The new regulation, which was issued by the Ministry of Public Security last month and posted on its website Sunday, lays out how the Chinese government will monitor internet service providers to verify they are taking precautionary measures to ensure safety and security for people on their networks, as well as to protect national security and "social and public interests." It will take effect on November 1.
"What this regulation does is in one way… ensure that users aren't going to become victims of hacking due to company negligence, but it's also designed to more effectively implement China's censorship directives and its surveillance state," said William Nee, a China expert with Amnesty International.
The regulation gives public security authorities the ability to enter businesses, machine rooms and offices of ISPs, which can include anywhere from internet cafes to data centers. It requires managers to explain all of the items authorities inspect and to look up and copy all relevant information for them, and it empowers police to check on the ISP's network and information security, the South China Morning Post reported Friday.
Further, police agencies or internet security contractors are prohibited from sharing any information they do collect with a third party.
According to the Post, police will be checking for: "whether companies have kept a record of all user register information and their internet logs; if they have taken measures to prevent viruses and hacking; if they have taken precautionary measures against information that is banned from publication or transmission; and if they have provided technical support and assistance to the police in safeguarding national security, investigating terrorist activities or other crimes."
Police can, with advance notice and a promise not to affect operations, carry out remote detection of any network security vulnerabilities at a given ISP.
China's cybersecurity law took effect on June 1, 2017, building on a patchwork of existing rules to create a framework for regulating internet security — both for users and for the government.
While wide in scope, the law provides few details about how it's to be practically implemented. "That's obviously how Chinese laws go," Nee said. "First there is a big concept, then there is a sweeping law, and then implementing regulations will come in to flesh out the details."
The 2017 law requires companies to take steps to protect user data as well as their own systems, and requires sensitive information related to the country's national security to be stored on servers in Chinese territory. Failure to comply can earn violators some steep fines or even force them to suspend operations, Nikkei Asian Review noted.
However, Wu Han, a partner at law firm King and Wood Mallesons in Beijing, told the Post the new regulation didn't add much that was new. "The public security authorities have long conducted similar inspections on cybersecurity, and they have long had the authority to do so," he said, noting the police already have the duty to "supervise and manage security and protection work on computer information systems," as they do before big international events held in the country.
"More than 11,000 people have been arrested over the past two years on suspicion of violating personal information, which shows that Chinese authorities are making an effort to expose data abuse," Takafumi Ochiai, an attorney well-versed in Chinese regulation, told the Review.
"The Cybersecurity Law has relevant regulations on the content security of the internet," Zhu Wei, vice-chair of the Internet Research Center at China University of Political Science and Law in Beijing and an adviser to the Cyberspace Administration, told Sputnik in August 2017. "The service providers have failed to fulfill their legal responsibilities, as they continue to allow harmful information such as false rumors and pornographic content to exist on their platforms."