On December 27, 2015, the Standing Committee of the National People’s Congress (NPC), China’s top legislative body, enacted a Counter-Terrorism Law (see the Chinese version here, and an unofficial English translation here), which took effect on January 1, 2016.  The adoption of this law, a year after the first draft was released for public comment, followed closely the adoption of a new National Security Law and a draft Network Security Law.

The Counter-Terrorism Law reinforces the government’s broad powers to investigate and prevent incidents of terrorism and requires citizens and companies to assist and cooperate with the government in such matters. The law imposes additional and specific obligations on companies in certain sectors, including those providing telecommunications, Internet, and financial services.  Non-compliance or non-cooperation can lead to significant penalties, including fines on companies and criminal charges or detention for responsible individuals. In some respects, the new law provides greater, higher-level legal authority to pre-existing regulations and practice. In others, it imposes new obligations or makes existing obligations more specific (e.g., penalties).

The law’s broadly-worded requirements create some uncertainty as to their implications for companies’ data protection and security policies. The final version of the law removes some of the more controversial requirements of the draft versions, including the requirement that telecommunications and Internet services providers install “backdoors” into their products, register encryption keys with the government, and keep servers and data related to Chinese users within the country. Nonetheless, the law imposes new requirements that require careful attention. For example, telecommunications and Internet services companies must:

• Provide technical support and assistance, including handing over access or interface information and decryption keys; and

• Establish content monitoring and network security programs and adopt precautionary security measures to prevent the dissemination of information on extremism, report terrorism information to the authorities in a timely manner, keep original records, and promptly delete such messages to prevent further circulation.

Companies in many other sectors, such as freight, transportation, and hospitality (including car rental), as well as providers of telecommunications, Internet, and financial services, are required to conduct identity checks of their customers or clients and refuse to provide services to those that decline to provide such information. It is unclear how these new provisions will interact with other provisions that require companies to collect certain types of personal data only with permission from customers.

These specific requirements are framed against the backdrop of more general obligations to assist government authorities in counter-terrorism investigations and operations. As is common with high-level Chinese laws, the language in the new Counter-Terrorism Law, including the definition of “terrorism” itself, is broad, leaving significant discretion in the hands of the responsible agencies. The contours of its implementation in practice, including its implications for companies handling user data and information, may become clearer as implementing regulations are issued.