China has issued a new regulation setting out wide-ranging police powers to inspect internet service providers and users, as the government tightens its grip on the country’s heavily restricted cyberspace.
Under the new rule, effective from November 1, central and local public security authorities can enter the premises of all companies and entities that provide internet services and look up and copy information considered relevant to cybersecurity.
The regulation was issued by the Ministry of Public Security last month and released on its website on Sunday. It comes more than a year after a controversial cybersecurity law was introduced that has caused widespread concern among foreign companies operating in China.
Despite its broad scope, the legislation gives few details about implementation, making it all the more difficult for companies trying to avoid its repercussions.
Analysts said the new regulation sheds some light on how the law will be implemented.
“That’s obviously how Chinese laws go. First there is a big concept, then there is a sweeping law, and then implementing regulations will come in to flesh out the details,” said William Nee, a China expert with Amnesty International.
“What this regulation does is in one way … ensure that users aren’t going to become victims of hacking due to company negligence, but it’s also designed to more effectively implement China’s censorship directives and its surveillance state.”
Under the new regulation, police can enter the business sites, machine rooms and offices of internet service providers ranging from internet information providers and internet cafes to data centres.
Police can then require managers to explain all items they inspect, look up and copy all relevant information, and check how technical measures to safeguard network and information security are running.
Apart from on-site inspections, the police can now also conduct remote detection of any network security vulnerabilities in the companies, but they are required to give the companies advance notice and make sure the detection will not disrupt or damage the operations of their networks.
The regulation details what the police will be checking for, a list that includes: whether companies have kept a record of all user registration information and their internet logs; if they have taken measures to prevent viruses and hacking; if they have taken precautionary measures against information that is banned from publication or transmission; and if they have provided technical support and assistance to the police in safeguarding national security, investigating terrorist activities or other crimes.
Police can also carry out special inspections during times of “major cybersecurity safeguard tasks”.
Wu Han, a partner at law firm King and Wood Mallesons in Beijing, said the regulation would add to concerns among foreign internet service businesses in China.
“For a business that has just entered a new country, knowing that the country’s police can carry out on-site inspections or remote surveillance on its cyber information – of course it is going to be concerned,” he said.
But Wu added there was not much new in the regulation. “The public security authorities have long conducted similar inspections on cybersecurity, and they have long had the authority to do so,” he said, citing a clause in the police law that says police have the duty to “supervise and manage security and protection work on computer information systems”.
He gave the example of China’s internet police commonly using remote detection to scan for security flaws during major international events.
This week, Nikkei Asian Review reported that the cybersecurity law had been a big challenge for Japanese companies since it came in. “There have been a number of cases where Japanese companies’ bases in Shanghai or Guangzhou have been raided by authorities,” Li Tianyi, vice-president of a Chinese unit of Internet Initiative Japan, told the newspaper.
Public security authorities are listed as one of the agencies responsible for safeguarding and supervising cybersecurity under the law. It also requires “network operators” to provide public security and state security authorities with technical support and assistance to protect national security, and for criminal investigations.
“But the cybersecurity law is ambiguous on whether such ‘support’ includes passing on user data to the authorities. So under the new regulation, there will be concerns regarding user data privacy,” Wu said. He added that although police can copy information related to cybersecurity during inspections, that does not mean they can take user data from a business site without a legitimate reason.
The regulation states that police officers and police internet security contractors cannot release any private or commercial data they collect to a third party.