Privacy & Information Security Law Blog

On December 27, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published the P.R.C. Anti-Terrorism Law. The law was enacted in response to a perceived growing threat from extremists and terrorists, particularly in regions in Western China, and came into effect on January 1, 2016.

As its name suggests, the main goal of the law is to strengthen national security and to prevent terrorism. The law defines terrorism and declares it to be illegal, authorizing both civil and criminal sanctions. The law also takes certain actions that promote its objectives, such as (1) allowing for the designation of certain organizations as terrorist organizations, (2) establishing institutions such as a counter-terrorism intelligence agency and counter-terrorism units of the armed police forces and of the People’s Liberation Army to allow for the requisition of property in urgent circumstances, (3) mandating a system for incident response planning and (4) providing for international cooperation. It also empowers public security agencies to take actions such as launching investigations and even using weaponry in emergency or dangerous circumstances.

Certain provisions in the law require telecommunications system operators and Internet service providers to provide technical support and assistance, such as access to their technical interfaces and assistance with decryption, to public security and state security authorities which may be conducting investigations of terrorist activities or taking action to prevent them. The law also requires telecommunications system operators and Internet service providers to adopt network security systems and information content monitoring systems to prevent the dissemination of information containing terrorist or extremist content over their systems. If they discover information with terrorist or extremist content being disseminated over their systems, they must halt the dissemination, close the relevant websites, keep records of the incident and make a report to the relevant public security organizations. A fine of more than RMB ¥500,000 may be imposed on telecommunications system operators and Internet service providers who fail to provide technical interfaces, decryption and other technical support or assistance to competent government agencies, and the person in charge may be subject to a fine of up to RMB ¥500,000 and possibly detention of up to 15 days.

The Anti-Terrorism Law permits the People's Liberation Army to get involved in anti-terrorism operations overseas. It also restricts the right of media of various types to report the details of terrorist attacks. For instance, social media cannot report on details of terror activities that might inspire copycat attacks, and cruel and inhuman scenes cannot be depicted in their reports.

The Anti-Terrorism Law contains several provisions that are significant in the context of personal information protection. For instance, the law requires railway, road, water and air transport operators and postal offices, couriers or other logistics operators to conduct an examination of the identities of their clients, and to perform security checks and visual checks on the articles they transport and deliver. An operator listed above which fails to comply with the foregoing obligations may face a fine of up to RMB ¥500,000 (approximately $76,250 USD at current exchange rates), and the person in charge may face a fine of up to RMB ¥100,000.

Service providers in certain industry sectors, such as the telecommunications, Internet, finance, hotel, long-distance passenger transportation and automobile leasing sectors, are required to conduct an examination of the identities of their clients as well. Service providers which fail to examine their clients’ identities, or provide services to those who refuse to make this examination, may be subject to fines of more than RMB ¥500,000. The person in charge may face a fine of up to RMB ¥500,000.

The law permits the collection of financial personal information, including information that would be considered sensitive personal information in other jurisdictions, for purposes of investigating suspected terrorist activities. For instance, during such investigations public security organizations have the authority to investigate the financial information of suspects, such as information relating to their bank deposits and stock and bond holdings. Also during an investigation, public security organizations are given the authority to collect information about suspects including their portrait, fingerprints, iris images and biological samples such as blood samples. In addition, government authorities and other entities or individuals that may be involved are required to keep in confidence any state secret, trade secret or private personal information which may be obtained during the performance of their anti-terrorism investigations.

The Anti-Terrorism Law defines circumstances in which state security organizations have authority to collect personal information. In such circumstances, when there is a conflict with other data privacy regulations that may otherwise prohibit collection, the Anti-Terrorism Law presumably would control. The Anti-Terrorism Law represents a further step in the sector-by-sector development of China’s data privacy framework.