
ARTICLE IN PRESS

computer law & security review ■■ (2017) ■■–■■

Available online at www.sciencedirect.com

ScienceDirect

www.compseconline.com/publications/prodclaw.htm

The impact of China’s 2016 Cyber Security Law on foreign technology firms, and on China’s big data and Smart City dreams

Max Parasol *
China Law Research Group, University of Technology, Sydney, Australia
Lawyer and Law Lecturer, Monash University, Melbourne, Australia

ABSTRACT

Chinese officials are increasingly turning to a policy known as Informatisation, connecting industry online, to utilise technology to improve efficiency and tackle economic developmental problems in China. However, various recent laws have made foreign technology firms uneasy about perceptions of Rule of Law in China. Will these new laws, under China’s stated policy of “Network Sovereignty” (“网络主权” “wangluo zhuquan”) affect China’s ability to attract foreign technology firms, talent and importantly technology transfers? Will they slow China’s technology and Smart City drive? This paper focuses on the question of whether international fears of China’s new Cyber Security Law are justified. In Parts I and II, the paper analyses why China needs a cyber security regime. In Parts III and IV it examines the law itself.

Keywords: China; Big data; The Internet of Things; Smart Cities; Network Sovereignty; Rule of Law; Cyber Security Laws
© 2017 Max Parasol. Published by Elsevier Ltd. All rights reserved.

1. Introduction

In Part I, this paper provides background context by introducing China’s Smart City drive. Smart Cities and associated technologies have deliberately been chosen for analysing China’s Cyber Security Law for two reasons. Firstly Smart Cities must utilise all the technologies that China has officially stated are necessary for its development namely: the Internet of Things, cloud computing, big data and spatial geographic information systems. Big data informing these policy decisions is often collected from millions of smart devices, including mobile phones, that necessitate a cyber security regime. Secondly Smart Cities can offset many of the political problems that besiege the Chinese Government and cause citizen unrest, namely air quality, traffic congestion, access to healthcare and efficient government services. This intersection of incredibly complex policy decisions that keeps Chinese leaders awake at night, merits our direct attention.

China’s Cyber Security Laws cannot be understood without understanding its Informatisation strategy. In Part II, this paper charts China’s Informatisation Strategy and Network Sovereignty policies. This paper unpacks the Chinese policy statement that connecting industry online and cyber security are truly “two wings of one body”. It is argued that the current Chinese Government values technological progress as China’s key development task and accordingly recent controversial laws that worried foreign technology firms and governments were amended to avoid impeding technological goals, including China’s 2015 Anti-Terrorism Law. In Parts III and IV, this paper objectively assesses China’s Cyber Security Law at length. The law was passed by the National People’s Congress on 7 November 2016, taking effect on 1 June 2017. While some provisions of this Law appear to tighten government control over Chinese and foreign technology firms, this paper presents evidence that suggests China will not harm its innovation agenda through excessive control over data and cyber technology.

* UTS Faculty of Law, University of Technology Sydney (UTS), City campus, 15 Broadway, Ultimo, NSW 2007, Australia.
E-mail address: maxparasol@rocketmail.com.
http://dx.doi.org/10.1016/j.clsr.2017.05.022
0267-3649/© 2017 Max Parasol. Published by Elsevier Ltd. All rights reserved.

Please cite this article in press as: Max Parasol, The impact of China’s 2016 Cyber Security Law on foreign technology firms, and on China’s big data and Smart City dreams,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.05.022

There is a complete circle to be drawn. The Chinese Government must appease a population now expecting more from its leadership in terms of economic development and better quality of life while at the same time protecting them from cyber risks in an increasingly inter-connected world. These are complex policy considerations to balance.

To fulfil these demands, this paper contends that China must rely on assistance from both foreign and local technological innovators. These firms will therefore play a role in shaping the cyber security compliance debate in China. The text of the Cyber Security Law and subsequent regulatory developments allow for such negotiations over interpretation and enforcement. Negotiations may continue for another 18 months.

2. Part I: why China needs a Cyber Security Regime

The following background is necessary to understand why China needs a cyber security regime, especially in relation to China’s national policy of using the internet and big data to resolve long-standing development problems.

The enactment of the Cyber Security Law in 2016 arguably reflected more than a legislative attempt to regulate the internet for the purpose of censorship. The law was passed by the National People’s Congress on 7 November 2016, but did not take effect until 1 June 2017. There have been a number of attempts to lobby the Cyberspace Administration of China (CAC)1 to delay implementation. On 15 May 2017, global technology companies represented by 54 trade groups from Europe, Asia and the US petitioned China to delay the enactment of the Cyber Security Law.2 Their major argument is that it could discriminate against foreign businesses. This paper argues that China will continue the ongoing compliance debate with foreign technology companies and that reports of CAC “[i]ndiscriminately requiring businesses to hand over source codes” are inaccurate.3

2.1. Billions of connected devices

The Cyber Security Law was a necessity for Smart Cities and associated technologies to develop in a safe and secure way. China has 731 million internet users according to government statistics in January 2017. Further, 695 million users use the internet through mobile devices. They rarely use cash and rely on China’s distinct online, e-commerce, payment and logistics ecosystem.4

Cyber technologies will define the 21st century. Cyber security must therefore be part of everything that we create. While this can be linked to national and global security, it is also through this lens that fears surrounding China’s Cyber Security Law can be reduced. As Smart Cities utilise key public infrastructure, a close reading of China’s new Cyber Security Law indicates that cyber security concerns focused on “critical infrastructure” were a primary policy driver for the new law.

The Chinese Government has focused its attention on an innovation agenda, and that may be hard for the international community to grasp. Observers must look for the intent behind the law from the wider Chinese policy context, and the massive task of ensuring network security among China’s billions of connected devices.5

2.2. China’s history of legislative petri dishes

There are over 300 Smart City pilot projects6 across China. They build upon China’s history of what I call ‘law in a petri dish’, or the legislative laboratory that China has created since 1978 in China’s Special Economic Zones and Technology Development Zones.7 These national level programs started with the Special Economic Zones for three cities in 1978, as part of China’s economic reform, and were extended to the Economic and Technological Development Zones in 14 cities in 1984. The phrase “Special Economic Zone” itself belies their role in Chinese law and development history. They evolved as a place for political and economic policy experimentation.

Wei-Wei Zhang in Transforming China: Economic Reform and its Political Implications sums up the experimental role of the Special Economic Zones:

1 Discussed in detail below, CAC is the office that outlines China’s cyber strategy.
2 The letter was signed by 54 trade groups including the US-China Business Council, American Chamber of Commerce in China, BusinessEurope, the Japan Chamber of Commerce and Industry and the Korea-China Business Council. See: Eva Dou, ‘Global Tech Companies Call on China to Delay Cybersecurity Law’, (Wall Street Journal, 15 May 2017) <https://www.wsj.com/articles/global-tech-companies-call-on-china-to-delay-cybersecurity-law-1494837117> accessed 18 May 2017.
3 Michael Martina and Cate Cadell, ‘Amid industry pushback, China offers changes to cyber rules: sources’ (Reuters, 19 May 2017) <http://www.reuters.com/article/us-china-cyber-law-idUSKCN18F1VZ> accessed 21 May 2017.
4 This is according to Chinese Government statistics released in January 2017. See: Steven Millward, ‘China now has 731 million internet users, 95% access from their phones’, (TechinAsia, 23 January 2017) <https://www.techinasia.com/china-731-million-internet-users-end-2016> accessed 23 January 2017.
5 China has been predicted to have 10 billion connected devices by 2020. Mary Lennighan, ‘China to have 10bn connected devices by 2020’, (Total Telecom, 24 February 16), <https://www.totaltele.com/view.aspx?ID=492917> accessed 25 March 2017.
6 At present, there are more than 300 pilot Smart Cities in China. ‘Sector Report: Smart Cities in China’ (2016) EU SME Centre, <http://www.cbbc.org/cbbc/media/cbbc_media/KnowledgeLibrary/Reports/EU-SME-Centre-Report-Smart-Cities-in-China-Jan-2016.pdf> accessed January 2017, p20.
7 The Chinese Government allowed two provinces of the four provinces, Shenzhen in Guangdong Province and Xiamen, Fujian Province, to adopt “special policies” (teshu zhengce 特殊政策) and to implement “flexible measures” (linghuo cuoshi 灵活措施). These unique powers were aimed at attracting foreign capital and technology. They were granted preferential tax measures and enjoyed higher foreign-exchange retention rates.

The SEZs became, effectively, laboratories in which the operation of the market economy was carried out. The intention of the state was to extend methods that proved successful in the zones to other parts of the country. Should the experiment fail, its adverse impact could be minimized since the zones were located far away from China’s political and economic centres. The strategy was
relatively successful in attracting foreign capital, pioneering reform experiments and creating from scratch an export-oriented economy.8

Major Chinese planning documents are incredibly ambitious. Ambitious targets are set and usually reached, according to the official statistics. Legislative laboratories also allow China to constantly trial legislative tasks in small pilot zones. This bodes well for successful Smart City projects tested on a small scale and implemented with technocratic efficiency. In ten years we may be describing the great success of Smart Cities in the same way that commentators now describe the legal and political reforms associated with China’s Special Economic Zones.9

2.3. “Smart Cities” “智慧城市”

As part of its innovation agenda, the Chinese government has been strongly promoting the development of Smart Cities. There are various definitions of a “Smart City”. It is often argued that while the most important element of a Smart City is often described as technology, in practice citizen participation and engagement is the most important element. For China to build effective Smart Cities, access to open and accurate big data10 and the development of articulate Smart City strategies is of paramount importance. “A widespread program is needed to build public awareness of ICT,11 including how it can be accessed and used and its role in economic and social development. Efforts are needed to promote e-government, to encourage citizen use of online public services and participation in decision-making.”12 “Smart City” is a vague term applied to everything from urban design to traffic management policy. It is the use of information technologies to solve urban problems incorporating intelligent and sustainable urban development.13 A Smart City is a digitally connected city. However it is as much about town planning for city growth as it is about technology. “In its widest understanding, smart city integrates the whole range of services a city needs and wants to offer in a way that follows state of the art public administration requirements – including the use of most recent technology”.14 The goals of “good city management” are therefore ideally also the “leading goals of smart city development.”15 While the definition of a Smart City varies greatly within the literature, sustainability is one key phrase associated with a Smart City.16

8 Wei-wei Zhang, Transforming China, Economic Reforms and its Political Implications. (St. Martin’s Press, New York, 2000), p.21.
9 Policy makers for Smart City construction in China include the central government, various ministries and regional/city-level governments, especially in pilot Smart Cities. In addition the private sector is heavily involved, this is discussed below. Several ministries have been involved in developing policies, standards and the evaluation process, including: The National Development and Reform Commission (NDRC); The Ministry of Industry and Information Technology of the People’s Republic of China (MIIT); The Ministry of Housing and Urban-Rural Development of the People’s Republic of China (MOHURD); The Ministry of Finance. Local/City Governments also play an important role. For example, the Shanghai Municipal Government published its action plan for promoting and accelerating Smart City development in 2011. In 2014, the second edition of the action plan covering 2014–2016 was announced. Shanghai published its action plan for promoting and accelerating Smart City development in 2011. To achieve these targets from a technical perspective, Shanghai aims to focus on the construction and development of the following areas: Broadband; WLAN; Ipv6 access; Big data; Cloud-computing; IoT; and Network security. ‘Sector Report: Smart Cities in China’ (2016) EU SME Centre, <http://www.cbbc.org/cbbc/media/cbbc_media/KnowledgeLibrary/Reports/EU-SME-Centre-Report-Smart-Cities-in-China-Jan-2016.pdf> accessed January 2017, p10.
10 In May 2013 a group of international scholars brainstormed two definitions of big data in a session on Data Science and Big Data at the Xiangshan Science Conference (2013) in Beijing. The first definition, for academic and business communities, is “a collection of data with complexity, diversity, heterogeneity, and high potential value that are difficult to process and analyze in reasonable time,” and the second, for policymakers, is “a new type of strategic resource in the digital era and the key factor to drive innovation, which is changing the way of humans’ current production and living”: ‘Report on the 462nd Session: Data Science and Big Data.’ (Xingshan Science Conference, Chinese Academy of Sciences, Beijing, May 29–31 2013). Cited in ‘The Bridge: a global view of big data’, (National Academy of Engineering, 2014) <https://www.nae.edu/File.aspx?id=128774> accessed 12 July 2015.
11 Information and Communications Technology (ICT) is an extended term for information technology (IT), stressing the integration of telecommunications (telephone lines and wireless signals), computers as well as necessary enterprise software, middleware, storage, and audio-visual systems, which enable users to access, store, transmit, and manipulate information.
12 Christine Zhen-Wei Qiang, China’s Information Revolution: Managing the Economic and Social Transformation (World Bank Publications, Washington, DC, 2007), p85.
13 Anthony, M., Townsend, Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia (W. W. Norton & Company, New York, 2013).
14 Kang Yanrong, Jeanette Whyte, Thomas Hart, ‘Comparative Study of Smart Cities in Europe and China’, White Paper, EU-China Policy Dialogues Support Facility II (PDSF), March 2014, p16. <http://euchina-ict.eu/wp-content/uploads/2015/01/Smart_City_report_draft-White-Paper-_-March-2014.pdf> accessed 2 February 2015.
15 ibid.
16 Smart Cities often refer to intelligent and sustainable urban development: ibid.
17 Internet of Things (IoT) is the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data. Cisco estimates that there were about 200 million things connected to the Internet in the year 2000 and that this number has increased to approximately 10 billion by 2013. Cisco sees the next wave of dramatic Internet growth will come from a combination of machine-to-machine (M2M), person-to-machine (P2M), and person-to-person (P2P), which they describe as the Internet of Everything (IoE): Joseph Bradley, Joel Barbier, Doug Handler, ‘Embracing the Internet of Everything To Capture Your Share of $14.4 Trillion’, Cisco White Paper, 2013. <http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoE_Economy.pdf> accessed 2 March 2015. According to Chinese policy documents, Internet of Things (IoT) is a new infrastructure, which expands the services and applications provided by the present communication networks and the Internet. Sensing and identifying the physical world by utilising sensor technologies and intelligent devices, IoT through transmission and interconnection of networks performs computing, processing and knowledge mining, in such a way as to realise information interaction and seamless interaction between human and objects as well as between objects, thereby serving the purposes of real-time control, accurate management and scientific decision-making of the physical world: ‘The White Paper on the Internet of Things’, China Academy of Telecommunication Research of MIIT, 2011.

Modern technology trends have increased the recent development of Smart Cities. Government-employed Smart City strategies are regarded as a powerful catalyst to develop and utilise technologies – such as the Internet of Things (IoT),17 cloud
computing and big data – in urban planning, construction, and city management.

The movement for Smart Cities is strong globally. Global problems are theoretically solvable in a smarter planet. Smart systems are transforming energy grids, supply chains and water management. Smart healthcare systems can dramatically lower the cost of therapy. Smart food systems are using radio frequency identification technology to trace meat and poultry from the farm through the supply chain to store shelves.

Smart Cities need secure networks but also contain many open networks in need of a cyber security regime. Billions of devices envisaged connecting to a wide range of applications, ensures that security is essential for many Smart City initiatives especially those connected to a country’s critical infrastructure. This new connected landscape makes cyber security a governmental responsibility to protect key infrastructure and data breaches. China often releases technical aspirational goals18 but the question remains, how can China develop a polity actively engaged in Smart City goals and will the Cyber Security Law of 2016 help those aims?

One high-profile example expounds why Smart City plans could greatly assist the implementation of responsive government, while in some cases also arousing international suspicions of a nascent dystopia.

2.4. Yinchuan

Yinchuan is the capital of Ningxia province, in northern China, which China announced as the blueprint “Smart City” across China in October 2016. Yinchuan is the favoured “Smart City” leader over Shanghai or Beijing, due to its small size – its population is only 1.5 million.19 The city is testing various smart City measures, including solar powered public rubbish bins that double as compactors, allowing them to increase storage capacity five-fold. When full, the bins send out a signal to garbage collectors to empty them.

Other aspects are more problematic. On local buses, facial recognition software has replaced the fare box. Faces are linked to their bank accounts. Public transport boarding is not slowed by people fishing for correct change. Yet this system alone raises questions regarding the kind of data China’s Smart Cities should be able to collect.20

This is only one example of individual Smart City projects. There are over 300 other experiments in China, undoubtedly the world’s largest roll out of Smart City projects. These projects can help assist the Chinese Government in alleviating great social problems.

However, major fears surrounding China’s new Cyber Security Law concern where and how data is stored and whether this will allow abuse of citizens’ rights and freedoms by an authoritarian government. Principally that data must be locally stored in China, due to China’s preoccupation with “Network Sovereignty” best embodied by the phrase “secure and controllable”. This is seemingly in stark contrast to China’s innovation goals.

2.5. The Key Tenets of the 13th Five Year Plan: innovation, “sharing” and “openness”

Innovation is China’s number one goal and this central focus must be emphasised before analysing China’s Cyber Security Law. The 13th Five-Year Plan21 is the first Five-Year Plan under President Xi Jinping’s leadership, and was released on 15 March 2016. The 13th Five-Year Plan Proposal contains five main principles underpinning the policies for China’s future development.22

18 For example: A Five-Year Plan on China’s National Informatisation (2016–2020) was issued by the State Council on December 27 2016. According to the official press release: <http://english.gov.cn/policies/latest_releases/2016/12/27/content_281475526646686.htm> China will put more resources into the development of cutting-edge information technology, including 5G wireless systems, IPv6, smart manufacturing, cloud computing and the Internet of Things. The plan set a goal of authorising 15.3 trillion patents in the information industry. The goal is by 2020, BeiDou Navigation System, involving 35 satellites, will be completed and provide services for international clients. The plan includes:
• More integrated national databases, covering information from government, academic institutions and other public sectors, will be set up and open to the public, so as to break information barriers. A unified online system will be established, integrating information and services from different departments, regions and levels to build a “smart government”. The government hopes to deal with 80 percent of paperwork online by 2020.
• More funds will be invested into information infrastructure, especially for rural and remote regions. By 2020, 40 percent rural families in central and western China will have access to cable internet. In addition, the speed of the internet will be accelerated and costs will be lowered.
• The government hopes to connect the internet industry with manufacturing and agriculture. E-commerce and other new business models will be promoted. By 2020, e-commerce trade volume is planned to reach at least 38 trillion yuan.
• The plan also focused on cyber security, promoting legislation of relative laws and regulations, setting up risk alerts and an emergency mechanism. It also vows to further crack down on telecom fraud.
• China has made significant achievements in informatisation, according to the Five-Year Plan on Informatisation. It also mentioned some shortcomings, including lagging innovation capability, core technology’s dependency on foreign companies, lagging information infrastructure in rural and poor regions, and the risk of a widening digital gap.
19 Daisy Carrington, ‘Yinchuan: The smart city where your face is your credit card’, (CNN, 11 October 2016) <http://edition.cnn.com/2016/10/10/asia/yinchuan-smart-city-future/> accessed 12 January 2017.
20 ibid.
21 《国民经济和社会发展第十三个五年规划》(“十三五”规划”)[the 13th Five-Year Plan for Economic and Social Development of the People’s Republic of China (‘the 13th Five-Year Plan’)] National People’s Congress, 17 March 2016.
22 ibid.
23 Coordination means to ensure balanced coordinated development among rural and urban areas, and across different industries.
24 Green development means protecting the environment and pursuing environmentally friendly economic growth.

The first aspirational principle is innovation, primarily as a driver of economic development and to shift China’s economic structure into a higher-quality growth pattern. The other four principles are: coordination23; green development24; opening-up; and sharing. These broad aspirational goals all seem promising for technologies like the Internet of Things and movements such as big data analytics and Smart Cities. The Five-Year Plan pledges openness, stating that China should utilise both domestic and global markets and be more active
Please cite this article in press as: Max Parasol, The impact of China’s 2016 Cyber Security Law on foreign technology firms, and on China’s big data and Smart City dreams,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.05.022
ARTICLE IN PRESS
computer law & security review ■■ (2017) ■■–■■ 5

in global governance. Sharing means “Development for the After the 12th Five-Year Plan identified Smart City technol-
People, by the People and Shared by the Entire Population”.25 ogy as a sector to be encouraged, ministries subsequently began
Growth for growth’s sake is not enough.“Inclusive growth” was sponsoring programs and industry alliances.29 As Smart Cities
a key theme of the 12th Five-Year Plan (2011–2015) and continues are Chinese Government policy, multinational companies, in-
to be a main priority for Chinese leaders who face numerous cluding several from China, are now in a race to develop and
problems that are already impacting the quality of life of Chinese deploy Smart City platforms in which disparate systems com-
citizens.These include a widening income gap, a growing elderly municate and share information.30 There have been various public
population and a deteriorating natural environment. China’s documents calling for greater attention to the development of
manufacturing comparative advantage continues to erode and Chinese Smart Cities. For example, on 15 January 2014, the NDRC
many university graduates are unemployed. China’s innova- and the Ministry of Industry and Information Technology31 (MIIT),
tion economy is a political imperative. Innovation is therefore along with other relevant departments, publicised a Notice to
a major priority for the Chinese government. Speed up the Project Implementation of Smart Cities.32 It is
argued below that there is no indication that China’s Cyber Se-
curity Law was intended to disrupt this existing agenda.
2.6. “Smart Cities” in China’s Five Year Plans However planning for Smart City success will depend upon
China’s cyber security regime. If China continues collecting data
According to the Chinese National Development and Reform everywhere and employs sensors everywhere, China will need
Commission (NDRC)26 (中华人民共和国国家发展和改革委员会), the to have a well-articulated cyber security regime. Countries must
“Smart City” strategy introduces modern science and technol- protect critical infrastructure that is connected through private
ogy, such as the Internet of Things, cloud computing, big data, smart phones among other devices. In many ways China is at
spatial geographic information systems, to urban planning, con- the global vanguard of dealing with these issues. These are
struction and operation. serious threats facing China given the high penetration of in-
Smart Cities can improve urban management and service ternet usage and connected devices in China.
industries with the help of information and data resources.The The Internet of Things enables objects to talk to other objects.
goal is to integrate information resources, and improve urban Billions of devices envisaged connecting to a wide range of ap-
management and services, as well as transform China’s economy plications. Security is therefore essential for many applications.
to more modern industries.The term “智慧城市”,“Zhihui Chengshi” This final point is pertinent in that the Chinese Government
or “Smart City” has been widely accepted in China. The Smart knows all too well the sinister threat of cyber security attacks
City concept garnered much attention at the 2010 Shanghai posed, for example, by having a system of live sensors across
World Expo, where it was a key theme.The World Expo’s slogan a city.
was “Better City, Better Life”. In May 2017, it was reported that China was a major victim
In China the movement to develop such technologies, both of the global ransomware attack.33 Limited, disputed and
political and popular is very strong.27 China has employed a
large and sustained deployment of Smart City projects. The 12th
Five-Year Plan, which guided broad economic policy until 2015, identified Smart City technology as a sector to be strengthened and encouraged. China’s Five-Year Plans are blueprints containing the country’s social, economic, and political goals. They encompass and intertwine with existing policies, regional plans, and strategic initiatives. A Five-Year Plan signals the Chinese government’s vision for future reforms and communicates this to other parts of the bureaucracy, industry players and Chinese citizens. It is a living document that will go through constant review and revision over a five year period.28

25 《国民经济和社会发展第十二个五年规划》(“十二五”规划”)[the 12th Five-Year Plan for Economic and Social Development of the People’s Republic of China (‘the 12th Five-Year Plan’)] National People’s Congress, 14 March 2011.

26 The National Development and Reform Commission of the People’s Republic of China (NDRC), formerly known as the State Planning Commission and State Development Planning Commission, is a macroeconomic management agency under the Chinese State Council, which has broad administrative and planning control over the Chinese economy. See: <http://en.ndrc.gov.cn/>.

27 Anthony M. Townsend, Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia (W. W. Norton & Company, New York, 2013).

28 《国民经济和社会发展第十二个五年规划》(“十二五”规划”)[the 12th Five-Year Plan for Economic and Social Development of the People’s Republic of China (‘the 12th Five-Year Plan’)] National People’s Congress, 14 March 2011.

29 For example, in 2012, the Ministry of Housing and Urban-Rural Development (MOHURD) formally issued the “Notice of Carrying out the National Smart City Pilots”, and the “National Interim Measures for Smart City Pilots” and approved 90 Smart City pilot projects.

30 Many cities such as Nanjing, Shenyang, Chengdu, and Kunshan, have made strategic Smart City platform cooperation agreements with global software giant IBM: Zhang Yongmin, and Du Zhongchao, “Present status and thinking of construction of smart city in China,” China Information Times 2 (2011), p. 28–32. IBM is generally regarded as a leader in the integration and effective centralisation of communication between Smart City industries and government departments.

31 The Ministry of Industry and Information Technology of the People’s Republic of China was established in 2008 as a department under the State Council responsible for the administration of China’s industrial branches and information industry. It is a “super ministry” responsible for the integration of science and technology planning and industry, but not media content control. See: <http://www.miit.gov.cn/n11293472/index.html>.

32 Cited in ‘Sector Report: Smart Cities in China’ (2016) EU SME Centre, <http://www.cbbc.org/cbbc/media/cbbc_media/KnowledgeLibrary/Reports/EU-SME-Centre-Report-Smart-Cities-in-China-Jan-2016.pdf> accessed January 2017, p8. The link <http://gjss.ndrc.gov.cn/zttp/xxhm/201401/t20140113_692263.htm> is no longer available.

33 The WannaCry ransomware attack is a worldwide cyber attack, which targets computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in Bitcoin cryptocurrency. The attack started on 12 May 2017 and has been described as unprecedented in scale, infecting computers in over 150 countries.

Please cite this article in press as: Max Parasol, The impact of China’s 2016 Cyber Security Law on foreign technology firms, and on China’s big data and Smart City dreams,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.05.022

tentative early evidence suggested the attack may be associated with a group backed by North Korea.34 China struggled to recover from the global hacking assault that hit Chinese companies, government agencies and universities especially hard. It was argued that the risks of China’s heavy dependence on pirated software were exposed by this incident.35 Researchers believe large numbers of computers running unlicensed versions of Microsoft Windows probably contributed to the reach of the ransomware attack. As pirated software is usually not registered with the developer, users often miss major security patches that ward off newer cyber assaults.36 Now imagine if that software was connected to hardware and infrastructure across a Chinese city. Furthermore it underscores why China might choose to increase reliance on foreign technology firms and strengthen intellectual property protections in order to avoid future cyber security risks. Alternatively, it may bolster the Government’s resolve.

China’s current approach under the Cyber Security Law will be to conduct reviews to ensure that network products and services are “secure and controllable.” Understanding Chinese companies and government agencies as well as private citizens’ well-known historically heavy dependence on pirated software partially explains this requirement. It is a major cyber security risk. In Part IV below, this paper seeks to objectively assess the intention of China’s 2016 Cyber Security Law, and that assessment requires a deep appreciation of the magnitude of China’s Smart City top-down policy dreams.

3. Part II: China’s Informatisation Strategy and Network Sovereignty: “Cyber security and Informatisation are two wings of one body”

China’s Cyber Security Laws cannot be understood without understanding China’s Informatisation drive and the concept of Network Sovereignty. It is important to point to the formation of the Cyber Security and Informatisation Leading Small Group,37 and its Office, the Cyberspace Administration of China (CAC) in 2014 as a critical moment in the development of China’s overall strategy and institutional approach to the problems of cyber security/Informatisation. At that moment, Chinese President Xi Jinping then took a personal role in the ICT policy and regulatory making process. This centralisation provided much impetus to the legal and institutional developments since 2014. Policy for both Cyber Security and Informatisation resides with the leader of China.

The consolidation of internet regulations in bodies such as the Central Leading Group for Cyberspace Affairs and the State Internet Information Office (SIIO) (中央网络安全和信息化领导小组), represents a fundamental change from China’s previous patchwork of online governance.38 This new so-called Leading Small Group, established on 27 February 2014 and chaired by President Xi Jinping himself, emphatically signalled the consolidation of internet governance. The SIIO Leading Group exerts ultimate authority over the Cyberspace Administration of China (CAC) (国家互联网信息办公室), and it gained chief responsibility in regulating online content.39 In June 2016, China named Xu Lin, head of the Cyberspace Administration of China, replacing Network Sovereignty advocate, Lu Wei.40 Xu publicly

34 Evidence for North Korean involvement via the Lazarus Group remains tentative; Symantec called the code overlap “weak links.” “The Lazarus Group” is a hacker collective with ties to North Korea: ‘North Korean hackers behind global cyberattack?’ (CBS News, 16 May 2017) <http://www.cbsnews.com/news/cyberattack-wannacry-ransomware-north-korea-hackers-lazarus-group/> accessed 19 May 2017. Western reports suggested that North Korea was responsible. Some reports in China suggested that the US was responsible. See: ‘WannaCry ransomware has links to North Korea, cybersecurity experts say’, (The Guardian, 16 May 2017) <https://www.theguardian.com/technology/2017/may/15/wannacry-ransomware-north-korea-lazarus-group> accessed 16 May 2017. See also the China Daily editorial: ‘Greater global cooperation required to fight cyber crime’, (China Daily, 18 May 2017) <http://www.chinadaily.com.cn/cndy/2017-05/17/content_29377195.htm> accessed 18 May 2017.

35 Paul Mozur, ‘China, Addicted to Bootleg Software, Reels From Ransomware Attack’, (New York Times, 15 May 2017), <https://www.nytimes.com/2017/05/15/business/china-ransomware-wannacry-hacking.html> accessed 16 May 2017.

36 A study last year by BSA, a trade association of software vendors, found that 70 percent of software installed on computers in China was not properly licensed in 2015: ‘Seizing Opportunity Through License Compliance’, BSA Global Software Survey, May 2016, <http://www.bsa.org/~/media/Files/StudiesDownload/BSA_GSS_US.pdf> accessed 17 May 2017 cited in ibid.

37 The new leading group largely merged the membership of the previous two leading bodies for online governance, the State Informatisation Leading Group (SILG) and the State Network and Information Security Coordination Small Group (SNISCSG).

38 ‘习近平:把我国从网络大国建设成为网络强国’ [‘Xi Jinping: Build Our Country from a Large Network Country into a Strong Network Country’]. (Xinhua, 27 February 2014), available at: <http://news.xinhuanet.com/politics/2014-02/27/c_119538788.htm> accessed 27 February 2016.

39 ‘国务院关于授权国家互联网信息办公室负责互联网信息内容管理工作的通知 国发’ [‘Notice concerning Empowering the Cyberspace Administration of China to Be Responsible for Internet Information Content Management Work’], (State Council, 26 August 2014). For an English translation see: <https://chinacopyrightandmedia.wordpress.com/2014/08/26/notice-concerning-empowering-the-cyberspace-administration-of-china-to-be-responsible-for-internet-information-content-management-work/> accessed 27 February 2016.

40 David Iaconangelo, ‘China replaces its internet czar. Will its policies change, too?’ (Christian Science Monitor, 29 June 2016) <http://www.csmonitor.com/World/Asia-Pacific/2016/0629/China-replaces-its-internet-czar.-Will-its-policies-change-too> accessed 30 June 2016. As the official responsible for implementing the government’s internet policies, Lu was known for his outspoken defense of “Network Sovereignty”. Under Lu’s direction in recent years, China had taken some tentative steps in the direction toward a “multi-stakeholder” approach to regulating the internet. In 2015, Lu had joined the governing body of Netmundial, a forum based on Western principles of access. Chinese organisations stepped up their participation in ICANN, the nonprofit that manages IP addresses globally: Peter Ford, ‘On Internet freedoms, China tells the world, ‘leave us alone’’, (Christian Science Monitor, 18 December 2015) <http://www.csmonitor.com/World/Asia-Pacific/2015/1218/On-Internet-freedoms-China-tells-the-world-leave-us-alone> accessed 12 January 2016. Lu was a global advocate for Network Sovereignty influencing other countries in their internet policies. Bethany Allen-Ebrahimian, ‘The Man Who Nailed Jello to the Wall’ (Foreign Policy, 29 June 2016) <http://foreignpolicy.com/2016/06/29/the-man-who-nailed-jello-to-the-wall-lu-wei-china-internet-czar-learns-how-to-tame-the-web/> accessed 30 June 2016.


vowed to maintain the Chinese Communist Party’s control over cyberspace.41

Thus, significant institutional change has taken place in order to consolidate and streamline Chinese ICT policymaking processes. It also put the realisation of the Informatisation agenda at the centre of political and economic reform. CAC’s membership comprises economic and technological policymakers on the one hand, and entities more concerned with ideological and international security on the other.42

CAC perhaps embodies the inherent conflict between Network Sovereignty and Informatisation. Are they conflicting strategies or two wings of the same bird? Previously various ministries had authority over various aspects of the telecommunications and the internet. There was a need for developing e-leadership institutions. Regulatory gaps allowed for the success of China’s internet giants.43 For example, while the internet was a banned industry for foreign investment, all of the BATs had foreign investment through a curious non-legal44 offshore entity known as a Variable Interest Entity located in the Cayman Islands.45

Further, the positioning of CAC near the apex of China’s leadership hierarchy means China’s top leaders will be able to pursue fundamental reform of national internet regulations in line with those principles that they view as most essential to China’s future development. This is a fundamental change. Placing internet regulations close to the leadership hierarchy means China’s strong desire to invent, innovate and modernise its economy might receive a major boost.

A new centralised internet governance regime may also offer more clarity for companies, who have always faced the persisting “fuzzy logic”46 of China’s legal system and the substantial discretion afforded administrative authorities to interpret that law in an ad-hoc manner. Indeed there is also the strong argument that in light of China’s top-down innovation policies China needed a high-level e-leadership, such as the CAC, to be created. The following arguments were made in 2010 in an article about China’s Emerging Informatisation Strategy:

China needs to take key cross-cutting and synergistic actions: develop e-leadership capabilities and institutions, develop human resources to support national ICT diffusion priorities, promote affordable and shared access to ICT, and orient the national innovation system and ICT industry development to support local adaptation and local users.47

It has been stated that: “The senior political ranks in Beijing recognize that the government’s ability to control, censor, and supervise the technology and the information it transmits has fallen behind and must now catch up. Essentially, the technology has gotten ahead of the government’s ability to manage it.”48 This is not necessarily a sinister appraisal of the Chinese Government’s intent. Nevertheless, the role of CAC is evolving. CAC has faced a lot of bureaucratic hurdles in trying to centralise control over cyber security and Informatisation policies and regulation.49

In a Chinese report, Xinhua News agency noted that CAC is also trying to reassure foreign companies that the new powers of review will not compromise products and services, and intellectual property is not in danger. Xinhua also noted that after passing the Cyber Security Law, CAC is drafting related guidelines on accessing online data, trying to ease concerns that the new

41 ‘China appoints new internet regulator’, (Reuters, 29 June 2016) <http://www.reuters.com/article/us-china-internet-idUSKCN0ZF0H4> accessed 30 June 2016.

42 Rogier Creemers, ‘Cyber China: Updating Propaganda, Public Opinion Work and Social Management for the 21st Century’, Journal of Contemporary China, (2015).

43 See Shao, Guosong, Internet Law in China, (Elsevier, Cambridge, 2012). See also Chen, Tain-Jy, and Ying-Hua Ku, ‘Rent Seeking and Entrepreneurship: Internet Startups in China’, Cato Journal 36(3) (2016) 659. VIEs are usually an offshore holding company based in the Cayman Islands. This company then establishes a Wholly-Foreign Owned Entity (WFOE). Investors gain control of the WFOE through various legal contracts. “Ownership through management contracts.” The first VIE was Sina Weibo in 2000. VIEs can therefore list on foreign stock markets or be controlled by a foreign investor. A regulatory loophole in China’s foreign investment regime allowed this investment in prohibited industries for foreign investment to occur. It is a legal grey area, which escapes Chinese regulatory controls for foreign investment in “sensitive” industries such as the internet and media. As of early 2017, VIEs are still unproven in Chinese Courts. It was essentially created to allow foreign ownership in “sensitive industries”.

44 It seems likely that the Chinese government will make VIEs illegal in 2017. On 19 January 2015, the State Council issued a discussion draft of legislation setting out the plan for overhauling the antiquated Chinese foreign investment legal regime. The new system is set out in the PRC Investment Law Discussion Draft (“Draft”), a massive document of 178 Articles and 11 Chapters. The underlying philosophy of the Draft is explained in the Explanation of the PRC Investment Law (the “Explanation”). The Explanation makes it clear the new law directly targets VIEs. The Draft law is expected to be passed in 2017.

45 For further reading see: Samuel Farrell Ziegler, ‘China’s Variable Interest Entity Problem: How Americans Have Illegally Invested Billions in China and How to Fix It’ [2016] 84(2) George Washington Law Review 539.

46 There is also an epistemic problem in defining Chinese laws. Knowledge of the implementation of laws is sparsely diffused across bureaucracies, government officials, and those few who have tested new laws. Sometimes that knowledge is not diffused at all. I call this problem ‘fuzzy-logic’; the idea is often used in computer coding where multiple truths exist in one phrase. That is, Chinese laws and regulations exist ad nauseam but often cannot be understood. Fuzzy logic is an approach to computer programming based on “degrees of truth” rather than a standard “true or false” logic. Fuzzy logic includes cases of truth but also includes the various states of “truth” in between. For example, the result of a comparison between two things may be not “tall” or “short” but measured in degrees of tallness. There is a clear ambiguity between what is meant by “tall” or “short” and everything in between.

47 Nagy K. Hanna, and Christine Zhen-Wei Qiang. “China’s emerging informatization strategy”, Journal of the Knowledge Economy 1(2) (2010) p158.

48 Samm Sacks, ‘Apple in China, Part I: What Does Beijing Actually Ask of Technology Companies?’ (Lawfare, 22 February 2016) <https://www.lawfareblog.com/apple-china-part-i-what-does-beijing-actually-ask-technology-companies> accessed 1 March 2017.

49 There is an inherent contradiction between cyber security and Informatisation policy planning. For example, the international response to the Cyber Security Law has meant that CAC has had to consider delaying the law.


law opens the door for police abuse of power.50 However, fears about the impact of the new law on foreign businesses remain.

There are increasing reasons for those fears, including the fact that China’s Cyberspace regime is evolving rapidly. On 25 March 2016, China created the Cyber Security Association of China (CSAC – 中国网络空间安全协会). CSAC is a Chinese Communist Party (CCP)–controlled industry association. CSAC further connects the major stakeholders in China’s evolving cyber-governance regime: government, the private sector, and researchers. CSAC reflects President Xi’s broader efforts to centralise power over China’s cyber bureaucracy. Like many of these new institutions the organisation is in charge of very diverse goals.51 CSAC’s leadership and membership is also noteworthy. Its chair, Fang Binxing, is best known as the “Father of the Great Firewall,” China’s internet censorship and surveillance system. Fang’s selection as head of the association suggests a pro-Network Sovereignty orientation for CSAC.

Furthermore, there were no non-Chinese representatives among CSAC’s initial membership.52 The CSAC consists of academic institutes, individuals and internet companies including Tencent and internet security company Qihu 360. CSAC will focus on promoting self-discipline in the industry, accelerating the establishment of industry standards. It will also promote and develop cyber security studies and participate in international cooperation through conferences and comparative bodies.53

CSAC’s membership features 257 individual members, including senior representatives from Alibaba, Chinese network security companies, and influential scientific universities and research institutes, such as the Chinese Academy of Engineering and the Beijing University of Posts and Telecommunications. Understandably, whether foreign representatives are allowed on to this committee will have a major influence on perceptions of its objectivity.54 The creation of these new organisations and policies must be contextualised within China’s broader drive to strengthen cyber governance55 and the concept of Network Sovereignty.56

3.1. China’s Informatisation Strategy and Internet Plus

China’s recent Internet Plus policy is one part of China’s Informatisation Strategy. China’s Informatisation Strategy could simply be described as China’s e-development or online development campaign, connecting industry, government and the polity to the economic benefits of online platforms and marketplaces. The Informatisation Strategy has been Chinese policy since the early 1990s with a goal to build an “information society”. In Chinese, the characters (xinxihua zhanlue 信息化战略) literally explain the force for transformative change (hua 化) that information can provide. It sounds much less technocratic than Informatisation in English. The Chinese Government’s terminology of Informatisation is defined as the transformation of an economy and society driven by information and communications technology. The Chinese Government has used informatisation interchangeably with the terms information society, knowledge economy, and e-development.57 Upgrading networks and technical requirements for the development of the internet is also part of this strategy:

(Informatization), covering the enablers of the knowledge economy and the application of information and communication technology (ICT) to government, business, and society. They identify the

50 ‘中央网信办:正制定个人信息收集规范标准’ [Cyberspace Administration of China: Establishing a standard for collecting personal information] (Xinhua, 11 November 2016) <http://news.xinhuanet.com/2016-11/11/c_1119897534.htm> accessed 25 December 2016.

51 Fang Binxing (方滨兴), chairman of the CSAC, has indicated in interviews that the association’s efforts will fall into the following categories:
• Laws and regulations helping to build out the new information and communications technology (ICT) legal regime.
• Technology support helping to boost the domestic ICT industry.
• Public opinion supervision to help in information control and propaganda.
• Security and stability of information systems, products, and services (conventional cyber security).
• Protecting core Chinese interests under globalization, and promoting globally competitive Chinese IT companies.
The combination of these diverse goals under the umbrella of one association, the CSAC, underscores a trend that started with the creation of the LSG: President Xi is tightly tying together the political bureaucracies overseeing ICT (hardware and software) and digital content (propaganda system). See: Samm Sacks and Robert O’Brien, ‘What to Make of the Newly Established CyberSecurity Association of China’, (Center for Strategic and International Studies, 25 May 2016) <https://www.csis.org/analysis/what-make-newly-established-cybersecurity-association-china> accessed 29 May 2016.

52 Fang Binxing justified favoring Chinese companies over their (possibly) technologically more sophisticated foreign competitors on the grounds that they are more secure since they are bound by local government laws: ibid.

53 ‘Draft law strengthens China’s cyber security legislature’, (Tech 2, 27 June 2016) <http://tech.firstpost.com/news-analysis/draft-law-strengthens-chinas-cyber-security-legislature-322671.html> accessed 30 June 2016.

54 During the launch, Wang Xiujun (王秀军), deputy director of the country’s internet regulator, said that she hoped the association could emphasise safeguarding the country’s internet security and building up China as an internet power, while attracting more cutting-edge cyber security enterprises and talent to enhance the industry’s authority.

55 On 27 December 2016 CAC published China’s first National Cyberspace Security Strategy (“National Strategy”). See: 《国家网络空间安全战略》 [National Cyberspace Security Strategy] (People’s Republic of China) Cyberspace Administration of China, 27 December 2016. The National Strategy offers few fresh initiatives, but summarises goals within the PRC Cyber Security Law and other regulations passed over the past year. A guiding concept is “Network sovereignty”, which the Strategy defines as China’s right to police the internet within its borders and participate in managing international cyberspace. In particular, the strategy also emphasises the need to safeguard key information infrastructure operators.

56 CSAC seems to be an example of President Xi and his former chief cyber security deputy Lu Wei (鲁炜)’s pursuit to align government, industry, and academia around a shared set of cyber governance objectives. Lu Wei was seen as an evangelist for Network Sovereignty. Perhaps Lu’s greatest personal contribution to the evolution of the modern internet was his role as evangelist for China’s approach. He wasn’t just the technocratic architect of a system of controls; he also served as a vocal international advocate for the ideological and practical superiority of such a system. He proudly championed “network sovereignty”. See: Samm Sacks and Robert O’Brien, ‘What to Make of the Newly Established CyberSecurity Association of China’, (Center for Strategic and International Studies, 25 May 2016) <https://www.csis.org/analysis/what-make-newly-established-cybersecurity-association-china> accessed 29 May 2016.

57 Nagy K. Hanna, and Christine Zhen-Wei Qiang. “China’s emerging informatization strategy”, Journal of the Knowledge Economy 1(2) (2010) p162.


challenges facing government, business, and rural informatization, the growing digital divide between rural and urban areas and the innovations pursued to bridge this divide. This holistic framework is then used to identify key gaps and weaknesses in each enabler as well as synergies and cross-cutting coordination issues that need to be managed to support ICT application priorities and achieve national development goals.58

There is a direct connection between Informatisation (or creating online platforms) of government departments, Smart City policies and the need for cyber security laws. On 27 July 2016 China released the Outline of the National Informatisation Development Strategy (“Outline”).59 It begins with the bold statement that “without informatisation, there is no modernisation”. The Chinese Government, through its bold policy statements, displays a keen sense of history and the need for technological advancement. Statements like: “human society has undergone the agricultural revolution and the industrial revolution, and is now undergoing the information revolution” are made. The internet is at the forefront of this new stage of development:

At present, a new round of scientific and technological revolution is unfolding, represented by information technology, the Internet is becoming more of a guiding force for innovation-driven development every day. . . Global informatisation has entered a new stage of comprehensive penetration, cross-boundary convergence, where it accelerates innovation, and leads development.60

The next question is what is novel or reflects incremental Chinese policy change in this grandiose policy statement? ““Internet Plus” [explained in depth below] is a new factor changing the situation” according to the Outline. What this means is unclear. We will assess that statement below. However the Outline also contains a comment that seems to reflect the need for cyber security laws and “Network Sovereignty”.61 (Defined below, but in short, China’s conception of Network Sovereignty is that the internet is subject to national boundaries that individual countries should control and secondly, it also means participation in global internet governance forums).

the construction of a legal system in cyberspace urgently needs to be strengthened, and the potential of information technology in stimulating economic and social development, as well as serving the overall strategic arrangement of the country, has not been fully liberated.62

There are further references to the need to form smart “e-government”63 and engage China’s citizenry in that mission: “move forward the modernisation of national governance systems and governance capacities, strive to be one step ahead in practicing new development ideas, and let informatisation enrich society, enrich the people, and lay a firm basis to realise the Chinese Dream of the great rejuvenation of the Chinese nation.”64

58 “This framework is about creating an information society or knowledge economy “ecosystem”—a holistic approach that engenders integrated leadership and shared vision, facilitates partnerships among stakeholders, and maps the connections and shapes the relationships among diverse players. Accordingly, e-development is defined most holistically so as to facilitate a way of systematically thinking about ICT as enabler of development, of strategically managing informatization programs, of tapping synergies among interdependent elements of ICT, and of communicating to a broad community of practice” See Nagy K. Hanna, and Christine Zhen-Wei Qiang. “China’s emerging informatization strategy”, Journal of the Knowledge Economy 1(2) (2010) p129.

59 This Strategy Outline is an adjustment and development of the “National Informatization Development Strategy 2006–2020” “on the basis of new circumstances”. For an English translation see: ‘Outline of the National Informatisation Development Strategy’ (Central Committee General Office, 27 July 2016) <https://chinacopyrightandmedia.wordpress.com/2016/07/27/outline-of-the-national-informatization-development-strategy/> accessed January 20 2017.

60 “Information technology is blending into biotechnology, new energy technology, new material technology, etc., which is currently triggering mass technological breakthroughs with green, smart and extensive characteristics. Information, capital, technology and talent are flowing ever more quickly at a global scale, the Internet is promoting industrial change, it stimulates the transformation from an industrial economy to an information economy, and a new international division of labour structure is being shaped. The Internet information undertaking represents new productive forces and new development orientations, it promotes an unprecedented enhancement of humanity’s capacity to understand the world and change the world, it is currently profoundly changing people’s ways of production and life, it brings a qualitative leap in productivity, triggers a major change in relationships of production, and is becoming a guiding force remoulding a new structure in the development of the international economy, politics, culture, society, ecology, and military affairs”: see ibid.

61 The concept of Network Sovereignty, now officially translated as Cyber Sovereignty by Chinese Government releases, emerged in 2010, when the Chinese State Council Information Office produced The Internet in China, a white paper on Chinese internet policy. The Internet in China states that: “Within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty. The Internet sovereignty of China should be respected and protected. Citizens of the People’s Republic of China and foreign citizens, legal persons and other organisations within Chinese territory have the right and freedom to use the Internet; at the same time, they must obey the laws and regulations of China and conscientiously protect Internet security.” State Council Information Office of People’s Republic of China (SCIO), “The Internet in China,” China Daily, 8 June 2010, <http://www.chinadaily.com.cn/china/2010-06/08/content_9950198.htm> accessed 10 June 2014.

62 For an English translation see: ‘Outline of the National Informatisation Development Strategy’ (Central Committee General Office, 27 July 2016) <https://chinacopyrightandmedia.wordpress.com/2016/07/27/outline-of-the-national-informatization-development-strategy/> accessed January 20 2017.

63 Despite efforts to introduce freedom of information programs, China does not have a specific law requiring the government to provide information. Moreover, the cost of accessing information is still relatively high. Although the government has built its capacity to provide information to the public, further legal reform is needed to make information administration more open and effective. A government information access law would provide a legal basis to support the free flow of information and the development of e-government.

64 “Raising government informatisation levels. Perfect departmental information sharing mechanisms, and establish state governance big data centres. Strengthen data exchange and sharing, processing and analysis, and monitoring and early warning concerning the operation of the economy, strengthen capacity to support macroeconomic adjustment and policymaking. Deepen the application of informatisation in finance and taxation, support the adjustment of financial relationships between the Centre and the localities, and stimulate reform of the fiscal system. Move forward with


sharing of basic information concerning the population and enterprises, and effectively support reform of the household registration system and reform of rules for commercial affairs. Move forward the informatisation of government openness, strengthen the construction of an Internet information data service platform and service platforms convenient for the people, and provide ever more high-quality and efficient online governmental services”. For an English translation see: ‘Outline of the National Informatisation Development Strategy’ (Central Committee General Office, 27 July 2016) <https://chinacopyrightandmedia.wordpress.com/2016/07/27/outline-of-the-national-informatization-development-strategy/> accessed January 20 2017.

“Strategic Objectives” are firmly focused on strategic goals, such as widespread fifth-generation mobile telecommunications (5G) coverage. These are exceptionally important for Internet of Things movements, where the smartphone is the key user device. There are also more ambitious goals like improving China’s satellite capabilities. These are purely technocratic goals.

3.2. “Cyber security and informatisation are two wings of one body”

There are numerous references to the importance of big data, and the “Internet Plus” Action Plan in driving China’s development. There is a “profound convergence of informatisation and industrialisation.” However, the key point is this: “cyber security and informatisation are two wings of one body”:

Guaranteeing security. Cyber security and informatisation are two wings of one body, two wheels of one cart, they must be planned together, arranged together, moved forward together and implemented together, it must be ensured that they are coordinated and consistent, and are advanced simultaneously; realistically prevent, control and eliminate risks that might occur in the process of informatisation, guarantee development with security, stimulate security with development, strive to build a trend of long-term security, and create an undertaking of long-term order.65

Cyber security is one leg of China’s innovation strategy. According to the Outline, China must therefore “build secure and controllable information technology systems” in order to lead globally “in next-generation mobile telecommunications, next-generation internet and other such areas, strive to build comparative advantages in areas such as mobile Internet, cloud computing, big data, the Internet of Things”.

Indeed innovation and security are intertwined in ambitious goals such as: “comprehensively plan[ning] the construction of a national internet big data platform. Progressively launch socialised trading data back-ups and authentication, and ensure that data are traceable and recoverable.”

The Outline also calls for “deepening international cooperation and exchange”, and “participating in the formulation of international norms”, both key aspects of Network Sovereignty discussed below.

Participating in the formulation of international norms. Vigorously participate in the formulation of international norms for security in cyberspace. Consolidate and develop regional standardisation cooperation mechanisms, vigorously strive for an important position in international standardization organisations. In crucial technologies and important areas such as mobile telecommunications, next-generation Internet, next-generation radio and television networks, cloud computing, big data, the Internet of Things, smart manufacturing, smart cities, cyber security, etc., vigorously participate in the formulation of international standards.66

Finally the Outline in Item 49 urges for the need to “persist in giving precedence to urgent necessities, and accelerate the promulgation of urgently needed laws”.67 China’s Cyber Security Law is listed first.

Furthermore, on 27 December 2016, the Central Cyber Security and Informatisation Leading Small Group approved, and the State Internet Information Office (Cyberspace Administration of China) published the National Cyberspace Security Strategy,68 it too referred to: “Cyber security and Informatisation are two wings of one body, two wheels of one cart.” The policy document outlines the potential of the internet for “greatly stimulating economic and social flourishing and progress, but at the same time, has also brought new security risks and challenges”.

3.3. Internet Plus: will it help China’s Smart City drive?

Internet Plus is the most recent embodiment of China’s Informatisation Strategy. On 5 March 2015, Premier Li Keqiang in the annual Government Work Report69 introduced the Internet Plus70 policy to expand internet-driven economic activity and guide new industry development. Internet Plus seeks to integrate big data, the Internet of Things, and mobile internet with manufacturing, and to promote e-commerce. The plan stated the State Council “aims to further deepen the integration of the Internet with the economic and social sectors, making new industrial modes a main driving force of growth by 2018.” 71

On 4 July 2015, the State Council released the ‘Guiding Opinions on Actively Promoting the “Internet Plus” Action Plan’

65 ibid.

66 ibid.

67 ibid.

68 《国家网络空间安全战略》 [National Cyberspace Security Strategy] (People’s Republic of China) Cyberspace Administration of China, 27 December 2016.

69 The Government Work Report is the annual statement of the Chinese Government’s annual goals and strategic aims.

70 The “Internet Plus” policy is designed to stimulate economic growth through the internet and technology industries. “Internet Plus” entails the integration of mobile internet, cloud computing, big data and Internet of Things with modern manufacturing, fostering new industries and business development, including e-commerce, industrial internet and internet finance. ‘Li Keqiang’s 2015 Government Work Report’, (Sina News, 5 March 2015) <http://news.sina.com.cn/c/2015-03-05/105331571230.shtml> accessed 7 March 2015.

71 ‘China Headlines: China unveils “Internet Plus” action plan to fuel growth’, (The State Council of the People’s Republic of China, 4 July 2015) <http://english.gov.cn/policies/latest_releases/2015/07/04/content_281475140165588.htm> accessed 10 July 2015.


(“Guiding Opinions”).72 The language of the Guiding Opinions reflects everything a Smart City needs, including “openness of public data resources”. The goal is that “by 2025, a networked, intelligent, service-oriented and collaborative Internet Plus industry ecological system shall have been improved basically, a new economic pattern of the Internet Plus shall have been preliminarily formed, and the Internet Plus shall have become an important driver of the innovative economic and social development.”73 “Openness and sharing” and “data sharing” are common phrases throughout the Guiding Opinions.

In addition, the Guiding Opinions delineate several relevant supportive measures for Smart Cities. They include changes to the policy environment: eliminating unreasonable mechanisms and policies, easing internet-integrated product and service market access, and promoting entrepreneurship and innovation. They also include government support for businesses through increased government procurement of cloud services, innovative credit products and services, and crowdfunding.

3.4. Internet Plus v. Censorship and Cyber Security?

Thus, an important objective of Internet Plus is to provide an open and shared innovation platform by dissolving the barriers that restrict innovation for entrepreneurs. China’s manufacturing-driven economy is unsustainable and China must transform to an innovation-driven economy in the Internet Plus era. There is a strong policy-imperative driving Internet Plus. As Internet Plus is Chinese national policy, the Chinese government will play a leading role in establishing an efficient ecosystem and developing industrial parks and incubators for Internet Plus-driven enterprises. “Moreover, in the Internet Plus era, the general public will play an important role by starting new Internet Plus undertakings or contributing their innovative ideas as crowd intelligence.”74

In any country, the government must play a key role to support innovation. In China the picture is more complex due to internet controls and Network Sovereignty and the potential impact on cyber security of, for example, real-name ICT user registration. Despite progress in developing the technocratic environment, China’s legal and regulatory framework for Informatisation faces several challenges. Firstly, as the web between the Chinese Government, large Chinese internet giants such as Alibaba, Baidu and Tencent (known as BAT), foreign technology firms and a large number of third-party service providers operating between the government and these enterprises widens, who gets access to what data, and when becomes increasingly important.75

Secondly, regulations must ensure a level playing field for new innovators versus incumbents that are large and powerful organisations, like BAT, who assist the Chinese Government in its censorship work. Reports of such delegated censoring abound. For example, Alibaba’s Taobao reportedly banned merchants from selling foreign media in China – even media approved by censors. The smaller players in this story (the e-commerce booksellers) are apparently being directed by Alibaba’s directives – not the Chinese regulators.76 Thus, there is a pressing issue: “regulations provide innovators with the certainty of parameters. Without regulations, companies sometimes don’t feel confident to innovate, for fear that there will be a sudden implementation of rules that could land them in trouble.”77

The legal framework for enabling an innovation ecosystem is complex in any country. Issues such as institutional and regulatory competition and overlap – and, in some cases, underdeveloped laws are all difficult to resolve. In China, internet controls pose constant regulatory uncertainty. For example, will China’s new Cyber Security Law restrict market entry by local Chinese start-ups by making compliance too onerous?

The South China Morning Post, formerly a staunch voice of critique on the Party’s mainland rule, before it was acquired by Alibaba’s Jack Ma in December 2015, stated the following in an editorial about Internet Plus:

China is well known for its strict censorship of online content. Hundreds of foreign websites are blocked and Google remains unstable in China. More recently, the influential documentary film Under

72 《国务院关于积极推进“互联网 + ”行动的指导意见》 [Guiding Opinions on Actively Promoting the “Internet Plus” Action Plan] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 4 July 2015. The document, which includes general requirements and targets, detailed action plans, and supportive policies, outlined 11 key Internet Plus actions, including:
• entrepreneurship and innovation.
• collaborative manufacturing.
• modern agriculture.
• smart energy.
• inclusive finance.
• public services.
• efficient logistics.
• e-commerce.
• convenient transportation.
• green ecology.
• artificial intelligence (robotics).

73 ibid. The Guiding Opinions have a stated aim of achieving rapid, high-quality economic growth and industry development, taking advantage of China’s scale and applications of the internet to drive deep and comprehensive integration between the internet and the real economy.

74 Zhu Wang, et al. ‘Internet Plus in China’, [May–June 2016] IT Professional, 18(3), 5,7.

75 “To better connect government with these corporations, the Internet Society of China (ISC) was established. To a certain degree, the ISC is an organization in the vein of the All-China Journalists’ Association or the All-China Lawyers’ Association: a self-regulatory body that connects a profession to the Party. It has issued a number of conventions through which Internet companies voluntarily accept duties and obligations in areas including blog and search engine management, fair-trading and copyright. Its growing role as a conduit between not only the technical and telecommunications side of the Internet, but also the online content industry, is underlined, amongst others, by changes in its governing council. In 2008, some of China’s best-known Internet entrepreneurs, including Alibaba’s Jack Ma, Tencent’s Pony Ma and Baidu’s Robin Li, were selected among the 25 vice-directors of this Council.” See: Rogier Creemers, ‘Cyber China: Upgrading Propaganda, Public Opinion Work and Social Management for the Twenty-First Century’, Journal of Contemporary China, 26(103), (2016) 85, 89.

76 Echo Huang, ‘Taobao is banning merchants from selling foreign media in China – even media approved by censors’ (Quartz, 10 March 2017) <https://qz.com/929540/selling-foreign-media-in-china-even-media-approved-by-censors-is-being-banned-alibaba-baba-groups-online-shopping-platform-taobao/> accessed 12 March 2017.

77 Yasmine Yahya, Regulations essential to support innovation, say analysts, (Straits Times, 10 February 2017) <http://www.straitstimes.com/business/economy/regulations-essential-to-support-innovation-say-analysts> accessed 15 February 2017.


the Dome78 about air pollution in the country has been taken off all major domestic websites.

We all know the key thing about the internet is freedom. If Beijing misses the point and continues to censor access to information, Premier Li’s new Internet Plus strategy will probably just get more Chinese to shop online rather than have any significant and long-term impact on the country’s long-awaited economic transformation.79

How Internet Plus takes shape is unclear. The goal is to improve innovation and efficiency. The key point is that collecting data is great for big data driven initiatives. There is a strong belief that: “[t]he smartphone is the fundamental tool to connect all parties on the Internet and can be the starting point of Internet Plus to link consuming, industries and finance”.80 With China’s incredible smartphone penetration this is certainly a fact. From a technology and development perspective, the more real data, and information collected from real projects, the more diversified programmes and applications can be created to offer to the market. What data is collected and how it is used poses difficult questions regarding the intersection between Network Sovereignty, individual freedoms, and China’s Informatisation drive.

Chinese officials are turning to technology to improve efficiency and tackle developmental problems, but big data solutions to complex developmental problems, such as environmental degradation for example, require technology firms to ensure that their valuable proprietary data is secure and not subject to abuse. In this regard, China’s policy of Network Sovereignty has worried observers, and this has strongly flavoured public responses to China’s Cyber Security Law.

3.5. Network Sovereignty and the Rule of Law

This section analyses the concept of Network Sovereignty in more depth, and poses the question of whether or not China’s Cyber Security Law is an assertion of that concept. Can Chinese policy create successful innovation strategies in the face of uncertainty over the Rule of Law81 including governmental access to public and proprietary big data under Network Sovereignty? China’s newest Five-Year Plan released in March 2016 once again strongly promotes China’s national innovation agenda as the major priority for the Chinese Government.82 Many big ideas are espoused; however, clear regulatory procedures are yet to be mandated. Internet Plus is one of those big policy ideas. However, various recent legal and political developments have made foreign technology firms, governments and observers uneasy about the protections of the Rule of Law in China. Will these new laws, under China’s stated policy of Cyber or “Network Sovereignty”83 slow China’s technological drive? Do these laws contradict/conflict with the aims and ideals of the Internet Plus initiatives?

3.6. The concept of Network Sovereignty

Cyber or “Network Sovereignty” emerged as a policy after President Xi Jinping took office. There are two linked but contrasting aspects of “Network Sovereignty”:

1. “Network Sovereignty” means that the Chinese Government considers the close control of online discourse a matter of national sovereignty. Network Sovereignty means cyber security is akin to a principle in international law similar to exclusive economic zones – a country’s controlled maritime borders. China has debated and implemented increasingly tight data localisation policies over the past few years and proposed further restrictions such as requiring all Chinese data to be held in servers located in China, while

78 The documentary, Under the Dome, shaming China’s environmental degradation, was allowed for viewing online, became viral online, and was then removed by censors. Under the Dome, (穹顶之下 qióngdǐng zhī xià) is a 2015 self-financed, Chinese documentary film by Chai Jing (柴静), a former China Central Television journalist, concerning air pollution in China. The documentary epitomises the complex censorship and policy environment in China. It was viewed over 150 million times on Tencent within three days of its release, and had been viewed a further 150 million times (total 300 million views) by the time it was taken offline four days later.

79 George Chen, ‘Can Li Keqiang’s Internet Plus strategy really save China?’ (South China Morning Post, 8 March 2015) <http://www.scmp.com/business/china-business/article/1732704/can-li-keqiangs-internet-plus-strategy-really-save-china> accessed 10 March 2015.

80 Wu Nan, ‘Is China’s new ‘internet plus’ ambition all about new smartphones?’ (South China Morning Post, 24 April 2015) <http://www.scmp.com/tech/enterprises/article/1773737/chinas-new-internet-plus-ambition-it-all-about-more-smartphones> accessed 19 May 2015.

81 There are radically different interpretations of Rule of Law. Defining Rule of Law in China is a major theoretical task of this research. In commercial law, it means the ability to have certainty in commercial transactions and precision of the laws governing property rights between citizens and the State and between private individuals. Rule of Law is a complex concept in China. It is an evolving subject. Scholars such as Randall Peerenboom have written extensively on the subject: see for example, Randall Peerenboom, China’s Long March Toward Rule of Law (Cambridge University Press, Cambridge, 2002); China Modernizes (Oxford University Press, Oxford, 2007). See also: John, Gillespie, ‘Developing a theoretical framework for evaluating rule of law promotion in developing countries,’ in Rule of Law Dynamics: In an Era of International and Transnational Governance, (eds.) Michael Zurn, Andre Nollkaemper, and Randall Peerenboom, (Cambridge University Press, New York, 2012).

82 The newest Five Year Plan was released in March 2016, as China’s manufacturing comparative advantage erodes and many university graduates are unemployed, China’s innovation economy is a political imperative.

83 Cited as Network or Cyber Sovereignty (“网络主权” “wangluo zhuquan” or “Internet Sovereignty,” as it is sometimes translated. However, it is better translated as “Network Sovereignty” from a neutral language perspective). It emerged as a foundational policy after President Xi took office. In short, the Chinese conception of “Cyber (Network) Sovereignty” is an internet fragmented by national boundaries and regulated individually by national governments. It has become a near-ubiquitous component of Chinese comments delivered to overseas audiences on the subject of internet policy-making. This is a common trend in Chinese politicking that certain phrases become “fashionable” in China’s political discourse. This lexicon has been adopted by the Chinese media. Its position in domestic law is evolving and unclear.


granting access to government authorities.84 What this means for foreign technology and Smart City business operators is discussed further below.

2. Furthermore, China’s conception of Network Sovereignty also means discussions over global internet governance. China has actively been involved in creating global internet technical standards and norms of behavior.

While some fear China’s global impact on the internet, Chinese agencies and engineers are increasingly cooperatively involved in technical standard development and internet regulation working groups.85 This is a major aid for Smart Cities to attempt to create clear and precise technical regulatory standards. Indeed, “[w]hen it comes to standards, strategic engagement is likely to be more successful than isolationism.”86 In many ways, cooperation is inevitable. There continues to be large flows of capital out of China to other countries including into foreign technology companies,87 and the drive for foreign technology companies to enter China ensures that mutually recognised best practices are an aspirational objective.

Indeed without cooperation there can be no extraterritoriality for cyber security laws.88 Network sovereignty is a complex idea as cyberspace is everywhere but China seeks to establish that there are borders in cyberspace that governments can control. Establishing a cyberspace strategy is a statement of the potential collaboration and the potential threats China faces. Cyber security risks emanate from many sources: nation-states; insiders; criminal enterprise and hacktivists. China’s Cyber Security Law begins to identify a series of actors such as “network operators” – broadly defined – and pair them with a potential threat.

The Outline of the National Informatisation Development Strategy at Item 54 defined Network Sovereignty, in part as:

Safeguarding cyber sovereignty and national security. Manage online activities within the range of our country’s sovereignty according to the law, and persist in defending our country’s cyber sovereignty. Persist in preventing and attacking acts to divide the country, incite rebellion, overthrow the regime, destroy unity, steal secrets, etc., through the network.89

On 1 March 2017 China released its strategy on cyberspace cooperation. According to Xinhua, the International Strategy of Cooperation on Cyberspace (“Cyberspace Strategy”) is the first China has released regarding the virtual domain. The Cyberspace Strategy provides a comprehensive explanation of China’s policy and position on cyber-related international affairs as well as the basic principles, strategic goals and plan of action in its Cyberspace relations. China implores other countries to “guard against cyberspace becoming a new battlefield”. The Cyberspace Strategy aims to guide China’s participation in international cooperation in cyberspace, and encourage the international community to build a peaceful, secure, open, cooperative and orderly cyberspace. China seeks a multilateral, democratic and transparent global internet governance system. This may mean moving “central command” of the internet out of US hands90 and into the UN91 and ICANN92. According to Xinhua News agency’s press release93:

The aim of the strategy – jointly building a community of shared future in cyberspace – illustrates China’s approach to cyberspace cooperation. Notably one that is based on peace, sovereignty, shared governance and shared benefits.

The strategic goals of China’s participation in international cyberspace cooperation are: the safeguarding of China’s sovereignty, security and development interests in cyberspace; the secure and orderly flow of information on the Internet; improved global connectivity; maintaining of peace, security and stability in cyberspace; enhancement of international rule of law in cyberspace; the promotion of the global development of the digital economy; and deepening cultural exchange and mutual learning, according to the strategy.

China’s plan of action includes promoting the building of rule-based order in cyberspace, expanding partnership with other countries, boosting institutional reform in Internet governance, jointly combating cyber terrorism and crimes, and protecting individual privacy in cyberspace.

China supports Internet-based innovation and entrepreneurship, and is committed to assisting developing countries with cyber security capacity building, it said.

The country supports the formulation of cyberspace trade rules and effective policy coordination among countries, said the strategy.

China will work with other countries to strengthen global information infrastructure to facilitate the smooth flow of information,

84 These laws are discussed in detail below.

85 ‘CNNIC Hosts “Promote Internet Development through Technology and Standards” Session of WIC Wuzhen Summit’ China Internet Network Information Center, 2 February 2016, <https://cnnic.com.cn/IC/Events/201602/t20160204_53402.htm> accessed 23 March 2017.

86 Nagy K. Hanna, and Christine Zhen-Wei Qiang. “China’s emerging informatization strategy”, Journal of the Knowledge Economy 1(2) (2010) p153.

87 See for example: Julie Zhu and Tova Cohen, ‘China’s tech money heads for Israel as U.S. welcome wanes’ (Reuters, 11 May 2017), <http://www.reuters.com/article/us-china-investment-israel-idUSKBN187080> accessed 17 May 2017.

88 China’s Criminal Law was amended in 2016, to encapsulate cyber crime offences. It could overlap with the Cyber Security Law.

89 For an English translation see: ‘Outline of the National Informatisation Development Strategy’ (Central Committee General Office, 27 July 2016) <https://chinacopyrightandmedia.wordpress.com/2016/07/27/outline-of-the-national-informatization-development-strategy/> accessed January 20 2017.

90 There is currently an ongoing debate in the US, about whether or not the US should cede all governance powers of the internet to ICANN and other not-for-profit bodies.

91 Russia and China, among others, had backed the idea of empowering an obscure United Nations body called the ITU (International Telecommunications Union).

92 ICANN guides the internet’s global Domain Name System (DNS), including policy development for the internationalisation of the DNS system. ICANN also maintains registries of Internet Protocol identifiers. It is a not-for-profit technical body. See: https://www.icann.org.

93 ‘China releases first strategy on cyberspace cooperation’, (Xinhua, 1 March 2017) <http://news.xinhuanet.com/english/2017-03/01/c_136094734.htm> accessed 1 March 2017.


and facilitate cyber culture cooperation among countries, according to the strategy.

With the animation, comic and games industry as a priority area, China will carry out practical cooperation with countries along the Belt and Road, encourage Chinese enterprises to provide online cultural products and services catered to local needs based on local cultural resources, said the strategy.

The strategy was issued by the Foreign Ministry and State Internet Information Office.94

The Cyberspace Strategy reflects the inherent tension between Internet Plus and Network Sovereignty.

China drafted several security laws during 2014–16 that tightened regulation over suppliers of technological equipment and services. Many of these measures involve the concept of “secure and controllable” technology, a loosely defined term that involves government security checks and data storage within China.95 Chinese officials refer to the measures as necessary to national security.96 They would allow China to verify that critical equipment is not vulnerable to hacking and to fight terrorism and criminality. By contrast, foreign governments and trade groups have viewed these policies as onerous and a possible way to discriminate against non-Chinese vendors.

Network Sovereignty’s position in Chinese domestic law is becoming ubiquitous.97 It includes data protection98, banking99 and media regulations,100 China’s 2015 Anti-Terrorism and 2016 Cyber Security Laws. These laws all threatened to affect foreign and Chinese technology companies participating in the Chinese economy. They legislated on high profile matters such as data encryption and technology transfers.101 They created great uncertainty amongst foreign and Chinese technology companies.

In assessing whether these fears are justified, it is necessary to focus on two high profile laws as the most prominent examples of legislated Network Sovereignty: the final version of China’s Anti-Terrorism Law of December 2015, and China’s Cyber Security Law which took effect on 1 June 2017. These laws fit China’s ethos of “Network Sovereignty” – the idea that states

94 For an official English translation see: ‘Full Text: International Strategy of Cooperation on Cyberspace’, (Xinhua, 1 March 2017) <http://news.xinhuanet.com/english/china/2017-03/01/c_136094371.htm> accessed 1 March 2017.

95 The phrase “secure and controllable” (安全可控) is sometimes also referred to as “secure and reliable” (安全可靠) or “indigenous and controllable” (自主可控). The Chinese government has also set out new security requirements in industry-specific regulations. The phrase has appeared in separate pending rules for ICT used in insurance, medical devices, and the Internet Plus sectors (i.e. smart technology, cloud computing, mobile technology, and e-commerce). “There are numerous interpretations of the phrase, but one thing is clear: the government is linking localization with security, which means that Chinese companies have a competitive advantage when it comes to meeting these new security standards. This puts foreign technology companies in a weaker negotiating position, and adds to pressure that they cooperate with local partners, rather than attempting to go it alone in the market.” See Samm Sacks, ‘Apple in China, Part I: What Does Beijing Actually Ask of Technology Companies?’ (Lawfare, 22 February 2016) <https://www.lawfareblog.com/apple-china-part-i-what-does-beijing-actually-ask-technology-companies> accessed 1 March 2017. The term “secure and controllable” was initially introduced in the

97 The National Security Law released on 1 July 2015 covers China’s border security, acts of terrorism but also contains a provision that discusses the need for the Chinese internet to be a “secure and controllable” network and the need to maintain that network safely. Article 25 introduces the concept of a “secure and controllable” (安全可控) network; and Article 59 establishes the concept of “national security review and oversight”.《中华人民共和国国家安全法》 [National Security Law] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 1 July 2015.

98 Currently, there is no comprehensive data protection law in China. However, a draft Personal Data Protection Law has been under review by the government for many years, but there is still no indication as to if and when that law will be passed. It was reported that public opinion has been sought. Reportedly, consultations had already been held with large Chinese companies including Baidu, Alibaba, Tencent, 360 and Huawei. Rather, provisions relating to personal data protection are found in various laws and regulations. Generally speaking, provisions found in laws such as the General Principles of Civil Law and the Tort Liability Law may be used to interpret data protection rights as a right of reputation or right of privacy.

99 See: 《关于应用安全可控信息技术加强银行业网络安全和信息化建设的指导意见》 (称“317号文”) [Guidelines on Promoting the Application of Secure and Controllable Information Technology Products (Circular 317)] (People’s Republic of China) China Banking Regulatory Commission (CBRC), 26 December 2014.

100 For example, the Ministry of Industry and Information Technology (MIIT) and the State Administration of Press Publication Radio Film and Television (SAPPRFT) unveiled new measures that require
《关于应用安全可控信息技术加强银行业网络安全和信息化建设的指导意见》 localisation of server and storage equipment for online publish-
(称“317号文”) [Guidelines on Promoting the Application of Secure ing and take effect 10 March 2016. See: 《网络出版服务管理规定》,
and Controllable Information Technology Products (Circular 317)] [Network publishing services management regulations] (People’s
(People’s Republic of China) China Banking Regulatory Commission Republic of China) Ministry of Industry and Information Technol-
(CBRC), 26 December 2014. It was reported that the CBRC is going ogy (MIIT) and the State Administration of Press Publication Radio
to reintroduce the banking safety rules (the “Revised Regulation”) Film and Television, 4 February 2016, <http://www.gapp.gov.cn/
after consulting representatives of western technology enterprises govpublic/84/1067.shtml> accessed 20 September 2016.
101
such as Microsoft, IBM and Cisco about the revised regulation. It was 《中华人民共和国反恐怖主义法》 [Counter-Terrorism Law] (Peo-
suspended in April 2015 and an amended version was released. ple’s Republic of China) Standing Committee of the National People’s
96
For example, the English language China Daily referenced the Congress (NPCSC), 27 December 2015.In recent years, China and
murder of 29 people and many more were injured by knife- the US have clashed over trade in the technology industry. Last year,
wielding assailants at a train station in Kunming on 1 March 2014 the Obama administration responded to lobbying from American
as evidence of the need for the new law: “The attacks have brought companies against a number of Chinese laws that the companies
greater urgency to Chinese lawmakers’ drafting of an anti- said were devised to push them out of China. China abandoned a
terrorism law. The first draft of the law was submitted for legislators’ regulation restricting what foreign hardware could be sold to Chinese
review in October.”‘Lawmakers weigh China’s draft anti-terrorism law’, banks. China also banned Microsoft’s Windows 8 from govern-
(China Daily, 25 February, 2015) <http://www.chinadaily.com.cn/ ment offices and threatened to phase out of IBM servers from
china/2015-02/25/content_19653472.htm> accessed 22 March 2016. Chinese banks.


should be permitted to govern and monitor their own cyberspace, controlling incoming and outgoing data flows.

3.7. China’s Anti-Terrorism Law

The State Council of China on 27 December 2015, published the Anti-Terrorism Law of the People’s Republic of China. The law came into effect on 1 January 2016. The initial draft was circulated for comment in late 2014. It attracted global criticism, especially from technology companies participating in the Chinese economy. Following several rounds of revisions during the subsequent 12 months, the Standing Committee of the National People’s Congress passed the law unanimously. Most of the debate on the draft law was focused on the so-called “backdoor provisions.” The draft law would have required telecommunications operators and internet service providers to provide the Chinese government with “backdoor” access to their products, to hand over encryption codes for review, and to store local user data on servers within China.

The final law abandoned these demands for encryption review and data localisation. Had the “backdoor provisions” been implemented it is clear that foreign technology companies feared losing their intellectual property via theft through declared backdoors. This may have isolated and slowed China in its innovation and Smart City drive. It would also have had major implications for free and open company data.

The final law only requires telecommunications operators and internet service providers to help decrypt information in the event of a terror attack, but not install security “backdoors” as initially planned in the draft version.102 In reality, this could logically have the same impact as a backdoor. Even if a company has an encryption system, mandated access (in a terror event) is the same as having either a backdoor or front door. Yet the amendment did appear to appease critics of the law.

Furthermore, importantly from a global trade perspective and from a position of commercial reality, the provision in the initial draft that required companies to keep servers and user data within China was removed from the final law. What might have been a major setback for the development of Smart Cities may have in fact been a crisis averted.

This kind of internal debate and compromise is not unusual in recent Chinese law-making.103 It seemingly allows China time to await domestic and international reaction to its draft laws. It also reflects the competing interests within the Chinese Government and the tension between Network Sovereignty and Internet Plus. The Cyber Security Law is another example of a consultative legislative debate, discussed in detail below.

3.8. Assessing the Anti-Terror Law: recent Chinese legislative trends

Assessing the Anti-Terror Law in terms of recent Chinese legislative trends, the question remains whether the counter-terrorism provisions are different from domestic US discussions surrounding backdoor keys for mobile phone encryptions. Is the new law in line with international norms? Is China legislating standard international practice?

3.9. The US, data encryption and backdoor keys

Many Western governments, including the US, have made similar requests for encryption keys. In December 2015, the US simultaneously debated the same backdoor key issue. The US questioned whether to enforce security backdoors, for the Federal Bureau of Investigation (FBI) in counter-terror investigations. Apple CEO Tim Cook released a statement in February 2016, saying: “When the FBI has requested data that’s in our possession, we have provided it. Apple complies with valid subpoenas and search warrants, as we have in the San Bernardino case”.104 The San Bernardino case refers to a terrorist attack in California on 2 December 2015, in which 14 people were murdered by an Islamist terrorist. Cook continued that “[w]hile we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products.” He went on to write that: “ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect”.105

The crux of this debate is a combination of cyber security measures, US political culture and commercial realities. US authorities have had great difficulty un-encrypting devices. Reportedly, Apple uses more secure encryption in its mobile software than does Google for its Android phones, a commercial selling point for Apple.106 Further, highly popular messaging platforms such as Facebook’s WhatsApp, for example, use end-to-end encryption that even the National Security Agency (NSA) had to invest significant resources to crack.107 Facebook has been working on integrating cryptography into its normal chat.108

In the final analysis, the US Justice Department abandoned its bid to force Apple to help unlock the iPhone used by one of the shooters in the San Bernardino terrorist attack. Investigators found a software loophole without Apple’s assistance.109 It was later reported that an Israeli security firm possessed the necessary technology to un-encrypt the iPhone

102
The final law retains the original text on the requirement for providing the government with technical support, including backdoor access and decryption, but only for the prevention and investigation of terrorist activities.
103
Both China’s Anti-Terror Law and Cyber Security Laws went through public consultation periods. Subsequent regulations discussed below also sought public comment.
104
Elias Groll, ‘Why Apple – and Not Google – Is in the FBI’s Crosshairs’, (Foreign Policy, 18 February, 2016) <http://foreignpolicy.com/2016/02/18/why-apple-and-not-google-is-in-the-fbis-crosshairs/> accessed 25 March 2016.
105
ibid.
106
Google cannot encrypt its phone data as securely as Apple. This makes Apple’s encryption technology a commercial selling point. Arguably, Apple’s embrace “of encryption is as much a business model decision as it is a principled embrace of user privacy”: ibid.
107
ibid.
108
Signal is an encrypted instant messaging and voice calling application for Android and iOS.
109
Matt Zapotosky, ‘FBI has accessed San Bernardino shooter’s phone without Apple’s help’, (The Washington Post, 28 March 2016), <https://www.washingtonpost.com/world/national-security/fbi-has-accessed-san-bernardino-shooters-phone-without-apples-help/2016/03/28/e593a0e2-f52b-11e5-9804-537defcc3cf6_story.html> accessed 30 March 2016.


and shared the technology with the FBI.110 It has also been suggested in cyber security circles that the FBI abandoned the matter for political reasons due to public pressure as much as technical reasons.111 Public opinion seemed to be turning against the FBI. Indeed, the Congressional Committee112 Encryption Working Group Year-End Report reported on 20 December 2016 that back doors and “compelled disclosure by individuals” are a bad idea.113 A key question was asked: “[w]hat vulnerabilities remain after communications have been encrypted and how might those vulnerabilities be addressed?”114

The House Committee’s response was emphatic:

Encryption is inexorably tied to our national interests. It is a safeguard for our personal secrets and economic prosperity. It helps to prevent crime and protect national security. The widespread use of encryption technologies also complicates the missions of the law enforcement and intelligence communities. As described in this report, those complications cannot be ignored. This is the reality of modern society. We must strive to find common ground in our collective responsibility: to prevent crime, protect national security, and provide the best possible conditions for peace and prosperity.

That is why this can no longer be an isolated or binary debate. There is no “us versus them,” or “pro-encryption versus law enforcement.” This conversation implicates everyone and everything that depends on connected technologies – including our law enforcement and intelligence communities. This is a complex challenge that will take time, patience, and cooperation to resolve. The potential consequences of inaction – or overreaction – are too important to allow historical or ideological perspectives to stand in the way of progress.115

Apple released a statement: “From the beginning, we objected to the FBI’s demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred. This case should never have been brought.”116 The US government was then left to decide whether it would outline its decryption method to Apple, in keeping with a reportedly little-known process in which federal officials must consider disclosing security vulnerabilities they find to the companies at risk from those loopholes.117

3.10. China, data encryption and backdoor keys

The point of this commentary on US practice is to provide a broader international context for recent Chinese legislative developments and their implications for Smart Cities and innovation of smart technologies. Effective and successful Internet of Things devices and Smart Cities need technologies that talk to each other securely. Open dialogues between people, machines and data, lead to successful Smart City outcomes. Cyber security is an essential part of that dialogue.

Had the “backdoor provisions” in the Chinese Anti-Terror Law been implemented it is clear that foreign and Chinese technology companies would have feared possible intellectual property theft, even if this fear was only based on perception rather than reality.118 In observing the Chinese legal system, foreign critique is often based on perceptions of vague regulations. This negative reaction may be why the law was revised. Regulatory clarity goes a long way towards increasing foreign confidence in China’s legal system.

In April 2016, Cisco Systems signed an agreement with the southern Chinese city of Guangzhou to build a “model smart city”.119 The project is reportedly a first in China. This might suggest that international partners have not been dissuaded

110
“Israeli firm ‘helped FBI crack San Bernardino gunman’s cell phone without Apple’s help’”, Daily Mail, 30 March 2016 <http://www.dailymail.co.uk/news/article-3514875/Israeli-firm-helped-FBI-crack-San-Bernardino-gunman-s-cellphone-without-Apple-s-help.html> accessed 30 March 2016.
111
National reactions to Apple’s opposition of the order were mixed. A CBS News poll that sampled 1022 Americans found that 50% of the respondents supported the FBI’s stance, while 45% supported Apple’s stance: ‘CBS News poll: Americans split on unlocking San Bernardino shooter’s iPhone’, (CBS News, 18 March 2016) <http://www.cbsnews.com/news/cbs-news-poll-americans-split-on-unlocking-san-bernardino-shooters-iphone/> accessed 19 September 2016.
112
Formerly known as the House Judiciary Committee and House Energy and Commerce Committee Encryption Working Group.
113
US Congressional Committee, Encryption Working Group Year-End Report, (. . ..,20 December 2016), <https://judiciary.house.gov/wp-content/uploads/2016/12/20161220EWGFINALReport.pdf> accessed 19 September 2016.
114
ibid., p13.
115
ibid.
116
Matt Zapotosky, ‘FBI has accessed San Bernardino shooter’s phone without Apple’s help’, (The Washington Post, 28 March 2016), <https://www.washingtonpost.com/world/national-security/fbi-has-accessed-san-bernardino-shooters-phone-without-apples-help/2016/03/28/e593a0e2-f52b-11e5-9804-537defcc3cf6_story.html> accessed 30 March 2016.
117
ibid.
118
In the cyber security community, the belief is that back doors are dangerous. They could allow China to develop so-called NOBUS exploitation technology. The phrase NOBUS comes from “NObody But US”, and concerns security vulnerabilities that the United States National Security Agency (NSA) believes that only it can exploit. This opens up major ethical questions: should China stockpile internet vulnerabilities or disclose and fix them? “It’s a complicated problem, and one that starkly illustrates the difficulty of separating attack and defense in cyberspace.” Bruce Schneier, ‘Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them?’ (The Atlantic, 19 May 2014) <https://www.theatlantic.com/technology/archive/2014/05/should-hackers-fix-cybersecurity-holes-or-exploit-them/371197/> accessed 20 February 2016.
119
“Cisco partners with Guangzhou to build ‘model smart city’”, China.org.cn, 22 April 2016, <www.china.org.cn/business/2016-04/22/content_38308997.htm>. Cisco will establish a head office for innovation in Guangzhou’s Panyu District to develop technology related to the Internet of Everything (IoE) and the Internet of Things (IoT), and create an IoE/IoT cloud platform to serve industry. Through big data, cloud computing, and the IoE/IoT, a smart city can address problems such as traffic jams and pollution more efficiently. Guangzhou, as a national hub for advanced manufacturing, is actively transforming its traditional industries with the introduction of new technology. Cisco announced last June that it would invest 10 billion U.S. dollars to support local innovation, and later set up a joint-venture with Chinese cloud computing and data center company Inspur.


from investing in Chinese Smart City infrastructure by the Anti-Terror Law. Cisco’s deal with the city of Guangzhou is perhaps an endorsement of China’s legislative decisions. Or perhaps an indication that foreign firms cannot be too fastidious. Otherwise they will end up like Google: restricted from doing business in China.120

Nevertheless, the amendment of the Anti-Terror Law provides some support for the hypothesis that foreign technology companies will be able to negotiate their data security arrangements under the new Cyber Security Law.

3.11. Big data, cloud computing, The Internet of Things and Cyber Security

Before this paper considers China’s Cyber Security Law in depth, it is important to acknowledge that China has been very successful in developing its innovation ecosystem and as a result faces genuine cyber security threats.

There is an intersection between big data and the Internet of Things (IoT), big data adoption, analytics, big data distributions, and cloud computing intelligence and cyber security. The IoT hardware device collects the (big) data (through sensors for example) and then the analytics team (or artificial intelligence) discover the value of the data. ‘Things’ already range from automotive subsystems and security cameras to Bluetooth beacons, smart garments, agricultural crop sensors and many other ‘things’.

A company’s ability to manage big data analytics is critically important to their success or failure with IoT devices. IoT along with artificial intelligence is a core justification for investing in and implementing big data analytics. That is, the companies that store all that valuable device data are concerned about making big data usable. There is a belief beyond the IoT hype that: “[e]very enterprise needs to factor in how the Internet of Things is going to affect them and their business, and must respond by establishing the right infrastructure to support this level of Big Data and analytics. If they don’t, they will fall behind.”121 This is where China’s Cyber Security Law and what it says about enforced data collections (discussed below) is important.

Protection of data has much to do with cyber security and cyber security protocols. Data analytics can also provide cyber security insights. However, cyber security is crucial. Security is a major concern for businesses as they research and implement IoT infrastructure. American multinational telecommunications conglomerate AT&T noted that 2014–2016 has seen a 3198% increase in attackers scanning for vulnerabilities in IoT devices.122 In a survey AT&T conducted in 2016, 58% of business leaders said they were not confident in the security of their IoT devices.123

For enterprises, the Internet of Things (IoT) currently represents something of a double-edged sword. On the one hand there are manifold opportunities to boost the efficiency of products and services, create new revenue streams and reduce operational costs by connecting all manner of devices (‘things’) to the internet and analysing the data they generate. On the other hand, this is still an immature market in which architectures, technologies, standards and vendors are all moving targets, making investment a risky business. In particular, security is a major worry when it comes to the IoT.124

At the network level there are great risks.125 This is where China’s Cyber Security Law and what it says about protected critical infrastructure is important. At the same time, the Law could unduly restrict China’s impressive emerging entrepreneurial ecosystem. The issue of storing data in the cloud securely will only become increasingly important. This is one area of law that can really delay and impact China’s innovation drive.

3.12. IoT, Shanzhai and Shenzhen

As connected devices become common, Shenzhen’s manufacturing heritage, talent base and manufacturing and technology workers make it a perfect IoT hub, not just for China, but the entire world. Increasingly, many Wholly Foreign-Owned Enterprises (WFOEs) are setting up in Shenzhen. Furthermore, many foreign firms are working with electronics parts manufacturers in Shenzhen and are looking to manufacture products, create joint ventures or enter technology licensing agreements. There is an obvious reason for this, as Forbes Magazine noted:

The IoT sector has found its center of gravity in a city far away from Silicon Valley, in the bustling, southern Chinese Special Economic Zone of Shenzhen. The Tier 2 China city with a population of approximately 14 million is located 40 km north of Hong Kong. While the city has always had a special identity as an entrepreneurial manufacturing hub, more recently it has become the darling of IoT entrepreneurs from around the world.126

120
Google.com has faced persistent blocking in China by Chinese authorities, despite periods of time when it was unblocked, such as the Beijing Olympics.
121
Howard Baldwin ‘A Match Made Somewhere: Big Data and the Internet of Things’ (Forbes, 24 November 2014) <http://www.forbes.com/sites/howardbaldwin/2014/11/24/a-match-made-somewhere-big-data-and-the-internet-of-things/#700337432028> accessed 15 July 2015.
122
‘AT&T, IBM, Nokia, Palo Alto Networks, Symantec and Trustonic Form IoT Cybersecurity Alliance’, (AT&T Newsroom, 8 February 2017) <http://about.att.com/story/iot_cybersecurity_alliance.html> accessed 3 March 2017.
123
ibid.
124
Charles McLellan, ‘Internet of Things in the enterprise: The state of play’ (ZDNet, 1 February 2017) <http://www.zdnet.com/article/enterprise-iot-in-2017-the-state-of-play/> accessed 3 March 2017.
125
Several IoT technology areas have multiple contenders to choose from. In low-power short-range wireless networks, for example, there is Zigbee (and other IEEE 802.15.4-based PANs), ZWave, Bluetooth (4 and 5), DASH7, WiFi, NFC and WiGig. Several options are available for low-power wide-area networking too, including proprietary technologies like Sigfox, incumbent 2G/3G cellular networks and NarrowBand IoT (NB-IoT) – the latter being the likely long-term winner.
126
Falguni Desai, ‘Innovators Find Internet of Things Paradise in Shenzhen’ (Forbes, 7 March 2016) <http://www.forbes.com/sites/falgunidesai/2016/05/07/innovators-find-internet-of-things-paradise-in-shenzhen/#5bf14931552d> accessed 1 March 2017.


According to Wired Magazine, a “unique manufacturing ecosystem has emerged in Shenzhen. Inventors or makers have access to the world’s leading hardware-prototyping culture whilst challenging misconceptions from the West.”127 A uniquely Chinese element is apparent. The “evolution of “Shanzhai” – or copycat manufacturing – has transformed traditional models of business, distribution and innovation, and Wired asks what the rest of the world can learn from Shenzhen – the so-called “Silicon Valley of hardware”.

Shenzhen-based HAX is the world’s largest hardware accelerator,128 and their General Partner Benjamin Joffe elucidated that:

The reason why HAX is based in Shenzhen and not Hong Kong is because of the immediate access to the components market for prototyping and to the manufacturing ecosystem and know-how. It’s immediate, cheaper and faster. It’s literally one click away.129

Furthermore, an hour away by train, Hong Kong “has the benefits of a first world capital: Open Internet, international workforce, rule of law, widespread English and first-world lifestyle.”130 There is also a long list of major Chinese technology companies headquartered in Shenzhen: Huawei and ZTE (telecommunications equipment, phones), Tencent (internet, mobile apps), DJI (drones), OnePlus (mobile phones), to name the most prominent.

With this background in mind, the question should be why would China allow its new Cyber Security Law to tarnish a seemingly organic success story in Shenzhen: a government-initiated Special Economic Zone that has become the world’s darling “Silicon Valley of Hardware” and the home of the Internet of Things?

4. Part III: China’s Cyber Security Law

On 6 July 2015, the Standing Committee of the National People’s Congress released a first draft of the Cyber Security Law of the People’s Republic of China (Draft) (《中华人民共和国网络安全法(草案)》) (Draft)131 for public comment. When it was finally adopted in November 2016, it became the first Chinese law that focused exclusively on cyber security and China’s first attempt to legislate a comprehensive cyber security regime.132 The draft law signalled that the Chinese Government was tightening control on domestic networks and data security in line with its policy of Network Sovereignty. The draft law also caused great concern among foreign companies fearing provisions requiring the turnover of encryption keys to communications equipment under certain circumstances.

The first draft granted authorities the power to cut internet access in public security emergencies, and required data localisation of servers in China as well as cyber security reviews of company data. These moves dovetailed with other regulations that required foreign technology companies with businesses in China to store data on servers located inside the country.

Many observers waited for an about-face and a watering down of controversial provisions as had occurred with the Anti-Terror Law. When in November 2016, the Standing Committee of the National People’s Congress approved the Cyber Security Law despite foreign opposition,133 hopes that the Chinese government would respond positively to the concerns expressed on the draft Cyber Security Law were dashed. This development was in stark contrast to China’s Anti-Terror Law.134

The Cyber Security Law took effect on 1 June 2017, so it is important to analyse its key provisions and consider whether the fears of its critics are justified.

4.1. Vague regulations make compliance difficult

The international business community has focused much of its attention on how business obligations will change for Mainland China operations and how the law will affect cross-border handling of customer, operations, and other data. These are all legitimate questions Chinese regulators need to elaborate upon through detailed implementing rules.

• Firstly, only “network products and services” used in “critical information infrastructure” (still not fully defined) will be subject to review. The law’s text offers no details on what this will entail. According to The Interim Measures for Cyber Security Review, the review will not be a compliance test, but will focus more on the trustworthiness of the company and its supply chain.135
• Secondly, “information infrastructure operators” must store user data within the territory of mainland China.

127
Wired Magazine released the documentary: ‘Shenzhen: The Silicon Valley of Hardware’ (Youtube, 5 July 2016). See: <https://www.youtube.com/watch?v=SGJ5cZnoodY>.
128
Startup accelerators vary but are usually fixed-term, cohort-based programs that include mentorship and culminate in a public pitch event.
129
Falguni Desai, ‘Innovators Find Internet of Things Paradise in Shenzhen’ (Forbes, 7 March 2016) <http://www.forbes.com/sites/falgunidesai/2016/05/07/innovators-find-internet-of-things-paradise-in-shenzhen/#5bf14931552d> accessed 1 March 2017.
130
ibid.
131
After first and second drafts were released for public consultation in June 2015 and May 2016, respectively, it was a third draft issued in October 2016 that was ultimately passed into law. 《中华人民共和国网络安全法(草案)》 [Cyber Security Law of the People’s Republic of China (Draft)] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 6 July 2015.
132
Previously, regulations relating to cyber security in China were scattered across many different laws, regulations and regulatory documents. For example, Administrative Measures on Internet Information Services (last amended in 2011), and Telecommunications Regulations of the People’s Republic of China (last amended in 2016).
133
The Cyber Security Law of the People’s Republic of China was adopted at the 24th session of the Standing Committee of the 12th National People’s Congress on November 7, 2016. With seven chapters and 79 articles, this Law will come into force on 1 June 2017.
134
China’s Anti-Terror Law had rules requiring companies in the financial sector to prove the “security and controllability” of their equipment through intrusive testing were suspended. Encryption code handover requirements under national security and counter terrorism laws were also rolled back.
135
《网络产品和服务安全审查办法 (试行)》 [Interim Security Review Measures for Network Products and Services] (People’s Republic of China) Cyberspace Administration of China, 2 May 2017.


Problematically, data collection operators are obliged to store data and personal information collected and produced by their services in China.136 Companies may apply for exceptions to this rule, but only after undergoing an additional audit and certification process unspecified by the new law.
• The law also requires internet company operators to cooperate with investigations involving criminal conduct and national security. Companies must give government investigators full access to their data if national security risks are suspected.137 The new law states that the Chinese Government will take measures to monitor, defend and handle cyber security risks and threats originating from within the country or overseas sources, protecting key information infrastructure from “attacks, intrusion, disturbance and damage”.138 The review process is unclear.

4.2. Vague rules: 1. Who do the laws apply to?

Of course, a preliminary question is who does the law apply to? Depending on how a company is viewed under the Cyber Security Law, the Law imposes security obligations. Further uncertainty surrounds exactly who will be caught by the new rules. Definitions of entity types are not clear. While the new law will clearly apply to businesses and organisations, the extent to which its terms will apply to individual employees and officers as well as web users is unclear. However, China is at the vanguard of legislating cyber security laws, thus, some fluidity of definitions should be expected if not encouraged in some circumstances.

The following types of entities are considered by the law:

• “Suppliers of network products and services”139
• [Suppliers of] “critical network equipment and specialised cyber (network) security products”140
• “Network Operators”141
• “Critical infrastructure operators”142
• “Electronic information distributors”143
• “application software providers”144
• “electronic information distributor service providers”145
• “application software download service providers”146

It seems that the Cyber Security Law is trying to capture technology firms including Smart City providers, who may control “critical network equipment”. This law is necessary for a country so focused on ambitious Smart City goals. “Network” and “network operators” under article 76(1) and 76(3) are not clearly defined. However, it seems that under the Law, an IoT manufacturer may be considered to be a “network operator” (as a “network service provider” (under Article 76) or perhaps more likely a provider of “network products”).147 Furthermore, IoT manufacturers or Smart City providers might be considered in control of “critical network equipment” or “specialised network security products” (Articles 22–23). In turn, a firmware148 administrator could be considered to be a “network operator” or “application software download service provider” (Article 48).

When read in light of China’s Smart City and Internet of Things drive it seems that these definitions are less abstract but remain vague. Viewed in light of China’s connected Smart Cities, China’s need to protect infrastructure is justifiable. However, what equipment falls into the category of “key network equipment” and “specialised network security products” is unclear. It is also unclear according to what criteria or procedures “critical information infrastructure facilities security assessments” will be conducted.

136
《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 37.
137
See Articles 12, 28, 31, 35, 58 and 63 that refer to national security events and the corresponding requirements.
138
ibid. See Article 75.
139
“网络产品”, “服务的提供” (Articles 22, 64). Providers of “network products and services” must comply with national and mandatory standards. Their products and services must not contain malicious programs; must take remedial action against security issues and report them to users and relevant authorities. They must also provide security maintenance for their products and services, which cannot be terminated within the contract term agreed with customers.
140
“网络关键设备 和网络安全专用产品” (Article 23). Critical network equipment and specialised cyber security products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. Understandably there are concerns that this may create barriers to international businesses looking to enter the Chinese market.
141
“网络运营者” (Articles 9, 21, 24–25, 28–29, 31, 40–43, 47, 49–50, 55–56, 59, 61, 64, 68–69, 72, 76). A range of new obligations apply to organisations that are “network operators” (ie network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators argue these broad definitions could catch any business that owns and operates IT networks/infrastructure or even just websites in China. Reports suggest vague terminology could be intended to catch popular apps such as Taobao and WeChat, which have millions of daily users in China who would be affected by a security breach. This is not necessarily a sinister appraisal relating to censorship.
142
“关键信息基础设施的运营者” (Articles 34–39, 59, 65–66).
143
“电子信息发送者” (Articles 48, 68).
144
“应用软件提供者”.
145
“电子信息发送服务的提供者” (Articles 48, 68).
146
“应用软件下载服务提供者” (Articles 48, 68).
147
As regards network security, network operators must fulfill certain tiered security obligations according to the requirements of the classified protection system for cyber security, which includes: formulating internal security management systems and operating instructions; appointing dedicated cyber security personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, back up, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
148
In simple terms, Firmware is software that is embedded in a piece of hardware. In the context of Internet of Things companies it is important how firmware is classified under the Cyber Security Law with regard to security protocols.


4.3. Vague rules: 2. Data storage requirements

Article 37 has worried foreign observers. The Article was perhaps widened between the final draft and the passing of the law. The word “citizen’s” was deleted, requiring all “personal information149 and important business data collected and produced” in China to be stored in China:

Article 37: Citizens’ personal information and important business data collected and produced by critical information infrastructure operators during their activities within the territory of the People’s Republic of China, shall be stored within the territory; where due to business requirements it is truly necessary to provide it outside the mainland, a security assessment shall be conducted according to the measures jointly formulated by the national cyberspace administration and the relevant departments of the State Council. Where laws or administrative regulations provide otherwise, those provisions apply.150

This changed phrasing now explicitly includes the data of non-Chinese residents living, studying and working in China. Understandably, Article 37 has created fears of potential intellectual property theft in China. For example, in a national security event, China could demand encryption keys to servers containing business data stored in China. Data storage compliance costs and the scope of “security assessments” have also proved worrying.

However, Article 37 also allows for data storage exceptions, and future regulations might provide more clarity about who is exempt from the requirement. Personal data and important business data generated or collected in China by the operators of Critical Information Infrastructure Facilities must be stored in China. However data transfers abroad are allowed if:

(i) there is a business need; and
(ii) security assessments are passed according to the rules issued by the Cyberspace Administration of China (CAC)151 or other relevant governmental agencies.

Again, a loop-hole exists. Exemptions will likely operate. Thus, if a company can prove that it is “truly necessary” to store such information abroad, they must work with the State Council to formulate specific monitoring procedures. Yet, the law does not specify what is meant by other “important business data” in Article 37. That ambiguity may mean keeping more data inside China, costing overseas companies more money, and heightening fears of proprietary big data theft.

Article 34 is equally broad, requiring firms that operate “critical information infrastructure” to comply with all other obligations created by law or administrative regulation in performing security protection obligations.

Article 34: In addition to the provisions of article 21 152 of this Law, critical information infrastructure operators shall also perform the following security protection obligations:

(1) Set up specialised security management bodies and persons responsible for security management, and conduct security background checks on those responsible persons and personnel in critical positions;

(2) Periodically conduct network security education, technical training and skills evaluations for employees;

(3) Conduct disaster recovery backups of important systems and databases;

(4) Formulate emergency response plans for network security incidents, and periodically organise drills;

(5) Other obligations provided by law or administrative regulations.153

However, it is likely that Article 34 will become important to offsetting foreign fears, as companies will negotiate mutually agreed upon outcomes with the Chinese Government. These agreements may be part of joint venture or licensing agreements, or like Microsoft, companies could open a “transparency centre” where Chinese Government coders could test and analyse Microsoft’s products for security.154 Perhaps a regulatory precedent will be set by Microsoft’s new centre. Indeed Article 34 may just be a codification of existing practices.

The head of Cyber Security Strategy for the Asia-Pacific at Siemens AG argued China’s new law reflected common practices and existing informal pressures:

Beyond the new and pending laws and regulations, foreign firms already face pressure to submit source code, undergo security audits, and localize data and equipment. These procedures are costly and expose foreign tech companies to a host of security, regulatory, and IP risks in order to be in the market.

Foreign tech firms have been providing at least partial source code to the Chinese government for years. For example, Microsoft provided Windows source code to the Chinese government in the 1990s. And it remains the common practice today. Providing source code is not necessarily the same as providing so-called “backdoor”

149
“Personal information” is defined as including all kinds of information, recorded electronically or through other means, that can identify a person’s identity, including full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers.
150
《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 37.
151
The Cyberspace Administration of China (CAC) (国家互联网信息办公室) is the central internet oversight and control agency for the People’s Republic of China. CAC was founded in 2014 and is discussed in depth below.
152
Discussed below. It pertains to security inspections.
153
《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 34.
154
Tekendra Parmar, ‘China: Tech Giants Push Back Against Beijing’s New Cyber Security Bill’, (Fortune, 2 December 2016), <http://fortune.com/2016/12/02/cyber-security-bill-source-code/> accessed 12 December 2016.


access to device contents, but it does have significant security implications. And understanding the ongoing provision of such information is necessary to meaningfully evaluate the consequences of other requirements.

Similarly, security audits are also a regular part of operating in the China market. In practice, a security audit could range from something as benign as sitting down for a series of meetings with government officials – perhaps from the Ministry of Public Security – and answering questions about security features, data storage, or management techniques to something far more invasive. And as a consequence of the pending laws and regulations, these security reviews are likely to become increasingly intensive.155

One important question is: If you provide a service for a State-Owned Enterprise – are you then a critical infrastructure provider? It probably depends on the kind of information in question as well as how “other important data” is defined.156

4.4. Vague rules: 3. Unclear product review requirements

Article 65 states that “critical information infrastructure providers” stand to violate the law if they use products or services that “have not had safety inspections or did not pass safety inspections.” Article 31 provides a seemingly partial definition of “critical infrastructure operators” who are subject to a cyber security review:

The State implements focus protection for critical information infrastructure in important sectors and areas such as public telecommunications and information services, energy, transportation, irrigation, finance, public services, e-government, etc., as well as other critical information infrastructure that, whenever it is destroyed, loses its ability to function or encounters data leaks, may gravely harm national security, the national economy, the people’s livelihood and the public interest, on the basis of the tiered cyber security protection structure. The concrete scope of critical information infrastructure and security protection rules are formulated by the State Council.157

However, the nature and procedure for these safety inspections remain unspecified.

Article 21 also states that “specialised network security products” must meet a set of standards released in a “catalogue” by the State Council, the administrative body chaired by Premier Li Keqiang. The standards in this catalogue have yet to be revealed. The government will also formulate and promulgate the catalogue of key network equipment. Products and services providers shall comply with the compulsory requirements of relevant national standards. It is provided in the Cyber Security Law that “key network equipment” and “specialised network security products” must be either certified or tested by a licensed security certification institution in order to ensure compliance with relevant national and industry standards and are not allowed to be released into the China market unless they have passed the certification or testing process.

Chinese regulations often lack clarity, ultimately leaving both Chinese and foreign companies without a proper roadmap for how to abide by the law. It is the kind of business environment the Party-State prefers, due to its flexibility and room for official discretion and control. Those who seek to conduct business must do so by China’s currently unclear but also flexible rules. Further regulations will likely clarify some of these issues, responding to business concerns.

Vague regulations do make compliance difficult. The question remains, however, do these vague regulations shut foreign ICT service providers out of the market? The answer to this question is unclear. It is important to remember Chinese industry faces the same obstacles from the Chinese regulatory environment. New security regulations will also bring added compliance costs to Chinese start ups and small-to-medium sized companies, perhaps inhibiting Chinese innovation. Nevertheless, a common perception among foreign commentators is that China’s Cyber Security Law simply benefits Chinese incumbents, such as Alibaba’s cloud computing arm, AliYun.158

4.5. The centralisation of China’s internet regulatory authorities: Network Sovereignty’s silver lining for technology companies?

If it is true that some of the criticism of China’s legal system emanates from its perceived legislative vagueness, it is also true that China is addressing some of these concerns. While China’s Network Sovereignty push poses challenges for global internet governance, it also may conceal “something of a silver lining for global technology firms wishing to operate in China”.159 This is also helpful for groups seeking to influence the cyber security compliance debate.

Under the Cyber Security Law, there is no confusion as to which bureaucracy is in charge. The Law streamlines the regulatory structure:

155
Samm Sacks, ‘Apple in China, Part I: What Does Beijing Actually Ask of Technology Companies?’ (Lawfare, 22 February 2016) <https://www.lawfareblog.com/apple-china-part-i-what-does-beijing-actually-ask-technology-companies> accessed 1 March 2017. In January 2015, Apple became the first foreign technology company to publicly announce it would comply with China’s increasing security review procedures: Yin Cao, ‘Rule to protect security “on the way this year”’, (China Daily, 22 January 2015) <http://www.chinadaily.com.cn/china/2015-01/22/content_19373572.htm> accessed 1 July 2016.
156
Indeed, “critical information infrastructure operators” must comply with Articles 34–39, 59, and 65–66, which are all provisions strongly geared towards cyber security incident prevention and disaster recovery and technical support. This further suggests this new law is strongly focused on China’s Smart City and Internet of Things ambitions. Yet compliance requirements are still vague.
157
《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 31.
158
See for example: ‘China’s Cybersecurity Law Enacted’ (ChinaTechNews, 7 November 2016) <https://www.chinatechnews.com/2016/11/07/24439-chinas-cybersecurity-law-enacted> accessed 10 November 2016.
159
Scott Livingston, ‘Beijing Touts “Cyber-Sovereignty” In Internet Governance: Global Technology Firms Could Mine Silver Lining’, (China Law Blog, 19 February 2015) <http://www.chinalawblog.com/2015/02/beijing-touts-cyber-sovereignty-in-internet-governance-global-technology-firms-could-mine-silver-lining.html> accessed 25 February 2015.


Article 23: Critical network equipment and specialised cyber security products shall follow the compulsory requirements of relevant national standards, and be safety certified by a qualified establishment or meet the requirements of a security inspection, before being sold or provided. The National Cyberspace Administration together with the relevant departments of the State Council, formulate and release a catalogue of critical network equipment and specialized cyber security products, and promote reciprocal recognition of safety certifications and security inspection results to avoid duplicative certifications and inspections.160

This leaves China’s Cyberspace Administration (explained above) in charge of cyber security matters. Articles 50–53 state that the National Cyberspace Administration is the highest authority.161 Article 51 clearly states that the National Cyberspace Administration is in charge of coordinating the relevant departments in matters involving cyber security.162 Article 39 states that the State network information departments shall comprehensively coordinate relevant departments for various tasks such as inspections and technical support.163

5. Part IV: are fears of the new law justified?

There is an understandable fear among foreign and Chinese companies, and any company that relies on foreign software systems to run its business in China. The requirements to store data locally as well as only employing technology deemed “secure” might amount to Chinese firms gaining another edge over foreign rivals. Storage requirements, however, remain unclear. It is true that: “[t]he law also requires business info and data on Chinese citizens gathered within the country to be kept on domestic servers and not be transferred abroad without permission. That last condition hampers the operations of multinationals accustomed to a global Internet computing environment”.164 Yet this may also harm China’s innovation plans:

For example, requirements for data localisation may prevent engineers that are employed by the same Chinese firm, but located separately in Europe and China, from effectively communicating on how to rapidly address a problem. This would provide a particular challenge given that they would be competing in international markets with companies that do not face this limitation.165

There are also obvious implications for Smart Cities, often built in China with foreign technology partners such as IBM and Cisco. As their R&D and major operating bases are outside of China – foreign technology partners will likely need to send data outside of China. Foreign technology partners may also not agree to transfer data used in building applications for privacy reasons.

In the Chinese Party-State, where the government uses the media as a tool for public policy statements, there is often a discord between Chinese-language news sources and English-language news sources. Chinese-language news is for domestic consumption. English-language news is how the government wants the international community to digest vague laws. It means little to Chinese citizens.

In English, Xinhua news agency highlighted provisions of the Cyber Security Law that state that “efforts will also be made to punish criminal activities online and safeguard the order and security of cyberspace. Individual users and organizations are not allowed to jeopardize security on the Internet or use it to “damage national security, honor and interests””.166 That language is certainly reminiscent of Chinese internet censorship and the increasing growth of Network Sovereignty-inspired legislation. Xinhua further noted that: “[o]nline activities that attempt to overthrow the socialist system, split the nation, undermine national unity, advocate terrorism and

160
《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 23.
161
“Article 50: The National Cyberspace Administration and relevant departments perform cyber security supervision and administration responsibilities; and where discovering information the release or transmission of which is prohibited by laws of administrative regulations, shall request the network operators stop transmission, employ disposition measures such as deletion, and store relevant records; for information described above that comes from outside mainland People’s Republic of China, they shall notify the relevant organisation to adopt technological measures and other necessary measures to block the transmission of information.” 《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 50.
162
“Article 51: The State establishes cyber security monitoring and early warning and information bulletin systems. The National Cyberspace Administration shall do overall coordination of relevant departments to strengthen collection, analysis and reporting efforts for cyber security information, and perform unified release of cyber security monitoring and early warning information in accordance with regulations.” 《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 51.
163
“Article 39: The State Internet Information department shall comprehensively coordinate relevant departments. The following measures may be adopted in order to protect the security of critical information infrastructure: With respect to random inspection testing of security risks to information infrastructure, [they may] propose measures for improvement, and when necessary to do so may appoint specialist inspection and detection institutions to undertake testing and evaluation for security risks; Periodically organise critical information infrastructure operators to conduct emergency cyber security drills, increasing the level and coordination of responses critical to information infrastructure responses to cyber security incidents. Promote cyber security information sharing among relevant departments, the operators of critical information infrastructure, cyber security services institutions and relevant research institutions. Provide technical support and assistance for cyber security emergency management and recovery and so forth.”
164
‘China Adopts Cybersecurity Law Despite Foreign Opposition’, (Bloomberg, 7 November 2016) <https://www.bloomberg.com/news/articles/2016-11-07/china-passes-cybersecurity-law-despite-strong-foreign-opposition> accessed 7 November 2016.
165
European Chamber of Commerce in China, ‘China Manufacturing 2025: Putting Industrial Policy Ahead of Market Forces’, March 2017, p26.
166
‘Xinhua Insight: China adopts cybersecurity law to protect national security, citizens’ rights’, (Xinhua, 7 November 2016) <http://news.xinhuanet.com/english/2016-11/07/c_135812209.htm> accessed 7 November 2016.


extremism are all prohibited, according to the provisions, which also forbid activities including inciting ethnic hatred, discrimination and spreading violence and obscene information.”167

Again this seems to reflect the increasing promulgation of Network Sovereignty-inspired legislation. However, there is another explanation. The final version, when compared with previous drafts of the Cyber Security Law reinforces the provisions targeting cyber fraud and cyber crime by imposing criminal, administrative and legal penalties against individuals and entities that commit cyber fraud and cyber crime. The law is clearly targeting criminal behaviour in this regard.

Nevertheless, increasing use of this language has worried foreign observers. Critics of the law say it threatens to shut foreign technology companies out of various sectors deemed “critical”, and includes contentious requirements for security reviews and for data to be stored on servers in China. In a statement, James Zimmerman, chairman of the American Chamber of Commerce in China, argued the law has more to do with protectionism than cyber security: “[i]n terms of improving security, this law is at best a missed opportunity, and some of the measures seem to emphasize protectionism rather than security.” He was adamant that:

one thing is for sure: the more difficult it is for data to travel across the Chinese border, the more difficult it will be for companies inside those borders to innovate, and China risks becoming isolated technologically from the rest of the world.168

Conversely, Chinese companies may try to evade government pressure to buy from local technology suppliers deemed more “secure”. Securing network infrastructure is a responsibility that must be addressed regardless of the nationality of the ICT product vendor. This is the question being asked of Network Sovereignty. Will it slow China’s innovation drive?

5.1. Objectively assessing China’s Cyber Security Law: censorship and cyber security are not the same thing

If we separate aspects of this law concerning censorship and Network Sovereignty, perhaps the law’s cyber security aims could be more objectively assessed? Of course, it is a difficult task to decipher the Chinese Government’s intent. As with many pieces of legislation anywhere in the world there are multiple purposes.

Therefore an objective assessment of the Cyber Security Law requires an objective assessment of its goals. One must evaluate the regulatory framework by: firstly, studying whether the Chinese policy measures are effective in achieving their proposed aims; and secondly, by assessing the logic behind the policies, which may suggest that China’s innovation policies induce certain outcomes, but equally impede others.

Indeed, there is a perception that the pursuit of innovation sometimes conflicts with other interests of the Chinese Party-State, in particular the maintenance of information control. There is also an ongoing question as to whether this conflict assists China’s entrepreneurial ecosystem by blocking foreign technology firms such as Google and Facebook; as well as China’s policy of “indigenous innovations” which meant government procurement of local products in a protectionist manner.169

Objectively, where does intellectual property theft fit into this picture? How does it relate to encryption and enforced backdoors? Colouring in the lines prejudicially towards China, China clearly has nefarious plans with this requirement.170 Many will recall and continue to point to 171 China’s policies of

169
In 2006 China released the “Medium- to Long-Term Plan for the Development of Science and Technology” (MLP). The Chinese Government declared its intention to transform China into “an innovative society” by 2020 and a world leader in science and technology by 2050. The aim of the MLP was to reduce China’s reliance on imported technology to no more than 30% within a few years, to increase domestic R&D funding, and to leapfrog foreign rivals in what the government identified as “strategic emerging sectors”. They included: biotechnology, energy-efficient technologies, equipment manufacturing, information technology, and advanced materials. Under the MLP, the Chinese Government introduced export subsidies for Chinese firms. The MLP also introduced a policy for the promotion of “indigenous innovations”, requiring government ministries and state-owned businesses to procure goods, when feasible, from Chinese-owned companies. Various laws and regulations were associated with China’s MLP. It was considered a form of protectionism by foreign critics. According to the MLP, foreign companies wanting to compete for government contracts and subsidies promoted under indigenous innovation policies, had to transfer their proprietary technology and IP to their Chinese partners. Despite objections that those policies violate the terms of China’s membership in the World Trade Organisation, few international firms have left, instead resigning themselves to supporting innovation within China.
170
China’s Cyber Security Law arguably echoes other existing re-
As China’s economic development progresses, innovation has quirements that companies install “back doors” so that security
become a central concern of Chinese policymakers. Law has been agencies can access encrypted communications. Many have argued
the most central tool by which this innovation is stimulated. that doing so undermines rather than enhances cyber security. Tech-
Consequently, a range of legislative and regulatory measures, nology companies and internet operators may need to cooperate
with criminal and national security investigations, and hand over
aimed at enhancing China’s capability for developing and
source code and other sensitive or proprietary data when the au-
commercialising new technologies, are now in place. Neverthe- thorities deem it necessary. However we still need to wait until 1
less, the pursuit of innovation sometimes conflicts with other June 2017 to see how this will take place.See: S. James Boumil III,
interests of the Party-State, in particular, the maintenance of ‘China’s Indigenous Innovation Policies Under the TRIPS and GPA
information control, manifested through a complex web of regu- Agreements and Alternatives for Promoting Economic Growth’ (2012)
lation around technology and content. 12(2) Chicago Journal of International Law 754.
171
The State Council’s original outline of its new “China Manu-
facturing 2025” policy included market share targets to “realise
167
ibid. guarantees of self-sufficiency” (实现自主保障) for sourcing 40 and
168
Josh Horwitz, ‘China’s bewildering new cybersecurity law is 70 per cent of both core components and key basic materials by
keeping foreign tech firms out of the country’ (Quartz, 7 November 2020 and 2025 respectively: Notification on the Printing and Dis-
2016).<http://qz.com/829248/chinas-new-cybersecurity-law-is tribution of Made in China 2025, The State Council, 8th May, 2015,
-so-vague-that-its-keeping-foreign-tech-firms-out-of-the-country/> <http://www.gov.cn/zhengce/content/2015-05/19/content_9784
accessed 7 November 2016. .htm> accessed 12 March 2017.


“indigenous innovations” and question whether or not China’s Cyber Security Law is more of the same.172 However, China has 731 million internet users according to government statistics in January 2017. 695 million users use mobile devices and many rarely use cash and rely on China’s online, e-commerce, payment and logistics ecosystem. The number of “mobile wallet” users is up to 469 million, up 31.2 percent in the past year, and WeChat remains the most popular app, used by 80 percent of all internet users.173 China clearly needs a cyber security plan to protect them.

Nevertheless, the text of the new law allows for much assumption. According to the Cyber Security Law, critical information infrastructure facilities are broadly defined to cover a wide range of sectors including energy, transportation, electricity, water, gas, financial institutions, medical/healthcare, and social security. “Critical information infrastructure network operators” is a clear ambiguity in the Cyber Security Law. The security review measures merely add that national security checks triggering cyber security reviews of critical information infrastructure network operators shall be determined by critical information infrastructure protection departments,174 adding another layer of bureaucratic uncertainty to a contentious provision. Resembling China’s policy of “indigenous innovations”, government procurement decisions will be shaped by the new cyber security review. This type of provision is what leads to charges of “indigenous innovation”-style protectionism being leveled against China.175

Conversely, China has consistently focused on its need to have a cyber security regime for genuine cyber threats, in addition to legislative and rhetorical references to Network Sovereignty. This is due to China’s rapid technology adoption rates and the need to educate new users of cyber risks. The question then becomes: does China care more about international business and technological progress than censorship?

Furthermore, can a cyber security regime succeed without increasing collaboration between the public and private sectors on data protection issues? Openness of public data has much to do with cyber security and cyber security protocols.

In order to pursue policies of “smarter” Smart Cities, China needs to develop its cyber security framework. The Cyber Security Law focuses on ensuring the stability of China’s computer networks, which face threats from viruses, other menaces as well as hackers trying to access government and private networks and data. Accordingly, China needs strong policies, laws, and consultative processes to ensure the security of networks. China also needs a cyber security law to aid big data goals:

Since the concept of data openness has been driven by the central government and there has been a drive towards openness and sharing, some departments have accepted the concept and started to consider openness. However, the fear of potential data theft, replication and general security issues makes complete data openness difficult to achieve in the short term.176

Perhaps this Cyber Security Law with its vagaries does not yet achieve that goal. Chinese leaders have complex policy decisions to make. China’s legislative campaign to safeguard its infrastructure echoes post-Snowden revelation efforts in Europe, the US and elsewhere. Even with Network Sovereignty in the background China is part of the global vanguard legislating in these areas. Many countries are just starting to consider these issues. These are complex areas to legislate around. There are currently no international guidelines for best practice in creating a cyber security regime.177 There is equivalent law in the US in terms of cyber security planning.

Secondly, perhaps an objective approach requires us to separate internet content control and censorship laws and regulations from genuine cyber security goals. China’s internet content regulators determine whether content is consistent with social values. Regulators focus on preventing dissemination of information that the government considers illegal. Unlike information network or cyber security, which mainly deals with data and network protection, internet content regulation involves placing regulations on what Chinese people can read, see, and hear on the internet.

The Cyber Security Law requires instant messaging services and other internet companies to require users to register with their real names and personal information, and to censor content that is “prohibited.”178 Real name policies restrict anonymity

172 The China Manufacturing 2025 Roadmap also includes numerous mentions of ‘indigenous innovation’ (自主创新) and ‘self-sufficiency’ (自主保障, 自给, 自给率). As with the 2010 Medium- and Long-term Plan for the Development of Science and Technology, 2006–2020 (MLP) and the strategic emerging industries (SEIs). 《国务院关于加快培育和发展战略性新兴产业的决定》 [Decision on Accelerate and Develop Strategic Emerging Industries] (People’s Republic of China), State Council, 18th October, 2010, See: <http://www.gov.cn/zwgk/2010-10/18/content_1724848.htm>; Strategic Emerging Industries Likely to Contribute 8% of GDP by 2015, (People’s Daily, 19th October, 2010). <http://en.people.cn/90001/90778/90862/7170816.html> accessed 12 March 2017.

173 This is according to Chinese Government statistics released in January 2017. See: Steven Millward, ‘China now has 731 million internet users, 95% access from their phones’, (TechinAsia, 23 January 2017). <https://www.techinasia.com/china-731-million-internet-users-end-2016> accessed 23 January 2017.

174 “Article 11: Products and services purchased by Critical Information Infrastructure Network Operators that may affect national security shall be subject to the cyber security review. Whether or not network products and services purchased by the critical information infrastructure operators affect national security shall be determined by critical information infrastructure protection departments.”

175 “Article 10: Party and government departments and key industries shall prioritise the procurement of network products and services that have passed the review, and shall not procure network products and services that have failed the review.”

176 ‘Sector Report: Smart Cities in China’ (2016) EU SME Centre, <http://www.cbbc.org/cbbc/media/cbbc_media/KnowledgeLibrary/Reports/EU-SME-Centre-Report-Smart-Cities-in-China-Jan-2016.pdf> accessed January 2017, p26.

177 There are clear differences of opinion regarding internet governance. China’s vision of Network Sovereignty, the idea that the internet, like territory, has borders which each nation is entitled to monitor and defend, is an idea that is gaining steady appeal around the globe, particularly among authoritarian regimes. Iran, Russia, Turkey, Thailand, and Zimbabwe are looking to China as they consider their own national version of the “Great Firewall”.

178 See Article 24. Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.


and can encourage self-censorship for online communication. This appears to have little to do with cyber security. Burglars do not leave business cards. No hacker will send you his email address while he attacks your network and systems. Real-name registration, as required by various Chinese laws and regulations, is clearly aimed at discouraging criticism of the Party.

5.2. Real name user registration

Common in many previous recent pieces of legislation is the concept of real name user registration.179 In August 2014, China promulgated the so-called “WeChat (微信) Articles” – regulations designed to collect WeChat user data.180 The Instant Messaging Regulations 《即时通信工具公众信息服务发展管理暂行规定》, colloquially known as the “WeChat Articles”, are important because they affect the reportedly nearly 700 million181 WeChat users. The State Internet Information Office (SIIO) demanded real name registration for WeChat accounts, with the proviso that users would be permitted a public handle or nickname. Previous similar legislation aimed specifically at Sina Weibo had a major negative commercial effect on Sina Weibo.182

The sheer size of companies such as Baidu, Alibaba and Tencent means that effective control over a few companies enables the State to regulate the majority of online activities. Yet where the government previously largely out-sourced the burdens of regulating individual behaviour to those enterprises,183 it has now drastically expanded the range and scope of legal and regulatory measures directly affecting internet users.

One dominant element of this strategy is the gradual expansion of real name registration requirements in various areas of telecommunications and internet use.184 A self-regulatory Convention on mobile telephone apps passed in November 2014 committed developers and app stores to broaden the implementation of identity authentication systems.185 These efforts seem to have some success: it was reported in January 2015 that more than 80 per cent of WeChat users had registered under their real identities.186

Moreover, real name registration duties are not limited to online content; they were also mandated for the purchase of telephones, enabling the identification of online activities through individual pieces of hardware.187 In February 2015, the Cyberspace Administration of China mandated a real-name registration system for all account-based online information services.188

The Cyber Security Law, carte blanche, seems to make smaller internet firms and new forms of media, including Internet of Things and smart technologies, subject to real name user registration. The law, in a petri dish approach, was tested on Weibo and WeChat with targeted regulations. Those firms have survived and are both now flourishing. With 390 million monthly users, Sina Weibo is seeing a huge unforeseen revival

179 Notwithstanding these broad new grants of authority, many provisions appear to codify longstanding government restrictions on internet usage. Article 24, for example, mandates that companies verify an individual’s real identity before providing internet services. The China Cyberspace Administration has enforced similar requirements on blogs, instant-messaging services, discussion forums, and other internet outlets for over a year. Article 12 prohibits persons or organisations from “subverting national sovereignty” or “overthrowing the socialist system.” This parallels Article 15 of the 2015 National Security Law. See: 《中华人民共和国国家安全法》 [National Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 January 2015. Article 58 of the Cyber Security Law gives the State Council and other government entities the ability to temporarily restrict internet access as required by “national security” or to preserve “social order.” The Cyber Security Law does not retreat from past censorship powers.

180 On 7 August 2014, the State Internet Information Office (SIIO) issued a new set of guidelines entitled: 《即时通信工具公众信息服务发展管理暂行规定》 [Provisional Regulations for the Development and Management of Instant Messaging Tools and Public Information Services] (People’s Republic of China) State Internet Information Office (SIIO), 7 August 2014. These regulations, the so-called “WeChat Articles”, require that instant messaging service providers who engage in “public information service activities” obtain certain prior qualifications. The SIIO issued the WeChat Articles. Many of China’s internet regulations bear the SIIO stamp.

181 See: Steven Millward, ‘WeChat still unstoppable, grows to 697m active users’, (TechinAsia, 17 March 2017). <https://www.techinasia.com/wechat-697-million-monthly-active-users> accessed 23 March 2017. The figure was obtained from Tencent’s (WeChat’s parent company) Quarter 4 2016 report. The link is no longer available.

182 See for example: Eric Harwit, ‘The rise and influence of Weibo (microblogs) in China’, Asian Survey 54(6)(2014), pp. 1059–1087.

183 In March 2017 there was a report that Taobao (an Alibaba company) is banning merchants from selling foreign media in China – even media approved by censors. The smaller players in this story (the e-commerce booksellers) allegedly accept what Alibaba – not the Chinese regulators – dictates. See: Echo Huang, ‘Taobao is banning merchants from selling foreign media in China – even media approved by censors’ (Quartz, 10 March 2017) <https://qz.com/929540/selling-foreign-media-in-china-even-media-approved-by-censors-is-being-banned-alibaba-baba-groups-online-shopping-platform-taobao/> accessed 14 March 2017.

184 For example a Judicial Interpretation on online infringement of personality rights, promulgated in October 2014, provides that Courts may order internet companies to provide names, addresses and contact methods of users, where these are deemed to have published defamatory information. Companies refusing to carry out such requests would be liable for punitive measures. 《关于审理理应信息网络侵权人身权益民事纠纷按键使用法律若干问题的规定》 [Regulations concerning Some Questions of Applicable Law in Handling Civil Dispute Cases involving the Use of Information Networks to Harm Personal Rights and Interests] (People’s Republic of China) Supreme People’s Court, 9 October 2014.

185 《北京市移动互联网应用程序公众信息服务自律公约》 [Beijing Municipality Self-Discipline Convention on Internet Application Programmes and Public Information Services], Capital Internet Society, 26 November 2011.

186 Liu Sha, ‘Govt Takes Down Illegal Websites’, (Global Times, 14 January 2015) <http://www.globaltimes.cn/content/901784.shtml> accessed 20 January 2016.

187 《电话用户真实身份信息登记规定》 [Telephone User Real Identity Information Registration Regulations], (People’s Republic of China) Ministry of Industry and Information Technology (MIIT), 16 July 2013.

188 《互联网用户账号名称管理规定》 [Internet User Account Name Management Regulations], (People’s Republic of China) Cyberspace Administration of China, (CAC), 4 February 2015.


in late 2016.189 What was once called ‘China’s Twitter’ has now become a comprehensive platform that incorporates the major features of social media channels like Twitter, YouTube, and Instagram.190 Network Sovereignty, typified by real name usage, has now been expanded throughout the Chinese internet industries, by Article 24 of the new Cyber Security Law:

Article 24: Network operators handling network access and domain registration services for users, handling stationary or mobile phone network access, or providing users with information publication services, shall require users to provide real identity information when signing agreements with users or confirming provision of services. Where users do not provide real identity information, network operators must not provide them with relevant services.

The State implements an online trustworthy identity strategy, supports research and development of secure and convenient electronic identity confirmation technologies, and promotes mutual recognition among different electronic identity confirmation technologies.191

Article 30 makes it clear that information obtained “when carrying out cyber security protection duties, may only be used for cyber security needs, and may not be used for other purposes.”192 Sceptics may wonder whether the Chinese Government will really restrict its use of information in this way. Some more colouring in the lines is required at this stage. Nevertheless China continues to utilise data collection as a means to maintain social order.193

5.3. Individual protections: protection of personal data

On the other hand, the Cyber Security Law provides increased individual protections. Many will welcome the introduction of requirements that are widely championed by data protection authorities and bodies across North America and Europe.194 The Cyber Security Law is the first national law level legislation establishing the legal principles for protection of personal data. In the past, data privacy was regulated by administrative rules, judicial interpretations, government policies and non-binding industry guidelines.195 Articles 41, 42 and 43 restrict the amount of personally identifiable information that can be collected. These articles also limit how data can be transferred, and provide an individual the right to request that information be deleted if mishandled.196 The Cyber Security Law provides that network operators must safeguard the secrecy of personal data collected. The collection and use of personal data must follow the principles of legality, propriety and necessity and data collectors must follow the legal requirements in terms of giving the notice and obtaining the consent.197

Further, in relation to public policy and privacy concerns, in Article 22 of the Cyber Security Law, the general public must be notified of any security flaws regarding their personal data.198

189 See: Steven Millward, ‘7 years of ‘China’s Twitter’, (TechinAsia, 14 August 2016). <https://www.techinasia.com/7-years-of-weibo-china-social-media> accessed 10 January 2017.

190 Manya Koetse, ‘Weibo’s Revival: Sina Weibo Is China’s Twitter, YouTube & InstaGram’ (What’s on Weibo, 20 November 2016) <http://www.whatsonweibo.com/weibos-revival-sina-weibo-chinas-twitteryoutubeinstagram/> accessed 22 November 2016.

191 《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 24.

192 《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 30.

193 In 2014, China released an outline of its new social credit system, which rates citizens and firms on financial, legal, and civic terms. Western media have focused on highly opaque and inaccessible guidelines on the individuals and firms being rated. The most high profile social credit system is Alibaba’s Sesame Credit. Sesame Credit is a social credit scoring system being developed by Ant Financial Services Group, an affiliate of the Chinese Alibaba Group. It uses data from Alibaba’s services to compile its score. This is an area that must be further observed especially as the lines between the public and private sectors become more blurred.

194 In Europe for example, organisations such as the European Data Protection Supervisor (EDPS) operate as an independent supervisory authority whose primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies.

195 See: Rogier Creemers, ‘Cyber China: Updating Propaganda, Public Opinion Work and Social Management for the 21st Century’, Journal of Contemporary China, (2015).

196 In case of a data breach incident, the data collectors shall report to the authority and affected users should also be contacted. Companies and individuals who are directly in charge can be fined up to RMB 100,000 for failure to comply.

197 “Network operators” must:
• make publicly available data privacy notices. These notices must explicitly state purposes, means and scope of personal information to be collected and used;
• obtain individuals’ consent when collecting, using and disclosing their personal information;
• adopt technical measures to ensure the security of personal information against loss, destruction or leaks;
• if a data security breach occurs, take immediate remedial action and promptly notify users and the relevant authorities;
• comply with principles of legality, propriety and necessity in their data handling, and not be excessive; not provide an individual’s personal information to others without the individual’s consent; nor illegally sell an individual’s personal data to others;
• keep user information confidential and establish and maintain data protection systems;
• rules do not apply to truly anonymous data.
As discussed above, while an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction, seemingly offering a broader protection to all personal information belonging to residents of China.

198 “Article 22: Network products and services shall comply with the relevant national and industry standards. Providers of network products and services must not install malicious programs; when it is discovered that their network products or services have risks such as security flaws or leaks, they shall promptly notify users and adopt remedial measures, and promptly notify users and report the matter to the relevant controlling department according to regulations. Providers of network products and services shall continuously provide security maintenance for their products and services; and must not terminate providing security maintenance during the set time period or period agreed on with clients. Where network products and services have functions to collect user information, their provider shall indicate this to users and obtain agreement; where citizens’ personal information is involved, this shall abide by the provisions of this Law, as well as relevant laws and administrative regulations, concerning the protection of citizens’ personal information.”


If we emphasise this legislative development, perhaps the Cyber Security Law could be more objectively assessed? Data theft is a live issue in China. In February 2017, Chinese State media released a report suggesting that vendors have been selling confidential information such as people’s national ID numbers, home addresses, the value of their assets including property, and even mobile phone call logs.199 Chinese Netizens were outraged. A unit overseeing information security at Tencent, which owns instant-messaging service, QQ, released a statement on reporting that since August 2016, QQ has blocked over 3500 group accounts where personal information was sold in bulk, including 30 such accounts in the previous four days alone. This indicates a major need for the privacy and criminal penalty articles in the Cyber Security Law.

5.4. Objective assessments: cyber security international protocols and realities

The Chinese government, like the US government, is within its sovereign rights in wanting to ensure the security of digital systems and data. A denial of service attack on the mainframe of a connected power station, for example, could have very serious consequences for “critical infrastructure”. The question is: does China’s Cyber Security Law achieve that aim? Or does it create barriers to trade and innovation for both Chinese and foreign innovators?

The short answer to this question is simple. Wait and see. The Chinese government will issue future regulations to clarify the law’s scope and intent. Only then can we objectively assess the outcome. However, other key Chinese information security institutions, such as the China National Information Security Standards Technical Committee (TC260), have been open to international cooperation.200

5.5. China National Information Security Standards Technical Committee (Technical Committee 260 or TC260)

One cannot be sensationalist about Chinese legislative efforts. In August 2016, it was reported that a Chinese government committee, Technical Committee 260 (TC260), was at work defining cyber security standards. TC260 allowed Microsoft, Intel, Cisco and IBM to take part in drafting Chinese cyber security rules rather than participating as observers only.

TC260 is a cyber security advisory committee tasked with defining China’s standards constituting “secure and controllable” technologies.201 TC260 is involved in discussions of data storage and encryption. There is a live issue to be addressed by TC260 in that global companies juggling multiple national security agendas can create “lots of competing standards.”202 Perhaps these foreign technology firms, members of TC260, already know the answer to the problem of vague Chinese regulations and understand phrases such as “secure and controllable”.

Furthermore, with regard to the location of servers within China, it was reported that many foreign internet companies have already complied with this measure. AirBnB, for example, announced in November 2016, it would move its Chinese user data to a domestic location, over a year after it officially entered the Chinese market via a joint venture.203

Technology companies have also made public statements against China’s Cyber Security Law requiring companies to share proprietary source code within China. Microsoft wrote, “[s]haring source code in itself can’t prove the capability to be secure and controllable. It only proves there is source code”.204 In order to do so, you would need an expert security audit. China would reportedly need to build its cryptographic expertise to conduct such security audits.205 This is because in cyber security it is much easier to build attacks than to verify defenses.

While media reports stated that foreign technology companies will be required to provide source code to the Chinese Government, there is no obligation in the law. The Cyber Security Law does not explain source code compliance requirements. For example, certification requirements could mean technology companies will be asked to provide source code, encryption or other critical intellectual property for review by security authorities. Yet we do not know when and if this will actually occur. As noted, reportedly, Microsoft in China already does so with its software, under controlled conditions,206 and is planning a “transparency centre,” allowing Chinese government coders to test and analyse Microsoft’s products for cyber security issues.207 Technology companies may be required to provide source code to third party bodies as part of specific licensing/review requirements. That could take place, in a system similar to Microsoft’s

199 Liu Xiaojing and Li Rongde, ‘QQ Blocks Thousands of Accounts for Selling Private Information’ (Caixin Global, 21 February 2017) <http://www.caixinglobal.com/2017-02-21/101057642.html> accessed 21 February 2017.

200 Eva Dou and Rachel King, ‘China Sets New Tone in Drafting Cybersecurity Rules’ (Wall Street Journal, 26 August 2016) <http://www.wsj.com/articles/china-moves-to-ease-foreign-concerns-on-cybersecurity-controls-1472132575> accessed 27 August 2016.

201 ibid. It was also reported in cyber security circles, see for example: Jeremy Seth Davis, ‘China allows foreign tech firms to participate in creating cybersecurity standards’ (SCMagazine.com, 31 August 2016) <https://www.scmagazine.com/china-allows-foreign-tech-firms-to-participate-in-creating-cybersecurity-standards/article/530234/> accessed 31 August 2016.

202 ibid.

203 Josh Horwitz, “China’s bewildering new cybersecurity law is keeping foreign tech firms out of the country”, Quartz, 7 November 2016. <http://qz.com/829248/chinas-new-cybersecurity-law-is-so-vague-that-its-keeping-foreign-tech-firms-out-of-the-country/>.

204 Eva Dou, ‘Microsoft, Intel, IBM Push Back on China Cybersecurity Rules’ (The Wall Street Journal, 1 December 2016) <http://www.wsj.com/articles/microsoft-intel-ibm-push-back-on-china-cybersecurity-rules-1480587542> accessed 21 December 2016.

205 However, in August 2016 China launched a satellite into orbit with a unique feature: it has the ability to send information securely, not with mathematical encryption but by using the fundamental laws of physics. China will be the first country to achieve this feat. China’s new satellite is an important step towards truly secure communications, as it allows quantum data to be sent over extreme distances between any two locations.

206 Eva Dou, ‘Microsoft, Intel, IBM Push Back on China Cybersecurity Rules’ (The Wall Street Journal, 1 December 2016) <http://www.wsj.com/articles/microsoft-intel-ibm-push-back-on-china-cybersecurity-rules-1480587542> accessed 21 December 2016.

207 Tekendra Parmar, ‘China: Tech Giants Push Back Against Beijing’s New Cyber Security Bill’ (Fortune, 2 December 2016) <http://fortune.com/2016/12/02/cyber-security-bill-source-code/> accessed 21 December 2016.


transparency centres, in which regulators can review source code in a highly controlled environment.

Furthermore, there is no reason to suggest that China’s Cyber Security Law diminishes the importance of global cooperation in technical standard-setting. Article 7 of the new law echoes the desire of Network Sovereignty to create global internet standards:

Article 7: The State actively launches international exchange and cooperation in the areas of cyberspace governance, research and development of network technologies, formulation of standards, attacking cybercrime and illegality, and other such areas; promotes the construction of a peaceful, secure, open and cooperative cyberspace, and the establishment of a multilateral, democratic and transparent cyber governance system [emphasis added].208

TC260 will likely be engaged in consultations extensively before 1 June 2017 and beyond.

5.6. Security technology is often public. The issue is how governments legislate usage

Back doors do not affect the company that creates the encryption technology, but the companies who use encryption technology might need to worry, as might individuals who have an expectation of privacy. For example, if Microsoft provides encryption technology to Ford Motor Company, the Chinese Government might request Microsoft’s assistance in an investigation of Ford. Companies are required to report “network security incidents” to the Chinese Government and inform consumers of breaches, but the law also states that companies must provide “technical support” to government agencies during investigations. “Technical support” is also not clearly defined, but could mean providing encryption backdoors or other surveillance assistance to the government.

Security technology is often public. Encryption algorithms are standardised, created by public research and are not proprietary. Encryption algorithms are rarely intellectual property as keeping encryption algorithms secret is a recipe for exploitable products.209 However, how encryption algorithms are integrated is both intellectual property and a possible target for cyber attack. Source code disclosures, on the other hand, would be a major risk. Intellectual property theft may occur, as source codes amount to instructions of how to do something as opposed to designs. Source code is the implementation instructions for that encryption design, for example.

Overall security depends on many things including how code is added to the wider product. In essence, you cannot tell if your house is secure, just from the front door being locked. There might be other ways to break in. If the whole house’s source code was shared, there may be serious concerns of intellectual property theft.

The issue is how encryption usage is legislated. In practical terms, there is no difference between building a back door and forcing Microsoft to un-encrypt when “technical support” is required. Currently we have no concrete idea what “technical support” means. It does raise concerns at least theoretically of commercial espionage and sabotage. In reality, for both financial and technical reasons, it is unlikely that China would invest in auditing source code to ensure Chinese Network Sovereignty. This might be too big of a task.

5.7. Inherent tension between Network Sovereignty and global internet guidelines: the Internet Engineering Task Force (IETF)

It is difficult to envisage that China will be an international standard setter as a task of Network Sovereignty. The Internet Engineering Task Force (IETF), the global internet standards body, is generally sceptical of any governmental involvement and tries to leave internet regulatory work to technical experts.

The IETF “is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual”.210 In terms of the hierarchy of combative internet bodies the IETF sits at the top. The IETF is an internet engineering task force made up of academics and technologists hostile to government. This is because it emerges from hacker ethos coupled with an academic culture, designed purely for the community development of internet standards and advocating a free and open internet. It is difficult for countries to influence these standards. The IETF also often rejects business concerns from private industry if they conflict with good technical sense.

Indeed recently, when formulating the latest web encryption standards: https, the business lobby proposed a way to have security control over employees, suggesting back doors, to see if employees were exposing proprietary information. The IETF rejected this idea.211 In real terms it will be difficult for China to influence the IETF.

5.8. Data localisation, cloud computing and keeping your data in the cloud

Network Sovereignty is different in domestic context and international contexts. Domestically it often means censorship guidelines. Internationally it means China outlining its perspective for global internet guidelines. This is where the conflict between the two aims becomes complex.

One aspect that surprised many is the requirement of the Cyber Security Law for data localisation forcing “critical information infrastructure operators” to store data within China’s borders. As noted, the law does not include a clear definition of infrastructure operators. Many businesses could be lumped into that definition.

208 《中华人民共和国网络安全法》 [Cyber Security Law of the People’s Republic of China] (People’s Republic of China) Standing Committee of the National People’s Congress (NPCSC), 7 November 2016, Article 7.

209 Encryption technology is generally available online for free (open source), it would be trivial to subvert. Technically the use of back doors is not a major difference. Without a backdoor Microsoft cannot encrypt data.

210 See: https://www.ietf.org/about/.

211 See for example: ‘Re: [TLS] Industry Concerns about TLS 1.3’ <https://www.ietf.org/mail-archive/web/tls/current/msg21428.html>.

This is surprising because much of the recent drive to establish enterprises in China has been the intellectual property


protection of storing data in the cloud. That is, Internet of Things devices can be valueless hardware, but the value of the company resides in the big data collected. For the Internet of Things, cloud computing is viewed as a key enabler to widespread adoption. Cloud providers are expected to deliver secure and efficient cloud services by default, protecting from major data breaches or solution downtime issues. China would not seem likely to disrupt this model that has been so successful in attracting IoT start-ups to Shenzhen and other Chinese cities.

At the same time, in order to pursue Smart City policies, China needs to strengthen cyber security. Internet Plus and China’s passion for IoT devices means that: a security breach is not limited to merely stealing credit card data. Anyone with the right access could, for example breach firewalls or steal health records from IoT devices. As millions of “things” start joining the enterprise network, the surface area for hackers to breach your system is expanding.212 All these devices will leverage public Wi-Fi, cloud, Bluetooth networks, and other enabling networks, creating multiple points of vulnerability.213

The standards for IoT hardware and software are still evolving. Until there are established guidelines, companies need to account for a vast range in device quality. Some devices may be very sophisticated and hardy, while others may be cheap and disposable. Low-quality devices have been used to gain unauthorised entry into a secure network. In China where Shenzhen’s shanzhai movement for knock-off and now innovative electronic devices has thrived, this creates numerous security concerns.

One big advantage of IoT is the sheer amount of data it generates. This allows operators to track operational data to create alerts based on anomalies in the system. This may be compromised by legislating enforced localised data collecting servers. Afraid of intellectual property theft from the cloud, data collected in China may be quarantined by companies. This would affect the quality of data samples. In turn, this may affect the quality of security updates. Especially if the China market represents the company’s greatest data collection point and company directors insist on segregating data and operations.

In addition, what if Chinese technology companies are forced to tamper with politically sensitive data, for example, related to environmental degradation? Foreign and Chinese companies alike, may be hampered by the data localisation requirements.

Data localisation is a risky ploy for China, time will tell what it means to force “critical information infrastructure operators” to store data within China’s borders. Yet there are some recent indicators that China will not sabotage its own cyber security for its censorship goals.

5.9. Regulatory updates supporting third party assessments

Much less controversial than the Anti-Terror Law and in-line with China’s genuine cyber security concerns is the Encryption Law of the People’s Republic of China (Opinion-seeking Draft) (“Encryption Law”) promulgated in April 2017. The Encryption Law seeks to promote the use of encryption technologies from a national level. As yet there has been no international outcry over its intent.214 Unlike the initial Anti-Terror Law it does not require “back doors” to be built. There is a strong focus in the Encryption Law on the use of encryption to protect critical information infrastructure. Article 11 sets forth that commercial encryption products that are sold or used in business activities, as well as the provision of commercial encryption services will be subject to approval in accordance with to-be-created certified encryption catalogues. In line with the discussion above about encryption products, the major global technology companies would need to be involved in assisting in the creation of these catalogues.

5.10. Third parties in Security Review Measures and data exits

The issue of the cross border data flows is complex and evolving. On 11 April 2017, CAC released a circular for public consultation until 11 May 2017: the Circular of the State Internet Information Office on the Public Consultation on the Measures for the Assessment of Personal Information and Important Data Exit Security (Draft for Soliciting Opinions) (“Circular”).215 The Circular requires “network operators” in China looking to transfer data abroad to undergo a security assessment to determine whether the transaction carries “risks such as disclosure, damage, tampering and abuse”. The rules will therefore apply to any business seeking to transfer over one terabyte of data or information on 500,000 or more individuals. This seems to widen the reach of the Cyber Security Law as the rules limiting the transfer of data outside China’s borders previously applied only to “critical information infrastructure operators.” This now includes “network operators”. A “network operator” remains undefined and could be very broad.

212 ‘5 Considerations For Securing IoT’ (Forbes, 26 January 2017) <https://www.forbes.com/sites/vmware/2017/01/26/5-considerations-for-securing-iot/#2e1a2e2c154a> accessed 27 January 2017.

213 ibid.

214 《中华人民共和国密码法 (草案征求意见稿)》 [Encryption Law of the People’s Republic of China (Opinion-seeking Draft)] (People’s Republic of China) Office of State Commercial Cryptography Administration (OSCCA), 13 April 2017. Article 20 is similar to China’s Anti-Terror Law: People’s procuratorates, public security bodies and State security bodies may require telecommunications operators and internet service providers to provide technological decryption support when necessary for national security or the prosecution of criminal cases.

215 《个人信息和重要数据出境安全评估办法 (征求意见稿)》 公开征求意见 [Circular of the State Internet Information Office on the Public Consultation on the Measures for the Assessment of Personal Information and Important Data Exit Security (Draft for Soliciting Opinions)] (People’s Republic of China) State Internet Information Office, 11 April 2017.

216 “Personal information” is defined as various types of information recorded by electronic or other means capable of identifying a person’s personal identity alone or in combination with other information. Including: the name of the natural person, date of birth, identity document number, personal biometric information, telephone number. Important data refers to data that is closely related to national security, economic development, and social and public interests, with specific reference to national relevant standards and important data identification guidelines.

The Circular prohibits any transfer of personal information without prior consent of the user.216 Few clues were left as to how this process will take place. The Chinese Government has


now begun to create a process to allow data transfer and storage overseas, despite the apparent prohibition in the Cyber Security Law. This was almost certainly a response to the commercial and security concerns of multinational technology firms. Nevertheless this issue is evolving.

5.11. Third parties in security review measures

The major ongoing question is this: what role will third parties have in China’s cyber regime? The Chinese Government has begun issuing regulations to clarify the scope and intent and implementation of China’s Cyber Security Law. In China’s “regulatory sandbox”217 where complex competing goals of Network Sovereignty and Informatisation collide, it seems likely that foreign firms will be extensively consulted. Article 29, for example, provides that “relevant industry organisations will establish sound cyber security standards and mechanisms for collaboration.”

On 4 February 2017, CAC sought public opinion on its draft internet product and service security inspection law, a follow-up to the Cyber Security Law: Measures for Security Reviews of Network Products and Services (Draft for Solicitation of Comments) (“Security Review Measures”).218 There are numerous references to a new body to oversee technical matters – the Cyber Security Review Committee (“Committee”) in Articles 5–8.219 Under the Committee, a Cyber Security Review Office (“Office”) will be established to handle the actual review work.220

In assisting the Office’s review, two more groups will be involved in the process: designated third party evaluation centers, providing technical evaluation reports; and an expert panel assembled by the Committee, to evaluate whether the suppliers are “secure and controllable,” on the basis of third party reports. The Office then decides based on the third party reports and the panel’s recommendations.

The English version of the Global Times, a state-owned tabloid newspaper, reported that yet another cyber organisation will be created from the Security Review Measures.221 Will these new organs include representatives from foreign technology companies? Will the “third-party institutions”222 in Article 7 include foreign technology companies?223

217 A regulatory sandbox is a ‘safe space’ where businesses can test innovative products, services, business models without the threat of regulatory action.

218 《网络产品和服务安全审查办法征求意见 (草案征求意见稿)》 [Measures for Security Reviews of Network Products and Services (Draft for Solicitation of Comments)] (People’s Republic of China) State Internet Information Office, 4 February 2017.

219 See: “Article 5: The State Internet Information Office, in conjunction with relevant departments, shall set up a Cyber Security Review Committee to review important policies of the cyber security review, organise cyber security review work, and coordinate the relevant important issues related to the cyber security review. The Cyber Security Review Office shall concretely organise and implement the cyber security review. Article 6: The Cyber Security Review Committee shall appoint relevant experts to form a Cyber Security Review Experts Committee to conduct a comprehensive evaluation on the security risks of network products and services and the security and trustworthiness of suppliers on the basis of the third-party evaluation. Article 7: The State shall determine in a unified manner the third-party institutions, and entrust the third-party institutions to conduct work during the cyber security review. Article 8: In accordance with the requirements of relevant state departments, national industry association proposals, market reactions, and enterprise applications, the Cyber Security Review Office will organise third-party organisations and experts to conduct the cyber security review of network products and services, and publish or circulate within certain limits the results of the reviews.”

220 The Security Review Measures provide that the Office can initiate security reviews in response to requests made by government agencies, suggestions made by trade associations, or incidents in the market. Companies can also voluntarily submit their products or services for review (Article 8). The review will consist of four elements: lab testing, on-site inspection, online monitoring, and review of background information (Article 3). No further detail was provided with respect to how these elements will be carried out and the overall timeframe for the entire review.

221 According to the Global Times yet another cyber organisation will be created: “A proposed new cyber security watchdog will prevent online products and services from being manipulated by foreign forces and safeguard Party and government departments and key industries from national security threats, experts said. The Cyberspace Administration of China (CAC) is seeking the public’s opinion on a draft regulation of online products and services that will see China set up an Internet security review body to examine policies and coordinate nationwide practices on cyber security.” Liu Caiyu, ‘China eyes new cyber security watchdog’ (Global Times, 2 February 2017) <http://www.globaltimes.cn/content/1031517.shtml> accessed 2 February 2017. Comments made in the English language press reflect how the Chinese Government intends the world to understand its intent. The report went on: “[b]ecause China now still heavily relies on foreign core technology, the Web review body will examine loopholes that may have been intentionally installed into online products or services, which might pose a threat to national security”.

222 In Chinese the phrasing “第三方评价” third party appraisals and “第三方机构” third party organisations or institutions suggests an air of objectivity in Chinese language usage.

223 It could be that only Chinese organisations are capable of providing the necessary technical support. There is a precedent. Foreign cloud service providers in China are currently required to obtain a mobile service licence, for which issuance is restricted by regulation, and are largely held by domestic data service operators. Therefore, a sino-foreign joint venture needs to be established in order to obtain the licence. This dynamic is typified in IBM’s cooperation with Tencent Cloud and 21Vianet, which has enabled it to offer its services to the Chinese market and participate in the construction of a large data center just outside of Beijing. Microsoft and Amazon have also established partnerships with domestic Chinese companies in order to offer their cloud services in China. Intel and Oracle are two Western companies that bought into China’s existing cloud systems. For a cloud services review, it was China Academy of Information and Communications Technology (CAICT), China Information Technology Security Certification Center (CNITSEC), a source code review lab, and China Electronic Standardization Institute (CESI). These bodies will likely be included as third party reviewers for Cyber Security Reviews. Nevertheless TC260 was involved in drafting standards for China’s cloud security review regime. See “TC260 Drafts New Standard for China’s Cloud Security Review Regime” (United States Information Technology Office, June 26 2015) <http://www.usito.org/news/tc260-drafts-new-standard-chinas-cloud-security-review-regime> accessed 2 May 2017.

On 2 May 2017 China released the Interim Security Review Measures for Network Products and Services. Again there are multiple references to accredited third parties in Cyber Security


Reviews.224 Recent regulatory updates continue to refer to third party cyber security assessments.225

6. Conclusion

Foreign and Chinese observers are yet to see if China has articulated a new vision for an innovative and inclusive entrepreneurial ecosystem embodied by Informatisation and Internet Plus; or a more rigid one embodied by Network Sovereignty. Vague regulations famously allow regulators leeway to suit their aims. The Cyber Security Law may be the opportune time for China to decide which way it is heading toward: further innovation or further restriction.

As CAC is under heavy pressure to implement the Law and supporting regulations, it seemed unlikely that there would be any delay in the Law coming into force on 1 June 2017. However Reuters reported on 19 May 2017, that: CAC called a meeting – with around 100 participants, including representatives from global technology firms – to present last-minute changes to implementation rules for China’s new Cyber Security Law.

It was reported that possible changes being considered by CAC, included a new 18-month phase-in period from June 2017. This would mean that the law would not be fully implemented until the end of 2018, allowing time for further clarity to be provided.226 The Chinese government has now delayed localisation227 requirements until 31 December 2018. The implications for the location of cloud servers are yet to be announced.228 Nonetheless, many internet companies have reportedly already begun to comply with China’s policy toward data storage.229 Like the Anti-Terror Law, China will be careful not to harm its innovation agenda.

The concept of a Smart City means very different things to different cities. China has a very different ecosystem from other countries. China’s innovation ecosystem possesses many elements many countries lack. These elements include: deep capital reserves, the world’s largest population for product scaling, strong governmental will and a large military that is actively seeking cutting-edge communication technology innovations. Increased development is a necessity for a Party-State keen to appease a populace frustrated by environmental and employment and other developmental issues.

As noted, there is a complete circle to be drawn here. The Chinese Government in seeking to retain power needs to appease a population now expecting more from its leadership in terms of economic development and better quality of life. These are complex policy considerations to balance.

The statement that “cyber security and informatisation are two wings of one body” may explain why the Chinese Government is interested in providing the public with improved secure big data solutions. More public information, increased transparency and accountability are crucial to eliminating corruption, critical to the Party maintaining power. Thus, despite the occasional heavy-handed efforts at exerting control over internet-driven innovation, there are sufficient interests at stake to ensure that innovation will continue to change governance and ultimately perhaps change the government itself.

224 《网络产品和服务安全审查办法 (试行)》 [Interim Security Review Measures for Network Products and Services] (People’s Republic of China) Cyberspace Administration of China, 2 May 2017. See for example: Article 6: The Cyber Security Review Committee shall engage relevant experts to establish a Cyber Security Review Experts Committee, which shall, based on third-party assessments, perform comprehensive assessment on the security risks of network products and services, and the security and trustworthiness of the suppliers.

225 The Interim Security Review Measures for Network Products and Services also contain the following provisions: Article 7: The third-party organisations involved in cyber Security review shall be accredited by the State according to the law, to perform third-party assessments as part of Cyber Security review work. Article 8: The Cyber Security Review Office shall, in line with the requirements of relevant national departments, at the request of any national industry association, or based on user responses, identify the entities for review according to procedures, organise third-party organisations and the Experts Committee to conduct cyber security reviews on network products or services, and then release review results or report these results within a certain scope. Article 11: The third-party organisations performing cyber security review shall conduct the assessment on an objective, just and fair basis, in line with relevant national rules, by referring to relevant standards, and with a focus on the security and controllability of network products and services and their supply chains, and transparency of security mechanism and technologies, and assume responsibility for assessment results.

226 Michael Martina and Cate Cadell ‘Amid industry pushback, China offers changes to cyber rules: sources’ (Reuters, 19 May 2017) <http://www.reuters.com/article/us-china-cyber-law-idUSKCN18F1VZ> accessed 21 May 2017.

227 The law will be subject to a phase-in period. “The Cybersecurity Law and the revised draft measures both take effect on June 1, 2017. However, cross-border data transfers will not be required to conform to the revised draft measures until December 31, 2018”. It was widely reported that Cyberspace Administration officials briefed foreign embassies and trade organisations about revisions to the cyber security provisions. See: Yang Ge and Wu Gang, ‘Foreigners Get Minor Concessions in Cybersecurity Law’, (Caixin, 29 May 2017) <http://www.caixinglobal.com/2017-05-31/101096399.html> accessed 1 June 2017.

228 Caixin reported that: the US Chamber of Commerce wrote an email detailing a number of changes to the Cyber Security Law including a revised provision that “internal company data transfers will not be subject to a security review if the company does not use its network to commercialize data externally”; and that “implied consent will be a sufficient standard for processing cross-border data transfers.” This is an ongoing regulatory discussion. See: ibid.

229 In December 2016, AirBnB made the public announcement stating that it had begun storing data for its Chinese users on domestic Chinese servers. Uber, Evernote, LinkedIn, and Apple have also done so, before the official implementation of the Cyber Security Law: Josh Horwitz, ‘A key question is at the heart of China’s new cybersecurity law: Where should data live?’ (Quartz, 7 June 2017) <https://qz.com/999613/a-key-question-at-the-heart-of-chinas-cybersecurity-law-where-should-data-live/> accessed 9 June 2017.

230 ‘Li Keqiang’s March 2016 Government Work Report’, (Xinhua, 17 March 2016) <http://news.xinhuanet.com/english/china/2016-03/17/c_135198880.htm> accessed 19 March 2016.

Premier Li Keqiang’s March 2016 Government Work Report,230 articulated that China is attempting to remove unclear lines


of authority. In outlining the role of government, streamlining administrative approvals is a key objective:

■ Government vows to streamline administration, transform the functions of the government, and improve its performance.
■ It will release the lists of all powers and responsibilities of local governments.
■ It will revise administrative regulations, reduce administrative levies and cut red tape to ensure that the people have more equal opportunities and greater space for creativity.
■ Government will carry out the “Internet Plus government services” model and promote better information sharing between Government departments, so that the public and businesses can make fewer visits to government departments to get things done.

This seems counterintuitive to the idea that China’s Cyber Security Law is planning to introduce more red tape. On the contrary, China has streamlined its cyber bureaucracies. The weight of evidence suggests that this new Law was driven by a desire to protect key infrastructure from cyber vulnerabilities. If this is the goal, China will not stop foreign firms from negotiating data exits from China.

The assertion that China’s Cyber Security Law and the concept of Network Sovereignty would dampen Smart City innovations is also questionable. While the Chinese Government carefully manages internet information flow in political areas, it is open and supportive of internet commerce and Smart City projects. There is great optimism in China’s direction and a belief in China’s innovative capabilities. Many venture capitalists identify China as the leading Asian innovator and a competitor to the US, including in complex technologies such as artificial intelligence.231 This prediction is based on emerging technologies such as the Internet of Things and Smart City technologies.

Finally, there is also a goal of attracting foreign firms to the Chinese innovation ecosystem.232 That goal is perhaps embodied by the impression given by recent regulations that foreign technology firms will be allowed to participate in Cyber Security Reviews under the new Cyber Security Law.

Domestic legalism embodied by Network Sovereignty seems like the simple answer for Chinese leaders. Slowing or even hampering innovation, technology and technocracy233 in this age of technology-driven innovation is a more complex problem that Chinese leaders will have to face. It seems unlikely that the Chinese government will really wish to stifle its innovation agenda. We must therefore look to the wider policy context for the intent behind the Cyber Security Law, namely, the urgent need to protect China’s billions of connected devices and the Chinese Government’s desire to improve the lives of the Chinese people, and thereby maintain its legitimacy.

Acknowledgement

I would like to thank Professor Colin Hawes of the University of Technology, Sydney for his editing and comments on the final manuscript, and Paul S. Triolo of the Eurasia Group for reading and commenting on my final draft. I would also like to thank Professor Natalie Stoianoff of the University of Technology, Sydney and Shaanan Cohney of the University of Pennsylvania for their input and expertise. Finally, I want to thank Professor Steve Saxby for his encouragement and support from conception to publication of this article. This research was made possible through funding as a Quentin Bryce Scholar.

231 See for example: Sarah Zhang, ‘China’s Artificial-Intelligence Boom’, (The Atlantic, 26 February 2017) <https://www.theatlantic.com/technology/archive/2017/02/china-artificial-intelligence/516615/> accessed 19 March 2017.
232 China has long had a policy attracting “foreign talent” to China. This has been expanded in terms of ease of obtaining visas, for example, since President Donald Trump won the US election, in the hope that China will draw talented expatriates to join its innovation cause.
233 Technocracy is an organisational structure or system of governance where decision-makers are selected on the basis of technological knowledge.

Please cite this article in press as: Max Parasol, The impact of China’s 2016 Cyber Security Law on foreign technology firms, and on China’s big data and Smart City dreams,
Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.05.022
