CFR Presents

Net Politics

CFR experts investigate the impact of information and communication technologies on security, privacy, and international affairs.

Print Print Cite Cite
Style: MLA APA Chicago Close


China’s New Cybersecurity Law

by Adam Segal
July 8, 2015

cybersecurity cyber net politics cfr china npc security national internet An officer stands outside the Great Hall of the People, the venue of National People's Congress, China's parliament, in Beijing, June 18, 2015. China's legislature released the first draft of a cybersecurity law Wednesday. (Jason Lee/REUTERS)


The National People’s Congress posted the draft of a new cybersecurity law (in Chinese) on Monday. The purpose of the law, according the NPC, is to maintain “cyberspace sovereignty.” The law is open for comments until August, and the important questions will be in how it is modified, interpreted, and implemented. But here are some of the key points:

  • Government will establish national security standards for technical systems and networks.
  • Real name registration to be enforced more strictly, especially with messaging apps where enforcement has been lax.
  • Internet operators must provide “support and assistance” to the government for dealing with criminal investigations and national security. Nicholas Bequelin, East Asia Director at Amnesty International, tells Reuters that Article 50 gives authorities the legal power to cut Internet access in to maintain order as Beijing did in Xinjiang in 2009.
  • “Timely warning and notification” system for cybersecurity incidents.
  • Greater investment in cybersecurity (including subsidies for cybersecurity companies, internet operators, etc.) and cybersecurity education.
  • The Cyberspace Administration of China (CAC) will review cybersecurity practices of key telecommunication operators, conduct regular emergency drills, and provide help in implementing the law. Employees must undergo background checks, and the CAC will review procurement.
  • User data for the key operators must be stored in China (if there’s a business imperative to store data overseas, they can apply for exceptions).
  • Collection and use of user data must “comply with the principles of legality, justice, and necessity” (遵循合法、正当、必要的原则) and operators must secure users’ agreement to have their data used. Data collected must be related to the service the Internet operator is providing. Collected user data must have adequate protections and data breaches must be responded to in a timely manner.

The foreign business community will be reading the law closely, trying to determine how the cybersecurity standards and procurement provisions will be implemented. The past few months will not give them great comfort, as Beijing has adopted a national security law and other provisions to make technology used in China “secure and controllable.”

Just weeks after the Strategic and Economic Dialogue ended, and months before President Xi Jinping’s visit to the United States, cybersecurity and information technology are becoming an even greater source of tension in the bilateral relationship.

Post a Comment No Comments

Post a Comment

CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR's guidelines and will be moderated prior to posting.

* Required