China’s Dystopian Dreams: A.I., Shame and Lots of Cameras, N.Y. Times (July 8, 2018), https://www.nytimes.com/2018/07/08/business/china-surveillance-technology.html.
- Emily Feng, Security spending ramped up in China’s restive Xinjiang region, Fin. T. (Mar. 12, 2018), https://www.ft.com/content/aa4465aa-2349-11e8-ae48-60d3531b7d11.
- Interview by Robert Siegel with Tim Cook, CEO, Apple (Oct. 1, 2015), available at https://www.npr.org/sections/alltechconsidered/2015/10/01/445026470/apple-ceo-tim-cook-privacy-is-a-fundamental-human-right.
- Steve Dickinson, China’s New Cybersecurity System: There is NO Place to Hide, China. L. Blog (Oct. 7, 2019), https://www.chinalawblog.com/2019/10/chinas-new-cybersecurity-system-there-is-no-place-to-hide.html.
- Zhonghua Renmin Gongheguo Mima Fa (中华人民共和国密码法) [Cryptography Law of the People’s Republic of China], (promulgated by the Standing Comm. Nat’l People’s Cong., Oct. 26, 2019, effective Jan. 1, 2020) 2019 Standing Comm. Nat’l People’s Cong. Gaz. 342 (China), unofficial English translation available at https://www.chinalawtranslate.com/en/cryptography-law/
- Steve Dickinson, China’s New Cryptography Law: Still No Place to Hide, China L. Blog (Nov. 7, 2019), https://www.chinalawblog.com/2019/11/chinas-new-cryptography-law-still-no-place-to-hide.html.
- Angelique Carson, Tech companies push back against lawmakers’ demands for encryption backdoors, Int’l Ass’n of Privacy Prof’ls (Dec. 11, 2019), https://iapp.org/news/a/tech-companies-push-back-against-lawmakers-demands-for-encryption-backdoors/.