The Chinese government is set to adopt the Cybersecurity Law, a regressive measure that strengthens censorship, surveillance, and other controls over the Internet, Human Rights Watch said today. China’s top legislative body, the National People’s Congress Standing Committee, held a third and final reading on the law on October 31, 2016, and is expected to pass the law by the end of its October 31-November 7 session.
“Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes,” said Sophie Richardson, China Director. “The already heavily censored Internet in China needs more freedom, not less.”
The third and final reading draft, which has not been officially published, reflects some changes from the first draft. Yet the fundamentally abusive aspects of the initial draft remain unchanged. The final draft:
- Requires a range of companies to censor “prohibited” information and restrict online anonymity, including by demanding that companies require users to provide their real name and personal information. The final law adds instant messaging services to the list of service providers subject to real-name requirements;
- Requires “critical information infrastructure operators” to store users’ “personal information and other important business data” in China. The final draft narrows the scope to only data that is related to a firm’s China operations, but the term “important business data” is undefined, and companies must still submit to a security assessment if they want to transfer data outside the country. The definition of “critical information infrastructure” remains vague and could encompass a broad range of companies;
- Requires companies to monitor and report to the government undefined “network security incidents,” as well as provide undefined “technical support” to security agencies to aid in investigations, raising fears of increased surveillance. The final draft further specifies that network operators must retain network logs for at least six months and accept government supervision; and
- Provides a legal basis for potentially large-scale network shutdowns to respond to “major [public] security incidents.”…