Cybersecurity Policies in China

Jiang, Min

doi:10.1007/978-3-030-56405-6_5

CyberBRICS pp 183-226 | Cite as

Cybersecurity Policies in China

Authors
Authors and affiliations

Min Jiang

Chapter

First Online: 05 January 2021

193 Downloads

Abstract

Cybersecurity is a hotly debated concept worldwide with various policy dimensions. This chapter maps out China’s cybersecurity policies in five areas: personal data protection, consumer protection, cybercrime, threats to public order, and cyberdefense. It argues China is both cyber-ambitious and cyber-vulnerable. In an increasingly combative and conflict-prone world driven by the rivalry between powerful nations, alternative framework and strategies based on peace and cooperation are critical for solving myriad urgent cybersecurity problems.

This is a preview of subscription content, to check access.

Annex: Country Report – China

I. Data Protection

Scope

1. What national laws (or other type of normative acts) regulate the collection and use of personal data?

These mainly include the following categories:

National-level laws and decisions:

Criminal Law (1997) Amendment V (2005), VII (2009), and IX (2015)

Law of the People’s Republic of China on the Protection of Consumer Rights and Interests (1994) with Amendment in 2013

Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks (2012)

Cybersecurity Law of the People’s Republic of China (2017)

General Rules of the Civil Law of the People’s Republic of China (2017)

E-Commerce Law of the People’s Republic of China (2019)

Measures on Security Assessment of the Cross-Border Transfer of Personal Information (draft for comments, 2019)

Data Security Administrative Measures (draft for comments, 2019)

Judicial interpretations:

Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement on Citizens’ Personal Information (2017)

Administrative regulations:

Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013) issued by the Ministry of Industry and Information Technology

Measures on Security Assessment of the Cross-Border Transfer of Personal Information (June 13, 2019 draft) issued by the Cyberspace Administration of China

Industry standards:

Information Security Technology – Guidelines for the Protection of Personal Information in Public and Commercial Service Information Systems (GB/Z 28828-2012) (2013)

Information Security Technology – Personal Information Security Specification (GB/T 35273-2017) (2017)

Among them, the Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks (2012) is the earliest national law providing a broad legal framework for protecting personal data. The Cybersecurity Law of the PRC (2017) broadly regulates the collection, storage, transmission, and use of “personal information” by network operators and critical information infrastructure operators. Article 111 of the General Rules of the Civil Law of the PRC (2017) also broadly protects personal information. Personal Information Security Specification (GB/T 35273-2017) (2017), thereafter referred to as Specification (2017), is the most comprehensive interpretation of personal data regulations in China. However, the GDPR-like Specification (2017) is a technical standard to be followed voluntarily, not a compulsory law that one must comply with. A new draft (January 30, 2019) of the Specification is under consideration. The Cyberspace Administration of China (CAC) in 2019 also released a draft of Data Security Administrative Measures for public comment, thereafter referred to as Measures (2019). The Measures are consistent with other regulations and specifications in this area but, if approved, will be legally binding and have more enforcement power than the Specification.

2. Is the country a part of any international data protection agreement?

No.

3. What data is regulated?

Article 76 of the Cybersecurity Law of the PRC (2017) and Article 38.3 of the Measures (2019) define “personal information” as:

“all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity, including but not limited to natural persons’ full names, birth dates, national identification numbers, personal biometric information, addresses, telephone numbers, and so forth.”

Article 3.1 of the Specification (2017) defines “personal information” as:

“personal information, recorded by electronic or other means, that can be used, alone or combined with other information, to identify a specific natural person or reflect activities of a specific natural person.”

4. Are there any exemptions?

Yes. Article 8.5 of the Specification (2017) – Exemptions From Obtaining Authorized Consent Prior to Sharing, Transfer, and Public Disclosure of Personal Information – explains that the personal information controller does not need to obtain authorized consent from the personal information subject prior to sharing, transfer, or public disclosure of personal information in the following circumstances:

Those directly related to national security and national defense
Those directly related to public safety, public health, and significant public interests
Those directly related to criminal investigation, prosecution, trial, judgment enforcement, etc.
When safeguarding the major lawful rights and interests such as life and property of personal information subjects and other individuals and it is difficult to obtain consent from personal information subject;
When the personal information subject voluntarily opened the collected personal information to the general public
When the personal information is collected from legitimate public information channels, such as legitimate news reports and open government information

Article 27 of the Measures (draft, 2019) states the following exemptions:

The personal information was collected from legitimate and public channels in a manner that is not evidently against the will of the personal information subject.
The personal information has been made public by the personal information subject voluntarily.
The personal information has undergone anonymization.
The provision is necessary for law enforcement agencies to perform their duties in accordance with law.
The provision is necessary for the purposes of safeguarding national security, social and public interests, or the life and safety of the personal information subject.

5. To whom do the laws apply?

Article 2 of the Data Security Administrative Measures (2019 draft) states the law applies to entities that carry out “activities such as the collection, storage, transmission, processing, and use of data” as well as the protection, regulation, and administration of data security within China. The Measures (2019 draft) also states household and personal affairs are not covered by the law.

6. Do the laws apply to foreign entities that do not have physical presence in the country?

In general, no. However, in Appendix D “Privacy Policy Template” of the Specification (2017), Section 7 of the Appendix “How your information will be transferred globally” explains that for countries and territories without or with different personal data protection laws, China will provide at the bare minimum equal protection afforded to persons and entities within Chinese territory.

Further, Article 20 of the Measures on Security Assessment of the Cross-Border Transfer of Personal Information (draft, 2019) can have impact on foreign entities that collect data from Chinese subjects even though they don’t have physical presence in China:

“If the business activities of an organization located outside China result in the collection of personal information of domestic users through the Internet and other means, then that organization shall fulfil the responsibilities and obligations of network operators in these Measures through a legal representative or entity within the territory.”

Definitions

7. How are personal data defined?

Article 3.1 of the Specification (2017) defines “personal information” as follows:

All kinds of information, recorded by electronic or other means, that can be used, alone or combined with other information, to identify a specific natural person or reflect activities of a specific natural person.

8. Are there special categories of personal data (e.g., sensitive data)?

Yes. Article 3.2 of the Specification (2017) defines “personal sensitive information” as follows:

Personal information that, once leaked, illegally provided, or abused, can threaten personal and property security and/or easily cause personal reputational damage, physical and mental health damage, or discrimination.

9. How are the data controller and the data processor/operator defined?

Article 3.4 of the Specification (2017) defines “personal information controller” as follows:

An organization or individual that has the authority to determine the purposes and/or methods of the processing of personal information.

10. What are the data protection principles and how are they defined?

Article 4 of the Specification (2017) includes the following “Basic Principles of Personal Information Security”:

Personal information controllers should follow the basic principles below when processing personal information:

1)

Commensurability of powers and responsibilities principle: Bear responsibility for damage to the lawful rights and interests of the personal information subject caused by personal information processing.
2)

Purpose specification principle: Process personal information for legal, justified, necessary, and specific purposes.
3)

Consent principle: Obtain authorized consent from the personal information subject after expressly providing the personal information subject with the information including the purpose, method, scope, and rules of the processing.
4)

Minimization principle: Unless otherwise agreed by the personal information subject, only process the minimum types and quantity of personal information necessary for the purposes for which the authorized consent is obtained from the personal information subject. After the purposes have been achieved, the personal information should be deleted promptly according to the agreement.
5)

Openness and transparency principle: The scope, purposes, rules, etc. of personal information processing should be open to public in an explicit, intelligible, and reasonable manner, and outside supervision should be accepted.
6)

Ensuring security principle: Possess the appropriate security capacity taking into account the security risks [the controller] faces, and implement sufficient management and technical measures to safeguard the confidentiality, integrity, and availability of personal information.
7)

Subject participation principle: Provide the personal information subject with means to access, correct, and delete the personal information, to withdraw consent and to close accounts.

11. Does the law provide any specific definitions with regard to data protection in the digital sphere?

The law does not mention “digital sphere,” but it is generally understood that network and online activities engaged in “the collection, storage, transmission, processing, and use of data” occur in the digital sphere. The Data Security Administrative Measures (2019 draft) provides details for proper data collection, data processing, and use, as well as data security regulation and administration. Chapter 5 specifically provides definitions for “network operators,” “network data,” “personal information,” “personal information subject,” and “important data.”

Rights

12. Is the data protection law based on fundamental rights (defined in constitutional law or international binding documents)?

The Specification (2017) or Measures (draft, 2019) does not explicitly refer to the Chinese Constitution or international binding documents. “Introduction” of the Specification states the necessity for the Specification to also comply with other preexisting Chinese laws and regulations including all the rights and responsibilities of citizens outlined in Chap. 2 of the Constitution.

13. What are the rights of the data subjects according to the law?

Article 5.6 of the Specification (2017) states the data subject has the right to “access, correct, or delete data; to deactivate the account, to withdraw consent; to obtain a copy of the data; to restrain automated decision-making by the information system; etc.”

Article 7.7 of the Specification states the data subject has the right to “refuse to receive business advertisements delivered on the basis of their personal information.”

In Appendix D “Privacy Policy Template” of the Specification (2017), Section 5 “Your rights” specifies the following user rights:

1)

Access your personal information such as account information, search information, etc.
2)

Correct your personal information.
3)

Delete your personal information.
4)

Modify the scope of your consent such as the collection and use of extra personal information, and decline of business advertisements.
5)

Personal information subject deletes the account.
6)

Personal information subject obtains a copy of personal information.
7)

Restrain automated decision-making by the information system.
8)

Responds to the above requests.

II.

Obligations and Sanctions

14. What are the obligations of the controllers and processors/operators?

The main body of the Specification (2017) lays out in detail the obligations for “personal information controllers”: the collection of personal information (in Article 5); retention of personal information (in Article 6); use of personal information (in Article 7); processing, sharing, transfer, and public disclosure of personal information (in Article 8); as well as the handling of personal information during security incident (in Article 9).

Article 6 of the Measures (draft, 2019) states:

“Network operators must perform their obligations to protect data security, establish an accountability and assessment system for data security management, formulate data security plans, implement technical safeguards for data security, conduct data security risk assessments, formulate emergency response plans for cyber security incidents, promptly deal with security incidents and organize data security education and training.”

15. Is notification to a national regulator or registration required before processing data?

Yes, operators are expected to obtain approval for cross-border data transfer from provincial-level office of the Cyberspace Administration of China (CAC) according to Measures on Security Assessment of the Cross-Border Transfer of Personal Information (see Question #24 for this section).

16. Does the law require privacy impact assessment to process any category of personal data?

Yes. Article 10.2 of the Specification (2017) details the process of “carrying out personal information security impact assessments.” It should be understood however that compliance with the entire Specification is voluntary, not mandatory.

17. What conditions must be met to ensure that personal data are processed lawfully?

The explicit authorization and consent by the personal information subject is required.

Article 9 of the Measures (draft, 2019) states:

“Where the rules for the collection and use of personal information are included in a privacy policy, such rules shall be relatively focused with clear instructions for ease of understanding. In addition, network operators may collect personal information only if the user is aware of and explicitly consents to such rules.”

Article 5.3 of the Specification (2017) states that:

“Prior to the collection of the personal information, clearly provide the information subject with the following information and obtain the authorized consent from the personal information subject: the respective types of the personal information collected by different operational functions of the products or services; the rules of collecting and using the personal information (e.g., purpose of collection and use; manner and frequency of collection; storage location; storage period; [the controller’s] data security capabilities; information related to sharing, transferring, and public disclosure; etc.).”

18. What are the conditions for the expression of consent?

Article 3.6 defines “explicit consent” as:

“The explicit authorization by the personal information subject of specific personal information processing through a written statement or an affirmative action on the personal information subject’s own initiative.”

Note: Affirmative action includes the personal information subject, on his or her initiative, making a statement (in electronic form or on paper), checking a box, or clicking “agree,” “sign up,” “send,” “dial,” etc.

19. If the law foresees special categories of data, what are the conditions to ensure the lawfulness of processing of such data?

The Specification (2017) calls attention to “sensitive information” (defined in Article 3.2). It details in Article 5.5 the “explicit consent for collection of personal sensitive information” as well as the requirements for “personal sensitive information transfer and storage” in Article 6.3.

20. What are the security requirements for collecting and processing personal data?

As a basic principle of personal information security, Article 4 of the Specification (2017) states that information controllers should possess the appropriate security capacity to address potential security risks and implement sufficient management and technical measures to safeguard the confidentiality, integrity, and availability of personal information.

In terms of organizational arrangements, Article 10.1 states responsible departments and personnel should be designated to take measures to protect personal information including security assessment, training, and audits.

Article 10.2 spells out the details regarding “carrying out personal information security impact assessments.”

Article 10.3 asks information controllers to establish data security capabilities.

Article 10.4 specifies the main aspects of managing and training personnel for information security.

Article 10.5 spells out the requirements for security audits.

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

Yes. Article 37 of the Cybersecurity Law of the People’s Republic of China (2017) specifies:

“Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China.”

22. What are the requirements for transferring data outside the national jurisdiction?

Article 37 of the Cybersecurity Law (2017) specifies:

“Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.”

The draft of a new law regulating cross-border personal data transfer – Measures on Security Assessment of the Cross-Border Transfer of Personal Information – specifies that network operators must apply for security assessment for cross-border transfer of personal data from the provincial-level cybersecurity regulator (provincial branch of Cyber Administration of China).

23. Are data transfer agreements foreseen by the law?

So far, China is not part of any international treaty for personal data/information protection. Its Cybersecurity Law (2017) recognizes the need for cross-border data transfer and asks information controllers to follow relevant laws to conduct security assessment (Article 37).

The Cyber Administration of China issued a draft of Measures on Security Assessment of the Cross-Border Transfer of Personal Information in 2019 for public comments for protecting the cross-border transfer of personal information. Article 20 of the new Assessment specifies:

“If the business activities of an organization located outside China result in the collection of personal information of domestic users through the Internet and other means, then that organization shall fulfil the responsibilities and obligations of network operators in these Measures through a legal representative or entity within the territory.”

24. Does the relevant national regulator need to approve the data transfer agreements?

Yes. Article 37 of the Cybersecurity Law (2017) specifies:

“Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatisation departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.”

The draft of a new law regulating cross-border personal data transfer – Measures on Security Assessment of the Cross-Border Transfer of Personal Information – specifies that network operators must apply for security assessment for cross-border transfer of personal data from the provincial-level cybersecurity regulator (provincial branch of Cyber Administration of China).

25. What are the sanctions and remedies foreseen by the law for not complying with the data transfer obligations?

For noncompliance, either by “storing network data outside the mainland territory or providing network data to those outside of the mainland territory,” Article 66 of the Cybersecurity Law (2017) states punishments can include:

Fines between 50,000 and 500,000 RMB
Temporary suspension of operations
Suspension of business for corrective measures
Closing down of websites
Revocation of relevant operations permits or cancellation of business licenses
Fines between RMB 10,000 and 100,000 for responsible personnel.

Amendment IX to the Criminal Law of the PRC (2015) also states:

“Any network service provider that fails to perform the information network security management obligation as prescribed in any law or administrative regulation and refuses to make corrections after being ordered by the regulatory authority to take correction measures shall be sentenced to imprisonment of not more than three years, criminal detention or surveillance in addition to a fine or be sentenced to a fine only under any of the following circumstances:

Causing the spread of a large amount of illegal information
Causing the leakage of users’ information, with serious consequences
Causing the loss of criminal case evidence, with serious circumstances
Any other serious circumstance.

Where an entity commits the crime as provided for in the preceding paragraph, a fine shall be imposed on it, and its directly responsible person in charge and other directly liable persons shall be punished in accordance with the provisions of the preceding paragraph.”

III.

Actors

26. What actors are responsible for the implementation of the data protection law?

Actors responsible for the implementation of the data protection provisions are not specified in the law or the Specification (2017).

27. What is the administrative structure of actors responsible for the implementation of the data protection law (e.g., independent authority, executive agency, judiciary)?

Not specified, but operators are expected to obtain approval for cross-border data transfer from the Cyberspace Administration of China (CAC) according to Measures on Security Assessment of the Cross-Border Transfer of Personal Information (see Question #24 above).

28. What are the powers of the actors responsible for the implementation of the data protection law?

Not specified. Overall, the Cybersecurity Law of the PRC (2017) broadly regulates the collection, storage, transmission, and use of “personal information” by network operators and critical information infrastructure operators. The country’s top cyber policymaking body, Cyberspace Administration of China (CAC), coordinates cybersecurity work including personal data protection laws.

IV. Consumer Protection

Scope

29. What national laws (or other type of normative acts) regulate consumer protection?

The following laws and policies regulate consumer protection:

National-level laws:

Law of the People’s Republic of China on the Protection of Consumer Rights and Interests (passed in 1994, amendments in 2009 and 2013)

Advertising Law of the People’s Republic of China (passed in 1995, revisions in 2015)

E-Commerce Law of the People’s Republic of China (2018)

Judicial opinions:

Ten Model Cases Involving the Protection of Consumer Rights Issued by the Supreme People’s Court (2014)

Ten Model Cases of Consumers’ Rights Protection Published by the Supreme People’s Court (2015)

Eight Model Cases involving Procuratorial Organs’ Cracking down on Crimes Infringing on Consumers’ Rights and Interests Published by the Supreme People’s Procuratorate (2019)

Administrative regulations:

Guiding Opinions of the General Office of the State Council on Strengthening the Protection of Financial Consumers’ Rights and Interests (2015)

Letter of the General Office of the State Council on Approval of the Establishment of the Inter-Ministerial Joint Meeting System for the Protection of Consumer Rights and Interests (2016)

30. Is the country a part of any international consumer protection agreement?

The China Consumer Association joined the non-for-profit international organization – International Organization of Consumers Unions – in 1987. As a UN member state, China abides by the United Nations Guidelines for Consumer Protection (2016).

31. To whom do consumer protection laws apply?

The Law of the PRC on the Protection of Consumer Rights and Interests (1994) applies to consumers and business operators. The Advertising Law of the People’s Republic of China applies to business operators and service providers that advertise their products and services. The E-Commerce Law (2018) applies to e-commerce activities in Chinese territories.

32. Do the laws apply to foreign entities that do not have physical presence in the country?

No.

Definitions

33. How is consumer protection defined?

The Law of the PRC on the Protection of Consumer Rights and Interests (1994) declares that: “The State shall protect consumers’ legal rights and interests against infringement.”

34. How are consumers defined?

The Law of the PRC on the Protection of Consumer Rights and Interests (1994, with 2013 amendment) does not clearly define “consumer.” In most circumstances, the law applies to natural persons within Chinese territory, not companies or legal persons.

35. How are providers and producers defined?

The Law of the PRC on the Protection of Consumer Rights and Interests (1994, with 2013 amendment) does not provide an explicit definition for providers or producers. In the context of the law, a provider or producer is “a business operator providing a commodity or service to a consumer.”

36. Does the law provide any specific definitions with regard to consumer protection in the digital sphere?

Article 25 and 28 of the Law of the PRC on the Protection of Consumer Rights and Interests (1994, with 2013 amendment) acknowledge the increasing frequency of online transactions and provide general guidelines for business operations and resolutions of related disputes, but it does not provide specific definition with regard to consumer protection in the digital sphere.

The new E-commerce Law (2018) extends the protection of consumer rights and interests to e-commerce activities in Chinese territory. It defines a number of relevant concepts including “e-commerce,” “e-commerce operators,” “e-commerce platform operators,” and “operators on platform” who are accorded different rights and obligations.

Rights

37. Is the Consumer Protection Law based on fundamental rights (defined in constitutional law or international binding documents)?

Neither the Law of the PRC on the Protection of Consumer Rights and Interests (1994, with 2013 amendment) nor the new E-commerce Law (2018) references the Chinese Constitution or other international binding documents. However, as a UN member state, China abides by the United Nations Guidelines for Consumer Protection (2016). The drafting of the new E-commerce Law also invited commentary from the United Nations Commission on International Trade Law (UNCITRAL), the USA, the European Union, Germany, Singapore, Japan, etc.

38. What are the rights of the consumer defined by the law with reference to digital goods and services?

Article 25 of the Law of the PRC on the Protection of Consumer Rights and Interests (2013 amendment) excludes the return of digital goods and services from the list of commodities that can be returned within 7 days of transactions.

Article 2 of the E-commerce Law of the PRC (2018) specifies that: “This Law shall not apply to financial products and services, or services providing news and information, audio and video program, publication and cultural products through information network.” The law covers tangible goods sold online as well as certain digital goods and services such as software, apps, or platforms (e.g., ridesharing, online payment). Presumably the transaction of digital content products such as online news, e-books, digital music, and online games falls under the E-commerce Law (2018), whereas the legitimacy of digital content to be made available to consumers is under the purview of content regulators like CAC or the State Administration of Radio, Film and Television (SARFT).

Various articles of the E-commerce Law of the PRC (2018) declare to protect a wide range of consumer rights and interests such as (only a sample):

1)

The right to accurate information and selection of products and services (Article 17)
2)

The right to search results of products and services not based on consumer characteristics (Article 18)
3)

The right to having bundled goods or services as an option rather than as a default (Article 19)
4)

The right to agreed-upon modes and means of delivery of goods and services with online sellers and platforms (Article 20)
5)

The right to refund of deposits (Article 21)
6)

The right to safety, accuracy, correction, and removal of personal information (Articles 23, 24, and 25)
7)

The right to easy access to service agreements and transaction rules on e-commerce platforms (Article 33)
8)

The right to provide feedback to amendments to platform agreement and transaction rules (Article 34)
9)

The right to personal and property safety, free from harm as a result of platform operators knowingly selling faulty goods or products (Article 38)
10)

The right to product or service reviews where platforms are forbidden to remove customer reviews (Article 39)
11)

The right to “advertised” products or services clearly labeled in search result displays (Article 40)
12)

The right to clear, comprehensive, and accurate information about establishing a contract (Article 50)

39. Is Consumer Protection Law applicable to users of zero-price services, i.e., free of charges?

No.

Obligations and Sanctions

40. Does the law establish specific security requirements to provide digital services or goods?

Article 30 of the E-commerce Law (2018) requires platform operators to provide network security, ensure transaction safety, prevent cybercrimes, and report incidents promptly to relevant authorities.

Article 38 of the E-commerce Law (2018) requires platform operators to conduct due diligence to ensure the safety of consumers and their property. If found irresponsible, for instance, knowingly selling faulty goods or products, platform operators could assume partial responsibility.

Article 54 of the E-commerce Law (2018) requires platform operators to comply with government requirements regarding electronic payment safety and assume responsibility as a result of harm to consumers.

Article 57 of the E-commerce Law (2018) requires platform operators to take precautions to secure consumer passwords, electronic signatures, and other security measures and be liable to losses proportional to their responsibility.

41. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

In principle, Section 7 of the Law of the PRC on the Protection of Consumer Rights and Interests (1994, with 2013 amendment) outlines the sanctions and remedies foreseen by the law regarding noncompliance.

Section 6 of the E-commerce Law (2018) also specifies the sanctions and remedies pertaining to e-commerce, online transaction, and digital goods and services.

Actors

42. What bodies are responsible for the implementation of the Consumer Protection Law?

Article 32 of the Law of the PRC on the Protection of Consumer Rights and Interests (1994, with 2013 amendment) specifies the Administrative Department for Industry and Commerce to be the main department to lead the implementation of the Consumer Protection Law.

Article 6 of the E-commerce Law (2018) requires local governments above the county level to establish the division of duties concerning e-commerce regulation. A newly created department in 2018 – State Administration for Market Regulation – is tasked to coordinate e-commerce regulation efforts.

43. Is there a specific consumer protection body? If so, what is its administrative structure?

The State Administration for Market Regulation (SAMR) has the regulatory authority over a broad umbrella of areas including market competition, monopoly, intellectual property, drug safety, and standardization. Consumer protection now falls under its purview as it oversees the operations of nonprofit organizations such as China Consumer Association and China Association for Consumer Products Quality and Safety Promotion. The Department of Online Transaction Regulation under the SAMR is tasked to supervise e-commerce.

44. What are the powers of the bodies responsible for the implementation of the consumer protection law?

The Department of Online Transaction Regulation under the SAMR is tasked to formulate and implement institutional measures to regulate online commodity transactions and related services; enforce law in the online market; organize and guide the standardized management of online transaction platforms and online operators; monitor online markets; supervise, manage, and coordinate the administrative contracts and auctions according to law; and guide the construction of the consumption environment.

V.

Cybercrime

Scope

45. What national laws (or other type of normative acts) regulate cybercrime?

Cybercrime in China is regulated by a series of laws and policies at the following levels:

National-level laws and decisions:

1)

Articles 253-1, 285, 286, and 287 of the Criminal Law (1997)
2)

Amendments VII (2009) and IX (2015) to the Criminal Law
3)

Decision of the Standing Committee of the National People’s Congress on Preserving Computer Network Security (2000)
4)

Decision of the Standing Committee of the National People’s Congress on Strengthening Information Protection on Networks (2012)
5)

Anti-terrorism Law of the People’s Republic of China (2015)
6)

Cybersecurity Law of the People’s Republic of China (2017)

Judicial interpretations:

7)

Interpretations (II) of Several Issues on the Specific Application of Law in the Handling of Criminal Cases about Producing, Reproducing, Publishing, Selling and Disseminating Pornographic Electronic Information via the Internet, Mobile Communication Terminals and Sound Message Stations (2010)
8)

Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Internet Gambling (2010)
9)

Interpretations on Several Issues concerning the Application of Law in Hearing Civil Dispute Cases Involving Infringement of the Right of Dissemination on Information Networks (2012)
10)

Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Specific Application of Law in the Handling of Defamation through Information Networks and Other Criminal Cases (2013)
11)

Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014)
12)

Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement on Citizens’ Personal Information (2017)

Ministerial regulations:

13)

Measures for Security Protection in the Administration of the International Networking of Computer Information Networks (1997) issued by the Ministry of Public Security
14)

Regulations on Internet Security Supervision and Inspection by Public Security Organs (2018) issued by Ministry of Public Security
15)

Rules of Obtainment of Electronic Data as Evidence by Public Security Authorities in Handling Criminal Cases (2019) issued by the Ministry of Public Security

46. Is the country a part of any international cybercrime agreement?

Yes. As a member state of the Shanghai Cooperation Organization, China agreed in 2012 at a Meeting of the Council of Heads of Government of the Member States to participate in efforts to fight against terrorism, separatism, extremism, and international cybercrime. China is also a member of the Interpol.

47. What cybercrimes are regulated?

First, cybercrime is covered under the Criminal Law (1997) and two amendments (VII and IX) including the following offenses, mainly:

1)

Illegally infringing on or selling personal information resulting in serious harm (Article 253-1)
2)

Illegally accessing computer systems to interfere with state affairs, defense, and cutting-edge technology areas (Article 285)
3)

Illegally accessing, changing, or controlling data held on computer systems (Article 285)
4)

Providing programs and tools to access or illegally control computer systems (Article 285, Amendment VII)
5)

Disabling or destroying computer systems (Article 286)
6)

Deleting and modifying memory, data transmission, and programs in computer systems resulting in damage (Article 286)
7)

Intentionally creating and disseminating computer virus resulting in damage (Article 286)
8)

ISPs repeatedly failing to fulfill their responsibility to safely manage information and network security according to laws and administrative regulations resulting in wide spread of illegal information, serious data leak, serious loss of criminal evidence, and other serious situations (Article 286-1, Amendment IX)
9)

Committing various crimes using computers including financial fraud, theft, corruption, embezzlement of public funds, and stealing state secrets (Article 287)
10)

Creating websites or online groups to commit fraud, teach methods of committing crimes, and make and sell goods forbidden by law (Article 287-1, Amendment IX)
11)

Distributing information about making or selling illegal drugs, guns, pornography, and other prohibited products (Article 287-1, Amendment IX)
12)

Distributing information to facilitate illegal activities such as fraud (Article 287-1, Amendment IX)
13)

Being an accomplice to computer crimes resulting in serious damage, e.g., providing Internet access, server custody, network storage, communication transmission, or any other technical support or providing advertising and payment settlement (Article 287-1, Amendment IX)
14)

An entity committing any crime described above (Article 287-2, Amendment IX)
15)

Fabricating or deliberately spreading, on the Internet or other media, false information regarding dangerous situations, epidemics, disasters, or police emergencies, which seriously disturb social order (Article 291-1, Amendment IX)

Cybersecurity Law (2017) carries articles similar to the above. In addition, a series of judicial interpretations provide detailed explanations for online pornography, online defamation, online gambling, and infringements of right to disseminate information online.

48. To whom do the laws apply?

Provisions dealing with cybercrime are in the Criminal Law. Hence, the jurisdiction principles for the Criminal Law (see Articles 6 to 11) apply to cybercrime.

49. Do the laws apply to foreign entities that do not have physical presence in the country?

Yes, in some instances. Article 8 of the Criminal Law states:

“This law may be applicable to foreigners, who outside PRC territory, commit crimes against the PRC state or against its citizens, provided that this law stipulates a minimum sentence of not less than a three-year fixed term of imprisonment for such crimes; but an exception is to be made if a crime is not punishable according the law of the place where it was committed.”

Definitions

50. How is cybercrime generally defined by the national law?

While the Criminal Law outlines different types of cybercrime, in the Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014), cybercrime is defined as:

1)

Cases concerning crimes of endangering the security of a computer information system
2)

Cases concerning crimes of theft, fraud, and extortion that are committed by endangering the security of a computer information system
3)

Cases concerning crimes of publishing information on the network or establishing a website or a communication group mainly for committing crimes, committing crimes on an unspecific majority of people, or organizing, instigating, or assisting an unspecific majority of people in committing crimes
4)

Other cases in which major criminal activities are committed on the network

51. What are the cybercrimes provided for by the law and how are they defined?

No specific definitions are provided for various cybercrimes. See the answer to Question 3 in this section on cybercrime.

52. How is a computer system defined?

There is no specific definition for “computer system.” However, Article 76-1 of the Cybersecurity Law (2017) defines “network” as: “a system comprised of computers or other information terminals and related equipment that follows certain rules and procedures for information gathering, storage, transmission, exchange, and processing.”

53. How are computer data defined?

There is no specific definition for “computer data.” However, Article 76-4 of the Cybersecurity Law (2017) defines “network data” as: “all kinds of electronic data collected, stored, transmitted, processed, and produced through networks.”

54. How are forensic data defined?

Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014) defines “forensic data” as two types of data during cybercrime investigations:

1)

Electronic data that can be displayed directly such as electronic documents, images, and webpages
2)

Electronic data that cannot be displayed directly such as computer programs, tools, and virus in computer information systems illegally attacked and controlled

55. How are service providers defined?

No, but Article 76-3 of the Cybersecurity Law (2017) defines “network operators” as “network owners, managers, and network service providers.”

56. Does the national law provide any other definitions instrumental to the application of cybercrime legislation?

No.

Rights

57. Is the cybercrime law based on fundamental rights (defined in constitutional law or international binding documents)?

Cybercrime laws in China do not explicitly reference the Chinese Constitution or international binding documents.

58. What are the rights of the victim and the accused?

Rights of the victim and accused should comply with other preexisting Chinese laws and regulations, including all the rights and responsibilities of citizens outlined in Chap. 2 of the Constitution.

Procedures

59. Is there a specific procedure to identify, analyze, relate, categorize, assess, and establish causes associated with forensic data regarding cybercrimes?

Section 5 (Articles 13-18) of the Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014) and Rules of Obtainment of Electronic Data as Evidence by Public Security Authorities in Handling Criminal Cases (2019) outlines the detailed procedure to obtain forensic data regarding cybercrime.

60. In case of transnational crimes, how is cooperation between the national law enforcement agency and the foreign agents regulated?

Although China is not a part or observer of the Budapest Convention (or Convention on Cybercrime), it is a signee of the World Intellectual Property Organization Copyright Treaty (WIPO Copyright Treaty) in 1985 and the UN Convention Against Transnational Organized Crime in 2000.

In addition, China actively explores regional (e.g., through Shanghai Cooperation Organization) and international (e.g., through UN anti-crime framework) avenues to seek cooperation against transnational crimes including cybercrime. Through the Shanghai Cooperation Organization, China actively pursues avenues to conduct cybersecurity exercises.

61. Are there any exception to the use of mutual legal assistance procedure to investigate the crime?

According to Article 14 of the International Criminal Judicial Assistance Law of the People’s Republic of China (2018), mutual legal assistance can be refused in the following circumstances:

1)

According to the laws of the People’s Republic of China, the requested act is not a crime.
2)

At the time of receipt of the request, the inquiry, investigation, prosecution, and trial of the crime in the request are under way within the territory of the People’s Republic of China, an effective judgment has been made, the criminal procedure has been terminated, or the limitation of the offense has expired.
3)

The crime against which the request is made is a political offense.
4)

The crime against which the request is made is purely a military offense.
5)

The purpose of the request is to examine, investigate, prosecute, sue, or execute a sentence based on race, ethnicity, religion, nationality, gender, political opinion, or identity, or the parties may be unfairly treated for the above reasons.
6)

There is no substantive link between the requested matter and the case of assistance.
7)

Other circumstances under which the request can be refused.

62. Does the national law require the use of measures to prevent cybercrimes? If so, what are they?

Apart from specifying punishments for various parties implicated in cybercrime through the Criminal Law and other related laws to deter cybercrime (see Question #3), China’s national law (e.g., Cybersecurity Law) also requires network owners, operators, and ISPs to bolster cybersecurity measures and report crimes. In addition, Article 24 of the Cybersecurity Law (2017) effectively implements the “real-name registration” policy requiring users to provide real identity information to network operators upon signing agreements for products and services online.

Obligations and Sanctions

63. What obligations do law enforcement agencies have to protect the data of the suspect, the accused, and the victim?

Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement on Citizens’ Personal Information (2017) provides legal protection for citizens’ personal information investigated in criminal cases.

More specifically, according to Rules of Obtainment of Electronic Data as Evidence by Public Security Authorities in Handling Criminal Cases (2019) issued by the Ministry of Public Security, law enforcement agencies protect “state secrets, police work secrets, trade secrets, individual privacy, and confidentiality” (Article 4), while collecting and processing forensic electronic data. Procedurally, for instance, two or more inspectors are supposed to gather electronic evidence supervised by technical experts (Article 6), ask data owners or witnesses to provide signature when appropriate (Article 9), and so on.

64. What are the duties and obligations of the national prosecuting authorities in cases of cybercrime?

Opinions of the Supreme People’s Court, the Supreme People’s Procuratorate, and the Ministry of Public Security on Several Issues concerning the Application of Criminal Procedures in the Handling of Cyber Crime Cases (2014) outlines the duties of the Supreme People’s Procuratorate, China’s national prosecuting authorities in terms of jurisdiction (Article 2), data collection and prosecution (Article 5), and its relationships with the court and the police.

65. Does the law impose any obligations on service providers in connection with cybercrime?

Network operators are obliged under the Cybersecurity Law (2017) to keep logs for no less than 6 months. Operators are also expected to report cybercrime threats, attacks, and breaches to relevant authorities, initiate contingency plans, and take remedial measures (Article 25).

66. To which extent can a legal person be held liable for actions in connection with cybercrimes?

Depending on the cybercrime, the relevant offense may incur a penalty of life imprisonment and/or a maximum fine of 500,000 RMB (Articles 285, 286, and 287 of the Criminal Law). Under the Cybersecurity Law (2017), engaging in activities that jeopardize cybersecurity, or providing programs or tools specifically used to engage in activities that jeopardize cybersecurity, is punishable by a fine of up to 500,000 RMB.

Actors

67. What bodies implement the cybercrime legislation?

Presumably a wide range of governmental actors are involved in implementation including Ministry of Public Security, the Supreme Court, the Supreme People’s Procuratorate, State Security, and Cyber Administration of China (the country’s top authority of cybersecurity). More specifically, Regulations on Internet Security Supervision and Inspection by Public Security Organs (2018) issued by the Ministry of Public Security gives police forces considerable latitude to inspect network operators, Internet service providers, and organizational users to prevent cybercrime.

68. Is there a special public prosecutor office for cybercrime? If so, how is it organized?

Article 6 of the People’s Police Law of the People’s Republic of China (1995) assigns the police to protect the security of computer information systems. Between 2015 and 2017, the Ministry of Public Security has quickly established 1116 “cybersecurity police units” including “level one” units within major Chinese Internet companies such as Baidu, Tencent, and Sina tasked mainly to police online content and prevent cybercrime.

69. Does the cybercrime legislation create any specific body?

No.

VI.

Public Order

Definitions

70. How are public order, threats to public order, and the protection of public order defined?

Public order is not clearly defined in the Chinese Constitution, National Security Law of the PRC (2015), Cybersecurity Law of the PRC (2017), Emergency Response Law of the PRC (2006), or Measures for Security Protection Administration of the International Networking of Computer Information Networks (1997).

Article 5 of the Measures specifically forbids individuals to use the Internet to create, replicate, retrieve, or transmit information which “fabricates or distorts the truth, spreads rumors, and disturb public order.”

Article 3 of the Emergency Response Law of the PRC (2006) defines “emergency incidents” as threats to public order in general that demand management:

“An emergency incident as mentioned in this Law shall refer to a natural disaster, accidental disaster, public health incident or social safety incident, which takes place by accident, has caused or might cause serious social damage and needs the adoption of emergency response measures.”

Further, the Cybersecurity Law (2017) has mandated the establishment of an emergency monitoring and response information communication system (see Chap. 5).

71. Is the protection of public order grounded in constitutional norms?

Article 28 of the Constitution of the PRC states:

“The state maintains public order and suppresses treasonable and other counter-revolutionary activities; it penalizes criminal activities that endanger public security and disrupt the socialist economy as well as other criminal activities; and it punishes and reforms criminals.”

Measures

72. What cyber measures address threats to public order?

Article 12 of the Cybersecurity Law states:

“Any person and organization using networks shall abide by the Constitution and laws, observe public order, and respect social morality; they must not endanger cybersecurity, and must not use the Internet to engage in activities endangering national security, national honour, and national interests; they must not incite subversion of national sovereignty, overturn the socialist system, incite separatism, break national unity, advocate terrorism or extremism, advocate ethnic hatred and ethnic discrimination, disseminate violent, obscene, or sexual information, create or disseminate false information to disrupt the economic or social order, or information that infringes on the reputation, privacy, intellectual property or other lawful rights and interests of others, and other such acts.”

Article 58 of the Cybersecurity Law states:

“To fulfil the need to protect national security and the social public order, and to respond to the requirements of major security incidents within the society, it is possible, as stipulated or approved by the State Council, to take temporary measures regarding network communications in a specially designated region, such as limiting such communications.”

Actors

73. What public authorities are responsible for the implementation of the surveillance techniques?

The law does not make explicit reference to nationwide surveillance measures, but the Cybersecurity Law (2017) establishes institutional structures and procedures to monitor and provide early warning and emergency responses to cybersecurity incidents (see Section 5).

74. What are the obligations of these public authorities?

In general, Chinese laws give public authorities great power to implement surveillance systems in the name of cybersecurity.

Article 8 of the Cybersecurity Law (2017), for instance, states:

“State departments of cyber administration are responsible for comprehensively planning and coordinating cybersecurity efforts and related supervision and management efforts. The State Council departments for telecommunications, public security, and other relevant organs, are responsible for cybersecurity protection, supervision, and management efforts within the scope of their responsibilities, in accordance with the provisions of this Law and relevant laws and administrative regulations.”

75. Can private actors be involved in the implementation of cyber measures to address threats to public order?

Private network operators and service providers are encouraged to self-regulate.

Article 28 of the Cybersecurity Law (2017) states: “Network operators shall provide technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law.”

Article 50 of the Cybersecurity Law (2017) specifies that state authorities can order network operators to stop the transmission of information prohibited by law both inside and from outside Chinese territories:

“State departments of cyber administration and relevant departments will perform network information security supervision and management responsibilities in accordance with law; and where they discover the publication or transmission of information which is prohibited by laws or administrative regulations, shall request that network operators stop transmission, employ disposition measures such as deletion, and store relevant records; for information described above that comes from outside the mainland People’s Republic of China, they shall notify the relevant organization to adopt technical measures and other necessary measures to block transmission.”

5.

Cyberdefence

Scope

76. Is there a national cyberdefence strategy or is cyberdefence mentioned in the national defense strategy?

Cyberdefence in China is regulated by a series of laws and policies at the following levels:

National-level laws:

1)

National Security Law of the People’s Republic of China (2015).

National strategies:

2)

China’s Military Strategy (2015), white paper released by the State Council Information Office of the PRC
3)

International Strategy of Cooperation on Cyberspace (2016) released by CAC
4)

China National Cyberspace Security Strategy (2017) released by CAC
5)

China’s National Defense in the New Era (2019), white paper released by the State Council Information Office of the PRC

77. What is the legal status of the national defense or cyberdefence strategy?

National Security Law of the PRC was passed in 2015 as an overarching framework for China’s security policies. The Cyberspace Administration of China (CAC) also released two sets of prominent strategies for international and domestic cyberspace security (see above). Two white papers, China’s Military Strategy (2015) and China’s National Defense in the New Era (2019), provide more details of China’s assessment of the current security situation as well as China’s defense missions, reforms, and spending. More recently, industry standards have been developed to implement and conduct security review for network products and services including Cybersecurity Review Measures (2019 draft) and Information Security Technology: Baseline for Classified Protection of Cybersecurity (2019).

78. What national laws or other normative acts regulate cyberdefence in the country?

Counterterrorism Law of the People’s Republic of China (2016)

79. Is the country part of any international cooperation agreement in the sphere of cyberdefence?

Through the Shanghai Cooperation Organization, China signed an agreement with member states including Russia on cooperation in the field of international information security to confront terrorism, separatism, and extremism.

80. Does the national cyberdefence strategy provide for retaliation?

No.

81. Is there any specific framework regulating threats to critical infrastructure?

Two have been drafted and under revisions:

1)

Regulation on the Protection of the Security of Critical Information Infrastructure (draft, 2017)
2)

Information Security Technology: Security Controls of Critical Information Infrastructure (draft, 2018)

Definitions

82. How are national security and national defense defined?

National Security Law of the PRC (2015) defines national security as “a status in which the regime, sovereignty, unity, territorial integrity, welfare of the people, sustainable economic and social development, and other major interests of the state are relatively not faced with any danger and not threatened internally or externally and the capability to maintain a sustained security status.”

National defense is not clearly defined.

83. How are cybersecurity and cyberdefence defined?

Cybersecurity Law of the PRC (2017) defines “cybersecurity” as “taking the necessary measures to prevent cyberattacks, intrusions, interference, destruction, and unlawful use, as well as unexpected accidents, to place networks in a state of stable and reliable operation, as well as ensuring the capacity for network data to be complete, confidential, and usable.”

“Cyberdefence” is not defined.

84. How are threats to national security and cyberthreats defined?

No.

85. How is a cyberattack defined?

The specifications of definition and description for network attack (2017) defines cyberattack as:

“An act that uses computers, routers and other network equipment to takes advantage of loopholes and security deficiencies in a network in order to steal, revise, and destroy information in storage or transmission; to slow down or intercept network services; or to damage, destroy or control network infrastructures” (Article 4).

86. Does the national law provide any other definitions instrumental to the application of cyberdefence legislation?

Article 76 of the Cybersecurity Law of the PRC (2017) provided definitions for “network,” “network security,” “network operator,” “network data,” and “personal information.”

National Framework

87. Is cyberdefence grounded on the constitutional provisions and/or international law?

It is not explicitly stated in the related legal documents but generally assumed that cyberdefence is part of national defense and is grounded in the Chinese Constitution.

88. Which specific national defense measures are related to cybersecurity?

Article 25 of the National Security Law of the PRC (2015) provides general language about the importance of cyberdefence.

The Cybersecurity Law of the PRC (2017) provides general guidance for cybersecurity, but not cyberdefence per se. Different chapters of the law address state support and promotion for network security; guidelines for network operators, critical infrastructure, and network information security; cybersecurity monitoring, forecasting, and emergency response; and legal responsibility of different actors.

89. Is there a national defense doctrine and does the law or strategy refer to it?

China’s National Defense in the New Era (2019), a white paper released by the State Council Information Office of the PRC, provides more specific details for national defense issues (e.g., international security assessment, its “defensive” national defense policy, missions and reforms in China’s national defense and armed forces, approach to defense spending, its vision for contribution to the international community) outlined in the National Security Law of the PRC (2015).

90. What measures are mentioned in the national law and strategy in order to implement cyberdefence?

The State Council white paper China’s National Defense in the New Era (2019) states: “Cyberspace is a key area for national security, economic growth and social development. Cyber security remains a global challenge and poses a severe threat to China. China’s armed forces accelerate the building of their cyberspace capabilities, develop cyber security and defence means, and build cyber defence capabilities consistent with China’s international standing and its status as a major cyber country. They reinforce national cyber border defence, and promptly detect and counter network intrusions. They safeguard information and cyber security, and resolutely maintain national cyber sovereignty, information security and social stability.”

91. How can Internet users’ online activities be limited for the reasons of protection of national security and cyberdefence?

Article 12 of the Cybersecurity Law (2017) stipulates a wide range of user online activities that can be limited for the sake of protecting national security and cyberdefence:

“Any person and organization using networks shall abide by the Constitution and laws, observe public order, and respect social morality; they must not endanger cybersecurity, and must not use the Internet to engage in activities endangering national security, national honour, and national interests; they must not incite subversion of national sovereignty, overturn the socialist system, incite separatism, break national unity, advocate terrorism or extremism, advocate ethnic hatred and ethnic discrimination, disseminate violent, obscene, or sexual information, create or disseminate false information to disrupt the economic or social order, or information that infringes on the reputation, privacy, intellectual property or other lawful rights and interests of others, and other such acts.”

92. Does the national law or strategy foresee any special regime to be implemented in case of emergency in the context of cyberdefence?

Chapter 5 of the Cybersecurity Law (2017) outlines the general guidelines for various entities including network operators, state agencies, and provincial governments in the case of cybersecurity emergencies.

The State Council’s white paper China’s National Defense in the New Era (2019) affirms: “cooperation agreement in the sphere of identifying and cutting off the channels used by the individuals involved in terrorist, separatist and extremist activities to enter the Shanghai Cooperation Organization member states.”

Actors

93. What actors are explicitly mentioned as playing a role regarding cyberdefence in the law or national cyberdefence strategy or defense strategy?

The State Council’s white paper China’s National Defense in the New Era (2019) outlines the divisions of the People’s Liberation Army (PLA) including army, air force, joint logistic support force, navy, rocket force, and strategic support force (SSF). Among them, the SSF centralizes strategic space, electronic, and cyber warfare missions.

94. Is there a specific cyberdefence body?

The Strategic Support Force (SSF) of the People’s Liberation Army (PLA), formed in 2016

95. What are the tasks of the aforementioned actors?

China’s National Defense in the New Era (2019) asserts:

“The PLASSF is a new type of combat force for safeguarding national security and an important driver for the growth of new combat capabilities. It comprises supporting forces for battlefield environment, information, communications, information security, and new technology testing. In line with the strategic requirements of integrating existing systems and aligning civil and military endeavours, the PLASSF is seeking to achieve big development strides in key areas and accelerate the integrated development of new-type combat forces, so as to build a strong and modernized strategic support force.”

References

AFP. (April 11, 2019). Russia passes bill to allow Internet to be cut off from foreign servers. The Guardian. Available at <https://is.gd/hOduIB>. Accessed 04 November 2019.
Alsabah, N. (2016). Information control 2.0: The cyberspace administration of China tames the internet. Merics China Monitor. Available at <https://is.gd/QkblLb>. Accessed 04 November 2019.
Austin, G. (2018). Cybersecurity in China: The next wave. Cham: Springer.CrossRefGoogle Scholar
Bauer, J. & Eeten, M. (2009), Cybersecurity: Stakeholder incentives, externalities, and policy options. Telecommunications Policy, 33(10–11), 706–719.CrossRefGoogle Scholar
Callo-Muller, M. (2018). GDPR and CBPR: Reconciling personal data protection and trade. APEC. Available at <https://is.gd/wYvtUP>. Accessed 04 November 2019.
Cao, S. & Leng, S. (September 16, 2019). Cybersecurity week kicks off in China. Global Times. Available at <http://www.globaltimes.cn/content/1164607.shtml>. Accessed 04 November 2019.
Chen, S. (October 12, 2017). China to build giant facial recognition database to identify any citizen within seconds. South China Morning Post. Available at <https://is.gd/Ac1Ekj>. Accessed 04 November 2019.
CNCERT. (2019). 2018 summary of China’s Internet network security status. National Computer Network Emergency Response Technical Team/Coordination Centre of China. Available at <https://is.gd/z10SHh> [Chinese]. Accessed 04 November 2019.
Cyberspace Administration of China (CAC). (2017). Cybersecurity Law of the PRC [English trans. by R. Creemers, P. Triolo, & G. Webster]. New America Foundation. Available at <https://is.gd/Nva3H8>. Accessed 04 November 2019.
Cyberspace Administration of China (CAC) (2019). The 44th Statistical survey report on Internet development in China. Cyber Administration of China. Retrieved from <https://is.gd/Ra07Ai>. [Chinese]
Cyberspace Administration of China (CAC). (July 22, 2019). Measures on Credit Information Management for Seriously Untrustworthy Internet Information Services Entities (Draft for solicitation of comments). Available at <https://is.gd/YMcaUF> [Chinese]. Accessed 04 November 2019.
Demchak, C. (2016). Uncivil and post-Western cyber Westphalia: Changing interstate power relations of the cybered age. The Cyber Defence Review, 1(1), 49–74.Google Scholar
Economist, The. (May 6, 2017). The world’s most valuable resource is no longer oil, but data. The Economist. Available at <https://is.gd/PQ6Vrj>. Accessed 04 November 2019.
eMarketer. (January 22, 2019). China to surpass US in total retail sales. Available at <https://is.gd/Da7ask>. Accessed 04 November 2019.
Fichtner, L. (2019). What kind of cyber security? Theorising cyber security and mapping approaches. Internet Policy Review, 7(2), 1–19.Google Scholar
Ford, C. (2019). Huawei and its siblings, the Chinese tech giants: National security and foreign policy implications. U.S. Department of State. Available at <https://is.gd/R9QnTs>. Accessed 04 November 2019.
Goldsmith, J. & Wu, T. (2006). Who controls the Internet? Illusions of a borderless world. New York, NY: Oxford University Press.CrossRefGoogle Scholar
Goodman, M. (2015). Future crimes: Inside the digital underground and the battle for our connected world. New York: Anchor.Google Scholar
Hayward, F. (September 26, 2019). China unveils 500 megapixel camera that can identify every face in a crowd of tens of thousands. Telegraph. Available at <https://is.gd/coBnaM>. Accessed 04 November 2019.
Hong, Y. (2017). Networking China: The digital transformation of the Chinese economy. Urbana Champagne: University of Illinois Press.CrossRefGoogle Scholar
Hong, Y. Q. (February 1, 2018). The politics and economics behind APEC’s CBPR. Research Alliance for Data Governance and Cyber Security. Available at <https://is.gd/SXJPdl>. Accessed 04 November 2019. [Chinese]
Inkster, N. (2016). China’s cyber power. London: Routledge.Google Scholar
Jenkins, N. (August 17, 2015). China shutters 50 websites for “inciting panic” over the Tianjin disaster. Time. Available at <https://is.gd/MjIRYw>. Accessed 04 November 2019.
Ji, X. (2014). Analysis of the status and trends of crime. China Criminal Law Magazine, 14(3), 116–124.Google Scholar
Jiang, M. (2010). Authoritarian informationalism: China’s approach to Internet sovereignty. SAIS Review of International Affairs, 30(2), 71–89.CrossRefGoogle Scholar
Jiang, M. & Fu, K. W. (2018). Chinese social media and big data: Big data, big brother, big profit? Policy & Internet, 10(4), 372–392. https://doi.org/10.1002/poi3.187CrossRefGoogle Scholar
Kaplan, F. (2017). Dark territory: The secret history of cyber war. NY: Simon & Schuster.Google Scholar
Kovacs, A. (2016). India and the Budapest Convention: To sign or not? Considerations for Indian stakeholders. Internet Democracy Project. Available at <https://is.gd/ffGBeA>. Accessed 04 November 2019.
Liang, F., Das, V., Kostyuk, N. & Hussain, M. (2018). Constructing a data-driven society: China’s social credit system as a state surveillance infrastructure. Policy & Internet, 10(4), 415–453.CrossRefGoogle Scholar
Lindsay, J. (2014). The impact of China on cybersecurity: Fiction and friction. International Security, 39(3), 7–47.CrossRefGoogle Scholar
Lindsay, J., Cheung, T., & Reveron, D. (Eds.) (2015). China and cybersecurity: Espionage, strategy, and politics in the digital domain. Oxford, UK: Oxford University Press.Google Scholar
Liu, Y. & Lin, L. (2018). How China should respond to GDPR. Information and Communications Technology and Policy, 9, 74–77. [Chinese]Google Scholar
Mai, J. (January 29, 2020). Coronavirus ‘rumour’ crackdown by Wuhan police slammed by China’s top court. South China Morning Post. Retrieved from https://www.scmp.com/news/china/society/article/3048042/chinas-top-court-hits-out-wuhan-police-over-coronavirus-rumour
Mozur, P. (July 8, 2018). Inside China’s dystopian dreams: A.I., shame and lots of cameras. New York Times. Available at <https://is.gd/keI3nH>. Accessed 04 November 2019.
Oppermann, D. (2010). Virtual attacks and the problem of responsibility: the case of China and Russia. Carta Internacional, 5(2), 11–25.Google Scholar
Qin, A. (February 20, 2019a). Military strategy behind Russia’s preparation to cut itself from the Internet: Lessons for China? Kunglunce Web. Available at <https://is.gd/sgLaSJ>. Accessed 04 November 2019.
Qin, A. (June 12, 2019b). High vigilance for American cyberwar at its last stage of preparation. Kunglunce Web. Available at <https://is.gd/QbyeYi>. Accessed 04 November 2019.
Raine, L., Anderson, J., & Connolly, J. (October 29, 2014). Cyber attacks likely to increase. Pew Research Centers” Internet American Life Project. Available at <https://is.gd/0TkJzx>. Accessed 04 November 2019.
Raul. A. (Ed.) (2018). Privacy, data protection and cybersecurity law review (5th Ed.). London: Law Business Research.Google Scholar
Schia, N. & Gjesvik, L. (2017). China’s cyber sovereignty: Policy brief. Norwegian Institute of International Affairs.Google Scholar
Singer, P. & Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to know. Oxford, UK: Oxford University Press.CrossRefGoogle Scholar
Sina Financial. (March 14, 2019). Consumer complaints and consultation requests over 10 million in 2018. Sina. Available at <https://is.gd/aOCjg0>. Accessed 04 November 2019.
Sputnik International. (March 13, 2018). China to continue cybersecurity drills within SCO. Sputnik International. Retrieved from <https://is.gd/7Ij51U
State Council. (2016). Inter-ministerial joint conference to help protect consumer rights. State Council of the PRC. Available at <https://is.gd/1NGXGJ>. Accessed 04 November 2019.
Tencent. (March 5, 2016). China’s online black market participants exceed 400,000; Tencent implements five measures to ensure security. Tencent Daqing Net. Available at <https://xian.qq.com/a/20160305/035854.htm [Chinese]>. Accessed 04 November 2019.
U.S. Department of Justice. (2014). U.S. charges five Chinese military hackers for cyber espionage against U.S. corporations and a labor organization for commercial advantage. Available at <https://is.gd/uNhOUl>. Accessed 04 November 2019.
Xinhua Net (August 6, 2015). Study strategies: 5 keywords to understand President Xi’s new proposal on cyber security. Xinhua Net. Retrieved from <https://is.gd/sEcug7>. [Chinese]
Xinhua Net. (September 16, 2017). Insiders explain how to “hit where it hurts” when it comes to cybercrime. Xinhua Net. Available at <https://is.gd/tXlkGW> [Chinese]. Accessed 04 November 2019.
Xinhua Net. (August 28, 2018). Cyber black and gray markets cause annual loss of nearly RMB 100 billion in China. Xinhua Net. Available at <https://is.gd/SBfwib> [Chinese]. Accessed 04 November 2019.
Xu, K. (2019). Effects and functions of Personal Information Security Specification. China Information Security, 3, 44–47. [Chinese]Google Scholar
Xue, H. (2019). An instant analysis of Chinese Electronic Commerce Law. CyberBRICS Project. Retrieved from <https://is.gd/5PUOu3>.Google Scholar
Wang, C. (2018). Comparing GDPR’s personal data rights and Cybersecurity Law’s personal information rights. China Information Security, 7, 41–44. [Chinese]Google Scholar
Wang, H. (February 14, 2017). China has established 1116 “cybersecurity police units.” Guangmin Daily. Available at <https://is.gd/FwebOV> [Chinese]. Accessed 04 November 2019.
Yu, Z. & Wu, S. (2018). Historical summary of cybercrime legislation, judicial interpretation and theories. Politics & Law, 1, 59–78. [Chinese]Google Scholar

Copyright information

Authors and Affiliations

Min Jiang
- 1
Email author

1.UNC CharlotteCharlotteUSA

Cybersecurity Policies in China

Abstract

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite chapter