The National People’s Congress approved new National Security and Counterterrorism laws. Foreign media, technology companies, foreign civil society organisations, and governments have widely criticised the laws for conferring Chinese authorities with even greater powers to restrict and control the activities of non-state actors especially when coupled with the Law on Managing Foreign Non-Governmental Organisations and Cybersecurity Laws.
The National Security Law effectively grants the National Security Commission domain over China’s national security encompassing politics, the military, finance, cyberspace, culture, environment, ideology, and religion. It sets out the principles of security manage-ment, including intelligence collection, risk assessments, national security reviews, emergency responses, and so on, and lays out the responsibilities of citizens and companies to assist the authorities in protecting national security and reporting potential threats. This applies to Hong Kong and Macau as well.
The law also requires Internet and information technology, information systems and data to be ‘secure and controllable’. The National Security Commission has the power to conduct reviews of foreign commercial investment, special technologies, Internet information technology products and services, and all other projects involving national security matters (Article 59). A broad spectrum of foreign governments, businesses, and civil society groups see the law as legitimising stronger restrictions on foreign business, social and political interests in China.
The Counterterrorism Law, meanwhile, proposes the establishment of a national body in charge of identifying terrorist activities and co-ordinating nationwide counterterrorist work. The first draft, issued for public comment in November 2014, drew widespread criticism for its vague definition of terrorism and the requirement that foreign tech companies provide their encryption keys to authorities and keep their servers and user data in China. Foreign companies and leaders, including US President Obama criticised the law and its potential effect on the Chinese business environment, making it less attractive to foreign companies. China has argued that many Western governments have similar requirements and that Chinese companies operating overseas are subjected to heavy security checks. Still, the final draft removed, inter alia, the clauses about encryption keys and foreign businesses keeping servers and user data in China.
The law still requires companies to provide encryption information upon the request of the government. Telecommunications and Internet service providers in particular are also required to monitor, report, and prevent dissemination of information on terrorism and extremism (including activities, such as peaceful agitation for greater autonomy for Xinjiang or Tibet, that are not considered either terrorist or extremist outside China). (Article 19).
The Chinese government has claimed that the laws will help strengthen the Party-state’s ability to prevent, handle, and punish threats to both national and international security. How it will affect foreign business activities and data security in practice remains to be seen.