Student Reflections: Haining Xu
Boundary-Setting of Governmental Powers in China’s Cybersecurity Law: An Ongoing Process
By Haining Xu
Ph.D. candidate in Koguan Law School of Shanghai Jiao Tong University
The MIT-SJTU joint course has been the most unforgettable memory for me in the 2017 midsummer. During the five-day course, I experienced impressive cross-disciplinary and cross-cultural learning, which has widely broadened my horizon. One the last day, all the students were divided into several groups to discuss a final project: presenting to the “Joint Commission on CN-US Internet Policy Research and Dialogue.” My group consisted of a few Chinese students and an American student. In our discussion, we talked a lot about what the substantive questions and challenges are for the CN-US Internet Policy Dialogue. We have noticed that some multinational corporations which have achieved great success in US failed in China. And Google who dropped out from Chinese inland market in 2010 is a typical example. Google’s story is only the tip of the iceberg. Below the sea level, it indicates the discrepancies and conflicts of socio-cultural values for the two countries, especially regarding the role of governments in Internet policy. The class discussion made me delve deep into my thoughts to understand some recent big news and why it causes so much concerns for many multinational corporations.
China’s Cybersecurity Law takes effect on June1. This piece of legislation covers all presently key aspects in cybersecurity area. In cybersecurity area, three points are attracting the most attention: optional security of critical information infrastructure; personal data and privacy protection; and safeguarding national security and social and public interests.
However, since many articles are in vagueness which causes much uncertainty about enforcement and requirements in practice, the new Cybersecurity Law causes great concern for many enterprises, especially those multinational corporations who have engaged in the Chinese market for a long time. These enterprises are worrying about two aspects. First, it is quite confusing for them to design and implement a new enterprise-wide security strategy regarding the new Cybersecurity Law. Second, in their viewpoint, vagueness about key definitions, requirements of enforcement and ways of judging companies’ behaviors often means that the boundaries of government powers are undefined. And the Chinese supervisory departments with high authority would be likely to interpret the uncertain spaces of the Cybersecurity Law according to their own interests. Therefore, many multinational corporations are adopting a wait-and-see strategy. In a word, the most important question about China’s new cybersecurity law is how to define the boundaries of government powers.
As I’ll explain below, such concerns are totally understandable, however truly unnecessary in some degree. A more specific regulatory system is emerging over time. And boundary-setting of government powers in China’s Cybersecurity Law is an ongoing process, which makes sense for the following reasons.
The Supporting Legislative and Policy System of China’s Cybersecurity Law
Given the pressing circumstances and the need for cybersecurity protection, the new Cybersecurity Law mainly provides a systematic framework, fundamental principles and high-level standards for cybersecurity protection. And it aims to set up core concepts about pressing issues in cybersecurity protection.
The previous system of China’s cybersecurity laws and regulations was huge and decentralized on the whole. Cybersecurity Law is an important milestone in legislative history, however it is imperfect. That is to say, Cybersecurity Law should be understood in the context of related laws and legal documents.
- When the new Cybersecurity Law came into effect, three relevant legal documents took effect on the same day, which in some degree can be seen as extensions and supplements of some specific contents in the new Cybersecurity Law. Some articles of the three documents stipulate more clearly about government powers in some related areas.
Let’s look at each of these:
- Internet Information Content Management Administrative Law Enforcement Procedures issued by China’s State Internet Information Office.
This is the first procedural department regulation issued under Cybersecurity Law. Previously, the responsibilities of Internet information content management were relatively scattered. Now the Measure provides clear operational guidelines for administrative enforcement. Moreover, it not only aims to enhance the transparency of law enforcement, but also marks the Internet information content management law enforcement moving toward an era of “unified coordinated law enforcement”. The administrative departments shall strictly abide the stipulation of these procedures when they use their powers in each link of enforcement. In this way, enterprises don’t need to worry too much about a grey zone in administrative enforcement by government.
- Measures for network security products and services review (trial) issued by China’s State Internet Information Office.
According to these measures, the network and service of the network and information system that are related to national security shall be examined regarding Internet security. This measure aims to improve the safety and control of Internet products and services, which would guard against cyber security risks and to safeguard national security. The Procedures cover operational details including examination scope, examination content, examination institutions, network products and the service provider’s rights and obligations, and legal responsibility, etc. In this way, the detailed procedures refine the boundaries of government powers in administrative examination and enforcement, which make up the relating articles in Cybersecurity Law.
- Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens’ Personal Information. It is the first judicial interpretation on fighting against crimes related to a citizen’s personal information.
The Interpretation clarifies not only the scope of “personal information” but also the judicial standards of providing citizens’ personal information illegally. The citizen’s name, identification number, communication contact, address, account password, property status, whereabouts, and trajectory are included in the scope of personal information. Therefore, the government can define the object and scope of law enforcement precisely.
- Post-promulgation Era of Cybersecurity Law
According to the Director of the cyber security coordination bureau of the national Internet information office, relevant departments are working to draft a series of supporting regulations including critical information infrastructure protection measures, personal information and safety assessment method for important data export, key equipment and network security product items, etc. The national standardization department is working to organize the formulation of national standards for personal information safety. Overall, the work is progressing as planned. In subsequent supporting laws and regulations, numerous details are expected to specify the scope of government powers.
The Role of Government and the Value of Law in China
Let’s have a look at the role of government and the value of law in China. That may help us understand deeply how Chinese governmental powers are defined and limited by laws and regulations. For thousands of years, China was a country with vast territory and abundant resources, founded on agriculture basis, which highly demanded social stability. And rulers throughout Chinese history took the governance goal of social stability very seriously. In such a historical and social context, the prime objective for Chinese government is to stabilize social order. And law is absolutely a tool for solving social conflicts and disputes. As is widely known, Cybersecurity is of great concern for social stability and national interest. And it makes sense that Cybersecurity Law reflects strong regulatory philosophy. Strong regulations typically result in the governmental powers overstepping the boundaries, which may damage the interests of citizens and enterprises. In consequence, the design of legal articles should be prudent. With cybertechnology developing rapidly, cybersecurity laws and regulations need to be updated now and then. In this case, appropriate generality in Cybersecurity Law regarding specific and controversial issues could be a temporary expedient. And the legislators can make those controversial issues clear, including setting specific boundaries on governmental powers in other laws and policies. However, the temporary vagueness of legal provisions doesn’t mean that regulatory powers could be abused at the government’s interests.
A Possible Route to Clarify Boundaries of Governmental Powers
Focusing on the implementation of Cybersecurity Law, a multi-level mode of legislation should be adopted, to define boundaries of governmental powers in every aspect. This could decrease the vagueness effectively. Furthermore, accepting rationalization proposals from enterprises and citizens is very important since they are the most relevant stakeholders in setting boundaries.
For other Student Reflections or to see the Course Syllabus and Photos from the trip – see the Foundations of Internet Policy: a comparative perspective.Tags: China