English Pages 254 [250] Year 2022
Daoli Huang
Research on the Rule of Law of China’s Cybersecurity China’s Rule of Law in Cybersecurity Over the Past 40 Years
Daoli Huang The Third Research Institute of the Ministry of Public Security Shanghai, China
ISBN 978-981-16-8355-8 ISBN 978-981-16-8356-5 (eBook) https://doi.org/10.1007/978-981-16-8356-5 Jointly published with Huazhong University of Science and Technology Press The print edition is not for sale in China (Mainland). Customers from China (Mainland) please order the print book from: Huazhong University of Science and Technology Press. ISBN of the Co-Publisher’s edition: 978-7-5680-1465-6 © Huazhong University of Science and Technology Press 2022 This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publishers, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publishers nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publishers remain neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd. The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore
Editorial Committee
Director: Ma Minhu
Members: Gu Jian, Huang Daoli, Jin Bo, Jing Qianyuan, Li Jingjing, Lin Yanfei, Song Yanni, Wu Songyang, Zheng Jingqing
Executive Editor: Huang Daoli
Writing Members: Fang Ting, He Zhile, Hu Wenhua, Liang Siyu, Ma Ning, Yuan Hao, Zhao Lili, Bao Liang
Foreword
Since the Report on the Work of the Government of 1978 proposed energetically developing emerging science and technology, particularly to expedite the research of integrated circuits and electronic computers and stimulate their popularization and application, China’s Internet industry has developed for more than four decades. Over these four decades, the network security and informatization business of China has set an impressive record of achievement. The evolution of the Chinese Internet industry for more than four decades precisely keeps track of the historical development of the cybersecurity legal frameworks of China. Especially since the 18th National Congress of the Communist Party, China’s legal construction in cybersecurity has developed in leaps and bounds, and the legal regimes that focused on the Cybersecurity Law of the People’s Republic of China likewise have matured. As the first batch of scholars studying cybersecurity law, I have witnessed the twists and turns in the development of China’s cybersecurity legal regimes from scratch, from weak to strong and from passive to active. I am deeply aware of the ups and downs of the development process and sincerely feel gratified for China’s achievements today. However, in the vigorous development of cybersecurity law-based governance, many researchers were eager to explore the future development path and lacked an overall grasp of the history and evolution of cybersecurity legislation in China. As a result, their research was just like a rootless tree, and even worse, misunderstood China’s cybersecurity legislation and misjudged the development path. In 2017, my student Huang Daoli, the editor-in-chief of this series, told me that she planned to publish a series of books to review China’s cybersecurity legislation systematically. 
Meanwhile, she also conveyed to colleagues some insights, prejudgments on its future and compliance opinions of our team in the domain of cybersecurity in which she has been engaged for more than 30 years. I fully agree with her in this regard, but I also know that it is not so easy. To the best of my knowledge, the process of writing this series is beset with numerous difficulties. Researcher Huang Daoli also asked me for advice many times. During this time, they specially organized seminars and invited relevant legislators to tell the stories behind the legal provisions.
This pragmatic attitude also makes me profoundly confident and expectant for the publication of the series, which is also the story behind these books. The first time I read the final draft, I came to realize that Chinese academic circles have been exploring and working on cybersecurity as a new realm of jurisprudence for more than four decades, and it has been more than 30 years since I started studying cybersecurity legislation in 1988. Apart from feeling the passage of time, my thoughts are also touched overwhelmingly. In 1978, the new period of reform, opening up and socialist modernization unfolded, which kept almost the same pace as the global commercial popularization of the Internet. In 1978, the Report on the Work of the Government put a high premium on the development of integrated circuit and electronic computer technology, which not only laid the foundation for the development of China’s information technology industry but also made China quickly aware of the possible security threats posed by the application of this new technology. As early as 1981, China’s public security departments found that computer equipment was exposed to the risk of data leakage through information reproduction. The central government attached enormous importance to this and required the establishment of laws and regulations to ensure that there are laws to abide by to secure China’s computer information systems. In 1982, China began to launch legislative research on the security protection of computer information systems, gradually exploring the road of law-based governance in cybersecurity. By 1994, Decree No. 147 was promulgated and implemented as the first cybersecurity legislation in China. This landmark legislative case has initiated a new era in China’s construction of law-based governance in cybersecurity. 
There is no denying that over a long period of time, the emphasis of China’s legal construction in cybersecurity has always failed to break through the limitation of “computer room thinking.” Specifically, legislation chiefly focuses on the security of computer information systems, which still bears little resemblance to the cybersecurity we understand today. Of course, this is compatible with the level of technological development at that time, which is also the result of “stability” and “lag” of the law itself. After 2000, China’s informatization construction began to develop at top speed, and information technology has been applied extensively on a social scale. The national level attaches more importance to information security as well. In July 2003, the Information Office of the State Council entrusted me to study the information security laws, regulations and law enforcement to offer theoretical research support for the Network Information Security Regulations included in the plan for legislative work of the State Council in 2003. In April 2004, the seminar on Information Security Legislation organized by the Information Office of the State Council was held at Xi’an Jiaotong University. The participants included representatives of crucial industries, ministries and commissions of the State Council, representatives of important enterprises, etc. The theme of the seminar was to probe into the major issues in the domain of information security in China at that time and the ideas of response to legislation. At the seminar, collective demonstration and acceptance of the results of my project were launched as well. In the years that follow, information technology begins to integrate into the fabric of society and is almost indistinguishable from society itself. After the
digital economy has turned into a new “motive power of development,” information technology has made increasingly obvious contributions to the progress of modern society, but this contribution still comes at a cost—we are more dependent on the security of technology and technology utilization activities than ever before—“dependence” is objective. In the realm of jurisprudence, this renders information technology-based social relations, an independent adjustment object, and escalates cybersecurity to be a comprehensive issue involving the country, industry and individuals. With respect to this series of books, several highlights and breakthroughs deserve affirmation and praise. Existing studies generally regard Order 147 as the beginning of China’s network security legislation; nevertheless, the legislative motion before Decree No. 147 and its historical backgrounds are basically a blank area of research. It is indeed a breakthrough of great practical significance to integrate the development of China’s reform and opening up with the legal construction of Chinese cybersecurity legislation, which tremendously broadens the horizon of tracing to the sources of cybersecurity law and makes the study of rule of law in cybersecurity closer to the technological approach. The current international situation is turbulent and changeable. In the context of “technology decoupling” and “deglobalization,” China is drawing up an important plan for supply-side structural reforms, actively developing strategic industries while stabilizing traditional industries, in a bid to avoid the dilemma of “strategic dependence” of core technologies for a long time, raise the level of science and technology, forge core competence and engage in and lead the reconstruction of global industrial chain. 
In the more than four years since the enforcement of the Cybersecurity Law of the People’s Republic of China, China’s network information work has broken new ground, achieved new development and opened up a new situation, which fundamentally advances China’s transition from “a large cyber country” to “a cyber superpower,” provides a vital legal basis for cyberspace governance in accordance with the law, and promotes the continued improvement of China’s comprehensive management capacity of cybersecurity. Looking into the future, quite a number of problems in the legal system of cybersecurity await further perfection. May the author and colleagues in academic circles contribute more wisdom to the research of cybersecurity laws. Here is the Foreword above.
Shanghai, China
September 2020
Ma Minhu
Professor of Xi’an Jiaotong University
Director of Suzhou Institute of Information Security Law, Xi’an Jiaotong University
Introduction
The Fourth Industrial Revolution marked by big data, cloud computing, unmanned driving, AI and 5G is sweeping across the globe. The digital and intelligent revolution has not merely influenced individuals’ living conditions and lifestyles at the microlevel but has altered the production organization mode, national order, international situation and even the world pattern at the macro-level. The expedited integration of the cyber world and the physical world has also spawned and amplified the risk effect of cybersecurity upon which social digital technology relies. On February 27, 2014, General Secretary Xi Jinping clearly stated at the first meeting of the Central Leading Group for Cybersecurity and Informatization that “without cybersecurity, there will be no national security, and without informatization, there will be no modernization.” China officially launched a series of top-level designs and plans for the purpose of building China into a national power in cyberspace. In the context of national development, building an all-round rule of law system of cybersecurity is of primary importance in cybersecurity work. In retrospect, New China’s development in the past 40 years of reform and opening up is of unique and extraordinary historical significance. From the historic decision of “tightening up the socialist legal system” made at the Third Plenary Session of the Eleventh Central Committee in 1978, to the time when the 19th National Congress of the Communist Party of China further promoted adhering to “law-based governance of the country” as the basic strategy for upholding and developing socialism with Chinese characteristics in the new era, the magnificent 40-year socialist legal system with Chinese characteristics is also the 40-year innovation and reform of cybersecurity rule of law in China. 
China has seized the historical opportunity offered by the development of informatization to the country and people; focused on the theme of security and development, it has realized the continuous perfection of rule of law in cybersecurity from scratch, from fragmentation to systematization and from response to prevention and embarked on a path of rule of law in cybersecurity that is both in line with international practices and with Chinese characteristics. Currently, China’s comprehensive governance pattern of network co-construction, co-governance and sharing has basically taken shape, which has scored impressive achievements and been put to the test of history.
Research on the rule of law inside cybersecurity is a major issue of the times brought by the development of information technology. The study of rule of law in cybersecurity poses enormous challenges, taking on prominent interdisciplinary characteristics, which requires strategic, holistic and forward-looking innovative thinking, and finally tests the legal personnel’s capability to get to a grip on society and adapt to social changes. As a generation born after the reform and opening up and growing up with it, I was admitted to the major of Economic Law, Xi’an Jiaotong University in September 2003 and started my postgraduate studies. I have studied under Professor Ma Minhu and listened to his teachings to this day. Professor Ma Minhu is one of the founders of research on information security law and founded the Information Security Law Research Center, Xi’an Jiaotong University, the first academic institution specializing in research on information security law in China. During my academic career, I engaged in the research project entrusted by the legislation of Network Information Security Regulations of the former Information Office of the State Council, and some research findings were written into the Research on Information Security Law (published by Prof. Ma Minhu in 2004), China’s first monograph that systematically studies the basic theory of information security law. Thanks to the research foundation and support of my supervisor and seniors, I can launch related research and academic exploration from a comparatively high starting point. In June 2007, I joined the Third Research Institute of the Ministry of Public Security and began to work as a people’s police engaged in cybersecurity. 
As a legal person on the front of public security science and technology, the study of rule of law in cybersecurity is the objective need of implementing the practice of comprehensively governing the country in accordance with the law and the requirements of public security work in the new era, and it is also a professional and personal feeling derived from teachers’ instructions. Over the past four decades of reform and opening up, China, like other countries throughout the world, has been increasingly confronted with complex and changeable cybersecurity issues. The change of social form described in the Third Wave, Being Digital or the Rise of the Network Society, is becoming a reality, and the change of legal paradigm of cybersecurity in China is precisely unfolding in this process. Officially enforced basic laws, such as the Cybersecurity Law of the People’s Republic of China, the Cryptography Law of the People’s Republic of China, the National Security Law of the People’s Republic of China and the Counterterrorism Law of the People’s Republic of China, the Data Security Law and the Personal Information Protection Law, have jointly constructed a Chinese legal assurance system of cybersecurity characterized by more coordinated horizontal internal systems, a wider external radiation scope and more three-dimensional longitudinal systems, principles and rules. In the course of nearly 20 years of academic research, a large number of my academic research findings are also closely associated with these legislations. Moreover, thanks to the support of my Supervisor and the Third Research Institute of the Ministry of Public Security, I have attained the value goal of applying scientific research findings directly to legislation on cybersecurity, which has been fully recognized by national and local institutions such as the Legislative Affairs Commission of the Standing Committee of the National People’s Congress, the State Cryptography
Administration, Cyber Security Department of the Ministry of Public Security, Legal Affairs Bureau of the Ministry of Public Security and the Office of the Leading Group for Big Data Security of Guizhou Province. At the moment, I and the team of the Cybersecurity Law Research Center of the Third Research Institute of the Ministry of Public Security are serving the needs of the work of the cybersecurity center, fully integrating social forces such as universities, scientific research institutions, cybersecurity associations and Internet enterprises and other social forces and conducting extensive academic exchanges to jointly explore the future direction of cyberspace security governance in China. We have made persistent endeavors in the research, drafting and revision of subordinate administrative regulations of the cybersecurity law, such as the Regulations on the Classified Protection of Cybersecurity and the Regulations on the Security Protection of Critical Information Infrastructure, and the formulation of the guidelines for the administrative law enforcement of cybersecurity. The series of books published this time—the Review Volume of Research on China’s Rule of Law in Cybersecurity: Zhongguo Wangluo Anquan Fazhi 40 Nian, the Trend Volume of Research on China’s Rule of Law in Cybersecurity: Research on the Rule of Law of Cybersecurity 2020 and the Compliance Volume of Research on China’s Rule of Law in Cybersecurity: Analysis on the Law of Cybersecurity 2020—outline the prospect of cybersecurity rule of law in China from different dimensions. From the point of view of the reality of the rule of law, the Review Volume presents the development course of the 40-year construction of the cybersecurity rule of law in China. 
From the point of view of academic research, the Trend Volume brings together some research findings on the legal issues of cybersecurity, such as data governance, legal regulation of security vulnerabilities, personal information protection, protection of critical information infrastructure security and forensics and authentication of electronic data, in recent years. From a practical point of view, the compliance volume shows Yuan Hao’s understanding of cybersecurity compliance and reflection on legal rules at a higher level as a professional lawyer. The Review Volume of Research on China’s Rule of Law in Cybersecurity: Zhongguo Wangluo Anquan Fazhi 40 Nian divides the legalization process of China’s cybersecurity into three stages: security governance of network tools, security governance of network society and security governance of network country. By sorting out the cybersecurity policies and laws in different stages as well as their development trends, it well reflects the evolution process of the rule of law on the strength of the technical application scenarios, which provides valuable basic data for legal construction development in cybersecurity and offers crucial practical value. In the face of such a grand task—research on the 40-year history of cybersecurity legal construction in China—we not only need to gain a profound understanding of China’s Internet industry but also have an accurate command of the evolution and essence of China’s cybersecurity legal regimes. This is indeed not easy for the writing team. Fortunately, we have received unreserved guidance from Prof. Ma Minhu and many seniors of the Expert Committee of China Information Security Law Conference in this work. Here, we sincerely express our gratitude: Thank you! Looking ahead, China’s opening up is offering new avenues and presenting new opportunities to nations around the world. Faced with the profound changes in the
world today, it is the responsibility and dream of all cybersecurity legal persons to accelerate the building of a model of comprehensive law-based governance, to explore China’s plan for cybersecurity regulation on the basis of international experience and domestic practice, to transform the effectiveness of Chinese law-based model building into real governance efficiency, to maximize the digital well-being of the country, society and individuals and finally to fulfill the modernization of national governance capacity. The realization of these dreams still requires the exploration and struggle of all colleagues, which is also the essence of my team’s perseverance. What’s past is prolog. The year 2021 is destined to be an extraordinary year. Thanks to Guo Shanshan and her editorial colleagues from Huazhong University of Science & Technology Press, we have gone through the epidemic and headed for the future hand in hand! I hereby express my heartfelt thanks to Yuan Hao, He Zhile, Hu Wenhua, Liang Siyu, Ma Ning, Zhao Lili and other editors who worked with me. Let us set sail again and work for a glorious future with our united efforts! The editors of this series are limited in talent and learning, so we dare not say anything about the value of the series. However, I wish that the publication of this series will be a boon to the study of cybersecurity rule of law in China in the future.
Daoli Huang
Researcher of the Third Research Institute of the Ministry of Public Security
Secretary General of the Expert Committee of China Information Security Law Conference
Contents
1 40 Years of China’s Legal Construction in Cybersecurity
1.1 Cyberspace Governance in the View of Equipment Security
1.1.1 Legislative Background
1.1.2 Legislative Process
1.1.3 Legislative Assessment
1.2 Cyberspace Governance in the View of Social Security (2000–2012)
1.2.1 Legislative Background
1.2.2 Legislative Process
1.2.3 Legislative Assessment
1.3 Cyberspace Governance in the View of National Security (2013–2020)
1.3.1 Legislative Background
1.3.2 Legislative Process
1.3.3 Legislative Evaluation
References
2 40 Years of China’s Regulatory Development in Cybersecurity
2.1 The Early Stage of Internet Administration Construction: The Police-Led Supervision Model (1994–1999)
2.2 The Emergence of the Multisectoral Participation Model (2000–2007)
2.3 The Initial Overall Coordination Model (2008–2013)
2.4 The Strengthened Overall Coordination Model in the New Period (2014–2021)
References
3 40 Years of China’s Judicial Reforms in Cybersecurity
3.1 Criminalization and Punishment of Cybercrimes
3.2 Reinforcement of Civil Relief
3.3 Standardization of Actual Administrative Behavior
3.4 Innovation of Trial Mechanism
References
4 40 Years of China’s International Governance in Cyberspace
4.1 Evolution and Development of China’s International Governance in Cyberspace
4.1.1 Holding High the Banner of Cybersecurity Sovereignty
4.1.2 Making Endeavors to Maintain Peace in Cyberspace
4.1.3 Shaping the Asia–Pacific Cybersecurity Concept
4.1.4 Raising the Security Consensus of BRICS
4.1.5 Consolidating the Consensus on Cybersecurity Between Asia and Europe
4.2 Game and Cooperation Between China and the United States in Cyberspace
4.2.1 Development Process of the Game
4.2.2 Typical Game Incidents
4.2.3 Cooperation Situation
4.3 Disagreements and Cooperation Between China and the EU in Cyberspace
4.3.1 Development Process of the Game
4.3.2 Cooperation Situation
4.3.3 Cooperation Mechanisms
References
5 Future Prospects of China’s Legal Construction in Cybersecurity
5.1 Serve “Digital Well-Being” as the Fundamental Gist
5.2 Correctly Handle the Relationship Between Technological Development and Legal Initiative
5.3 Promote the Development of Legislation, Law Enforcement and Judicature in a Scientific and Coordinated Manner
5.4 Design Security System Around the Core Element of Data
5.5 Conclusion
Annex: Research on Global Data Trading Practices, Industry Norms and Legal Issues
Chapter 1
40 Years of China’s Legal Construction in Cybersecurity
In 1978, China entered the new era of reforming and opening up and socialist modernization construction. In that year’s Report on the Work of the Government, it was proposed to energetically develop emerging science and technology, particularly to expedite the development of research on integrated circuits and electronic computers and to apply them extensively in all aspects. To date, China’s Internet industry has developed for more than four decades. The development of the Internet industry for more than four decades is the history of China’s legal construction in cybersecurity and the exploration history of maintaining a balance between development and security. On September 14, 1987, Beijing sent China’s first e-mail, launching the prelude to China’s use of the Internet. On April 20, 1994, the demonstration network project of education and scientific research in the Zhongguancun area was implemented through the 64 K international dedicated line connected to the Internet by Sprint Company of the United States, and China became the 77th country with a fully functional Internet on a global scale. The opening of the international dedicated line was a huge milestone in the development of China’s Internet industry. Since then, China has officially started to take the path of informatization construction. Over the past four decades, the application of the Internet in China has gradually infiltrated into all aspects of society, such as politics, economy, military, culture and business, from a few fields, such as computer, education and scientific research, in the early stage. Driven by the “Internet +” wave, China has gradually moved from “following” to “running alongside” in information technology innovation, platform economy development and new business forms and new applications, and in some areas, China has “taken the lead in race”. 
In the past 40 years, the Internet has approached average households from minority groups in individual fields, and China has taken first place worldwide with respect to the number of cyber citizens, becoming a veritable large cyber country. Over the past four decades, China, like other countries throughout the world, has been increasingly confronted with complex and changeable cybersecurity issues. Faced with such threats and risks as raging computer viruses, frequent network attacks, rampant illegal and criminal network activities, and deviated ecological governance of networks, China constantly explores the balance between security and development while stimulating the development of Internet construction at top speed. In the past 40 years, China’s rule of law in cybersecurity has undergone many changes. Along with the perfection of legal system from Decree (No. 147) of the State Council in 1994, the Regulations of the People’s Republic of China on the Security Protection of Computer Information Systems, to the Decision of the Standing Committee of the National People’s Congress on Guarding Internet Security in 2000, and then to the Cybersecurity Law of the People’s Republic of China in 2016 (hereinafter referred to as Cybersecurity Law) as well as its supporting laws and regulations, China’s rule of law of cybersecurity has undergone changes from security governance of network tools, security governance of network society to security governance of network country, realizing the transformation from scratch, from fragmented legislation to systematic legislation, and from extensive legislation to refined legislation.
© Huazhong University of Science and Technology Press 2022. D. Huang, Research on the Rule of Law of China’s Cybersecurity, https://doi.org/10.1007/978-981-16-8356-5_1
1.1 Cyberspace Governance in the View of Equipment Security

1.1.1 Legislative Background

At the beginning of the application of information technology, China began to realize the significance of information technology and informatization for national security and economic construction. At this stage, China worked hard to change the traditional opinions of information technology, making the national decision-making bodies and crucial industries realize that science and technology, especially computer information technology, can be extensively applied in traditional administrative areas to improve the management system and raise the level of modernization. At this stage, the government played the leading role in researching and popularizing computer technology, which was regarded as a tool to enhance the national management level. The computer applications that emerged as a result were chiefly concentrated in education, scientific research, government and other crucial areas, and the basic operations of the network were conducted by public networks, education networks, science and technology networks, economic and trade networks and other industries. With regard to economic construction, China launched the great new revolution of reform and opening up in 1978 and entered a new era of socialist modernization. Upholding the idea that only when the country is strong can it truly assure security, China began to put a high premium on the development and application of science and technology. In 1978, the Report on the Work of the Government proposed catching up with the ever-changing pace of modern science and technology with the least delay possible, energetically developing emerging science and technology, particularly expediting the development of research on integrated circuits and electronic computers and making them extensively used in all aspects. In 1985, the Central
Committee of the Communist Party of China released the Decision on the Reform of Science and Technology System, emphasizing that economic construction must rely on science and technology, and scientific and technological work must be oriented to the strategic policy of economic construction. In 1986, China came up with the National High-Tech Research Development Plan (i.e., “863” Plan). As a strategic plan, it is linked with information technology, including communication technology, information acquisition and processing technology, and automation technology of computer integrated manufacturing systems and intelligent robot themes. In August of the same year, Wu Weimin of the Institute of High Energy Physics, Chinese Academy of Sciences, through satellite connection, remotely logged into the account of Wang Shuqin on the machine VXCRNA at CERN, Geneva, on an IBM PC at 710 Beijing Institute and sent an e-mail to Steinberger in Geneva.¹ However, this e-mail was sent only by remote login and controlled by computers thousands of miles away, without forming a data exchange protocol between computers.² In September 1987, with the help of the research team led by Professor Werner Zorn of Karlsruher Institut für Technologie in Germany, Professor Wang Yunfeng and Dr. Li Chengjiong set up an e-mail node in the Beijing Institute of Computer Applications (ICA) and successfully sent an e-mail to Germany on September 20th, with the content of “Across the Great Wall we can reach every corner in the world”.³ As a result, the first e-mail was born in China. Since the reform and opening up, China’s inbound and outbound goods and articles have increased in large quantities. It was difficult to satisfy the actual demand of business volume processing by simply increasing the number of business personnel in the customs system. Since the mid-1960s, developed countries have set out to study the computer application of customs.
During the “7th Five-year” Plan, the State Council established the construction of 12 crucial electronic information and business systems, including the national economic information system, public security, railway, civil aviation, meteorology, banking, and other information systems.⁴ In March 1993, Zhu Rongji, then Vice Premier, presided over the meeting and proposed and planned the construction of the China Golden Bridge Network (referred to as the ChinaGBN Project). In August of the same year, Premier Li Peng approved the use of prime minister reserve funds, totaling $3 million, to support the startup of ChinaGBN pre-project construction.⁵ At the end of 1993, the Three Golden Projects, the initial project of China’s national economy informatization, was officially launched, namely, the ChinaGBN Project, Golden Customs Declaration Project and Golden Card Project, which is intended to build China’s “information quasi-high-speed national highways”⁶ and raise the informatization level of the national economy from infrastructure construction, foreign trade and finance. During the construction of these information projects, China realized that only by improving the networking degree can computers achieve high-level application development. In April 1994, China’s NCFC project was opened through the 64 K international dedicated line connected to the Internet by Sprint Company of the United States, realizing full-function connection with the Internet, and China was officially recognized as the 77th country with full-function Internet internationally. In May 1994, the Institute of High Energy Physics, Chinese Academy of Sciences set up the first Web server and launched the first set of web pages in China. In addition to introducing China’s high-tech development, there was also a column called “Tour in China”. Meanwhile, the National Research Center for Intelligent Computing Systems opened Shuguang BBS Station, the first BBS station in mainland China. In August 1995, the ChinaGBN Project was initially accomplished, and networking (satellite network) was opened in 24 provinces and cities, which was connected with international networks. In December of the same year, the “100-Institute Networking” Project of the Chinese Academy of Sciences was accomplished.⁷ China has gradually entered the preparatory stage of Internet development. In the realm of safety control, under the impetus of the development of computer science and technology, social and national security issues became complex and changeable along with the popularization of computer and networking applications in the early 1980s. Thereafter, Western developed countries adopted network security defense countermeasures in succession. Upon investigation, it was found that computer security turned into a topic of prominence in the international community.

1 Memorabilia of Internet from 1986 to 1993. http://www.cac.gov.cn/2009-04/10/c_126500533.htm.
2 China’s bumpy Internet access path: the Internet coming out of the narrow path. http://www.isc.org.cn/ftfy/ft/listinfo-13329.html.
3 Memorabilia of Internet from 1986 to 1993. http://www.cac.gov.cn/2009-04/10/c_126500533.htm.
4 Gang [1].
5 Memorabilia of Internet from 1986 to 1993. http://www.cac.gov.cn/2009-04/10/c_126500533.htm.
Sweden, the United States, Canada, Britain, France, Germany and other countries worked out or set up specialized legislation and research institutions. The United Nations set up the IFIP/CSTC, which held an international conference on a yearly basis. Restricted by the ideology and Paris Coordinating Committee of NATO, computer technology had not yet been popularized and applied in socialist countries. China recognized that although domestic computers had just started and were still in the experimental stage of research and development, the popularization and application of computers had proven to be an inevitable trend, and national and social security issues in the international community would also apply to China. If there were no sound countermeasures prepared in advance, there would inevitably be potential security risks in building information infrastructure and setting up Internet applications in China with computing devices exposed to numerous hidden safety hazards. To address the potential threats to national security imposed by information technology, the central government took three strategic measures: ➀ set up special departments to stimulate the development of information technology; ➁ establish laws and regulations and enact legislation to ensure that there are laws to abide by in the security work of China’s computer information system; and ➂ crack down upon information crimes and promote security and development simultaneously. In 1983, the Chinese public security unit set up a computer management and supervision institution, the Public Information Network Security Supervision Bureau⁸ (Computer Administration and Supervision Bureau of the Ministry of Public Security), which was provided with two functions: first, planning and building the computer network system for public security, boosting the informatization and modernization of public security business, and forming and summing up the practical experience of computer security in China simultaneously; second, studying and judging the dynamics and trends of computer security at home and abroad, and working out national and social countermeasures for public security with Chinese characteristics. In addition, to ensure that the state has laws to abide by and rules to follow in protecting the computer information system as well as its associated networks, in 1982, China set about launching legislative research around the security protection of computer information systems and gradually explored the construction of the cybersecurity rule of law in China with emphasis on equipment safety. After several years of investigation, analysis and legislative planning, it was recognized that China shall first set up the basic management system of computer security. In 1986, the Ministry of Public Security drafted China’s first computer security regulation and began to solicit opinions extensively, which were reported to the Ministry of Public Security, the Legal Affairs Office of the State Council and the Standing Committee of the State Council for examination and verification level by level.

6 https://baike.baidu.com/item/ThreeGoldenProjects/106799?fr=aladdin.
7 Memorabilia of Internet from 1994 to 1996. http://www.cac.gov.cn/2009-04/11/c_126500497.htm.
During the period of examination, with respect to the legislation hierarchy, the State Council considered that computer information security is a newly emerging thing that shall be coarse rather than fine, so it is more prudent to introduce administrative regulations first, leaving room for the later development of the computer industry and system adjustment. It is advisable that the administrative regulation system shall be upgraded to law with solid social practice experience after a certain period of enforcement. Throughout this process, computer viruses and special computer crimes had been increasingly rampant in all parts of the country, although computers in China were still in the stage of stand-alone application and a computer network had not yet taken shape. In July 1986, the case in which Chen, an accountant of Shekou Subbranch, Shenzhen Branch of Bank of China, and Su, an accountant of Dongmen Subbranch, Shenzhen Branch of Bank of China, jointly stole customer deposits via computers, was solved, and it was the first computer-related crime discovered in China.⁹ In 1988, China discovered the first computer virus since the founding of New China, that is, bouncing ball virus. The virus influenced the running efficiency of computer software, with instant widespread accessibility. Since then, large-scale viruses such as 64 virus, Michelangelo virus and Black Friday virus have appeared continuously, which indirectly pushed forward computer security legislation at this stage. As computer security issues successively arose in various places, local legislation also played a crucial role in the early stage of China’s legal construction in cybersecurity. In September 1990, Heilongjiang Province People’s Government released the Regulations on Security Management of Computer Information System in Heilongjiang Province (now invalid), pointing out that computer information system refers to the information processing system (including single-closed system) made up of computers as well as related and supporting equipment, facilities, information and staff. Computer system security refers to avoiding all types of unintentional errors and damages, preventing the computer system and data from being illegally exploited or destroyed, and guaranteeing the normal operation of the computer system. As a local government regulation, this provision offered practical experience for the setting of Decree No. 147.

8 In 2008, the Public Information Network Security Supervision Bureau of the Ministry of Public Security was renamed as the Cyber Security Department of the Ministry of Public Security, and the cybersecurity teams of local public security departments were set up successively.
9 Analysis of the Development Trend of Computer Crimes. https://www.docin.com/p-6041481.html.
1.1.2 Legislative Process

In February 1994, the State Council officially published the Regulations on the Protection of Computer Information System Security (Decree No. 147), which was China’s first administrative regulation specially worked out for cybersecurity issues. In line with the State Council’s guiding spirit that “the first regulation shall be coarse rather than fine principally and leave room for development and change”, Decree No. 147 basically implemented the three strategic measures proposed by China in the early days, focusing on guaranteeing the security of computer information systems. First, it clarified the supervision mechanism. As the security issues arising from the popularization and application of computers are considered social problems, a supervision system has been set up for the heads of public security units, the Ministry of National Security, the National Administration of State Secrets Protection and other relevant departments of the State Council to do relevant work well within the scope of their duties. Second, it ensured that there are laws to abide by: it clearly defined the concept of computer information systems and their security protection, specified the scope of application and crucial objects of security protection principally, set up and carried out a series of regulations such as security classified protection, international networking filing, sales licenses for special products, etc., and provided for computer security supervision in accordance with the laws. Finally, it punished illegal crimes. Decree No. 147 grants the Ministry of Public Security certain security supervision authority:

I. Unify and standardize, supervise, inspect and guide the security protection of computer information systems;
II. Investigate and deal with illegal and criminal cases that endanger the security of computer information systems;
III. Perform other supervisory duties of security protection of computer information systems;
IV. Inform the user unit to take security protection measures in a prompt manner when potential security hazards are found;
V. Grant the Ministry of Public Security emergency legislative power for specific matters, that is, special general orders, in a bid to leave the Ministry of Public Security with authority and lay a foundation for subsequent application with uncertainty.

Decree No. 147 defines a redline for national security protection and mandates that all units and individuals make use of computer information systems within the statutory security specifications. In brief, Decree No. 147 has three highlights. First, it incorporated cybersecurity into facility security for protection in the early 1990s, when the networking function was confined to a few areas and was not yet popularized. As the definition of a “computer information system” indicates, a computer serves as the main element, while the related and supporting equipment and facilities means the configuration of information system-related equipment, that is, the software and hardware required for the normal functioning of the system and the application of business data/information processing functions. The supporting facilities include computer room building, site environment, power supply, related communication equipment and lines inside and outside the system, etc. The reason why the network is included is that the basic functional characteristics of the network are interconnection and communication, and the network is an interrelated system made up of nodes and connecting lines, that is, the system. Computer systems and information systems chiefly composed of computing devices are characterized by interrelated operation, communication and resource sharing between their internal functions. If there is no correlation, the system and information are only isolated islands, and it is impossible to fulfill informatization and modernization. Thus, it is necessary to bring the network into the security of facilities for protection.
In addition, it emphatically protects the security of computer information systems in crucial areas such as state affairs, economic construction, national defense construction, and cutting-edge science and technology. While drawing lessons from the relevant experience of crucial infrastructure legislation abroad, this article clarifies that the security of China’s computer information systems emphasizes the safe and normal running of national functions, the smooth progress of economic construction and scientific and technological development, and national defense construction and defense security. Therefore, it is proposed to emphatically protect the security of computer information systems in crucial areas, among which economic construction covers a wide range, and Decree No. 147 is not exhaustive. Finally, with respect to security supervision, public security units are granted supervisory powers in security protection, investigation and punishment of illegal crimes, etc., which shows the determination of the state to strongly guarantee the operation of computer information systems as well as their associated networks and the order and security of virtual social activities in cyberspace, facilitate the application and development of computers, and guarantee the smooth progress of socialist modernization. Specifically, Decree No. 147 has set up nine systems to guarantee the security of computer information systems, as follows:

1. Carry out legal and standardized security protection. Decree No. 147 requires that the construction and application of computer information systems shall be subjected to laws, administrative regulations and other relevant provisions of the state. The system construction and maintenance party shall comply with and carry out relevant laws and regulations and relevant state regulations, do well in system security construction and security maintenance management, and violations of law must be investigated; those who engage in business applications and information processing with system resources shall comply with laws and regulations and relevant state regulations, and lawbreakers must be prosecuted. Legalization renders it necessary to transform the national laws, regulations and provisions on security protection into the security policy system of computer information systems as well as their associated networks and integrate the system of security control rules in the course of data/information calculation and processing in the system operation and application to ensure the automatic execution of computing equipment. Finally, for security protection, construct the overall security defense system of computer information systems as well as their associated networks, dominated by the system of rules of legalization of security policy and with the security control mechanism of computing process of computing environment as the focus.
2. Set up and implement the security classified protection system. Level, in essence, is a natural attribute, and the classification of levels is a benchmark scientific method for security protection. In the information age, all sorts of computer information systems and their associated networks in various areas of the country are vital strategic resources, and therefore, it is of significance to carry out scientific and reasonable security protection measures. From the point of reality, the construction of classified protection system is a necessary trend, and it is imperative to offer security classified protection for national computer information systems as well as their associated networks in line with the law and standards, and ensure the key points; construct a deep, multilevel and overall security defense system from small to large, from point to area and from inside to outside to enhance the security defense capability, dominated by the system of legal security policy and with the science of computing environment and safety control mechanism of computing process as the focus; carry out a classified protection system and build a five-in-one scientific protection system for the security and risk prevention of computing equipment, systems as well as their associated networks and virtual environment, which includes measurement (security level to be grasped in construction and management), assessment (self-assessment and evaluation), testing (self-testing and examination), supervision (industry supervision and law enforcement supervision) and investigation (self-investigation and law enforcement investigation), and enhance the capability of security protection. The classification of security protection levels chiefly considers the social and economic value level of system resources, the risk level of system resources facing hazards, the level of science and technology support capability of system security, and the level of security protection intensity that the country shall implement.
3. Establish the security protection system for computer rooms. Computer room, data center, etc. are the essentials of computer information systems, and hence the security protection of infrastructure such as computer rooms of important computer information systems shall comply with relevant state regulations.
4. Construct the administration system of international networking filings. Upholding the concept that filing is a means and management is an end, Decree No. 147 specifies that the international networked computer information system shall comply with the relevant national and departmental regulations and standards on security protection and try to understand the international networking of computer information systems and the security protection of the access flow of data/information as much as possible.
5. Implement the customs transit declaration system of computer information media. The incoming/outgoing computer information media passing through the customs gate shall be declared to the customs, and the customs shall be responsible and entitled to inspect the incoming/outgoing computer information media.
6. Clarify the responsibility and institution of security management of computer information systems. The effectiveness of security protection work requires each unit’s strict performance of duties, the perfection of the security management system and the formation of a system operation mechanism.
7. Carry out the 24-hour reporting system of cases. In the security management system of computer information systems, the responsibilities and procedures for case discovery, preliminary judgment, evidence retention, emergency response, and reporting shall be set up to cooperate with public security units to accept and investigate in a prompt manner and jointly safeguard the security of computer information systems.
8. Set up and optimize centralized management systems for the prevention and control of harmful data such as computer viruses. Harmful data, such as computer viruses, easily diffuse by virtue of the interconnection and immediacy of the network. To prevent proliferation or more harm, it is under the centralized management of the Ministry of Public Security.
9. Establish the sales license system of special products for security of computer information systems. To guarantee the security of computer information systems, the security concept shall be embodied throughout the life cycle of related equipment (products) from design to post maintenance. The security equipment (products) used to build security systems as well as their associated networks shall be guaranteed to conform to national standards and security regulations from the aspects of design scheme, production process, sales and use, aiming to strongly facilitate the autonomy and controllability of crucial information technologies through the sales license management system and government procurement system and to guarantee the security construction needs of computer information systems as well as their associated networks.
Furthermore, Decree No. 147 specifies that the measures for security protection for unconnected microcomputers shall be worked out separately. Microcomputers include portable computing equipment; once connected to computer information systems and their associated networks, such equipment is terminal computing equipment, which is controlled by a system security mechanism. Unconnected microcomputers cover a wide range of areas, undergoing enormous changes and facing complicated situations. It is not suitable to offer a unified method for their security protection at the national legal level. The provision in Decree No. 147 that such measures shall be worked out separately means that various industries, departments, units and institutions can draw up reasonable measures for security protection in consideration of the actual circumstances and needs and with reference to relevant regulations. Generally, the promulgation and enforcement of Decree No. 147 achieved the first breakthrough, starting from zero, in China’s legislation of information security, filled the gap of legal norms in the information age, and laid a solid foundation for supporting systems and local legislation. Upon promulgation of Decree No. 147, the revision of the Criminal Law of the People’s Republic of China (hereinafter referred to as Criminal Law), the People’s Police Law of the People’s Republic of China (hereinafter referred to as the People’s Police Law), the Law of the People’s Republic of China on Penalties for Administration of Public Security (hereinafter referred to as Law on Penalties for Administration of Public Security), the setting and revision of departmental regulations, local regulations, relevant military regulations and relevant national information security protection standards have gradually started. With respect to the security classified protection system, in September 1999, the Ministry of Public Security organized the drafting, and the State Bureau of Technical Supervision published the first mandatory national standard for information security protection in China, the Classified Criteria for Security Protection of Computer Information Systems (GB17859-1999).
This standard also adopts the method in the principle of being coarse rather than fine, which is intended to offer technical guidance and foundation for the development of security products, the setting of specific standards, the construction and management of security systems, relevant laws and regulations and their enforcement. The standard classifies the security protection capability of computer systems into five levels, namely, user independent protection (Level 1), system audit protection (Level 2), security mark protection (Level 3), structured protection (Level 4), and access verification protection (Level 5). Along with the increase in security level, computer information systems have become increasingly capable of security protection. In April 1994, China officially accessed the Internet. To ensure that international networking has rules to follow and laws to abide by, in February 1996, the State Council released the Interim Regulations of the People’s Republic of China on the Administration of International Networking of Computer Information Networks (Decree No. 195) from the point of view of reinforcing industry management, requiring computer information networks to directly connect with international networks and use the international entrance and exit channels furnished by the national public telecommunication network of the Ministry of Posts and Telecommunications. No unit or individual may set up itself or connect with international networks through other channels. License management should be employed for the business activities to be working on, and the examination and approval system should be applied to the nonbusiness activities. Apart from that, providers of international
entrance and exit channels, interconnection units and access units shall set up corresponding network management centers, reinforce the management of their own units as well as their users, and do well in security management of network information. Units and individuals working on international networking business shall strictly execute the security and confidentiality system and shall not launch illegal and criminal activities such as endangering national security and revealing state secrets by taking advantage of international networking. Based on Decree No. 195, the Ministry of Posts and Telecommunications and the State Education Commission successively promulgated the Measures for the Administration of International Networking of Public Computer Internet in China and the Interim Measures for the Administration of Education and Research Computer Network in China in the same year, respectively, to reinforce the management of international networking of public computer Internet and education and research computer network (CERNET). The computer security problems faced by our country are not limited to the computer system security level by accessing the international network. To address the new problems endangering social security, such as the influx of illegal and harmful information incurred by the international networking of computers, in December 1997, the Ministry of Public Security released the Measures for the Administration of Security Protection for International Connections to Computer Information Networks (Decree No. 33 of the Ministry of Public Security) for the sake of guaranteeing the security of international networking of computers. Decree No. 33 of the Ministry of Public Security is based on the higher-level laws of Decree No. 147 and Decree No. 
195, which specify that the computer management and supervision institution of the Ministry of Public Security shall be responsible for the security protection and management of international connections to computer information networks; Units and individuals working on international networking business shall accept the security supervision, testing and guidance of public security unit, truthfully furnish public security unit with information, materials and data associated with security protection, and offer assistance for public security unit to investigate and deal with illegal and criminal acts through computer information networks connected to the international network. Decree No. 33 also specifies five types of harmful behaviors of computer information cybersecurity that are prohibited, including accessing computer information networks or making use of computer information network resources without permission; deleting, modifying or adding functions of computer information networks; deleting, modifying or adding data and applications stored, processed or transmitted in the computer information network; and deliberately making and spreading destructive programs such as computer viruses, which endanger the security of computer information networks. Additionally, to cope with the inflow of a large amount of false and harmful network information after international networking, Decree No. 195 and Decree No. 33 of the Ministry of Public Security have clearly come up with the management of network information content. Decree No. 195 requires that information that hinders public order and contains obscene pornography shall not be produced, consulted, copied and disseminated; Decree No. 33 of the Ministry of Public Security prohibits the production, reproduction, consultation and dissemination of nine
types of information, including fabricating or distorting facts, spreading rumors and disturbing social order; advocating feudal superstition, obscenity, pornography, gambling, violence, murder and terror, and abetting crimes; publicly insulting others or fabricating facts and slandering others. When the computer management and supervision institution of the public security unit discovers the addresses, directories and servers containing nine types of information content prohibited from being produced, copied, consulted, and disseminated, it shall inform the relevant units to close or delete them. With respect to the prevention and control of computer viruses, in April 2000, the Ministry of Public Security issued the Measures for the Administration of Prevention and Control of Computer Viruses (Decree No. 51 of the Ministry of Public Security). Decree No. 51 of the Ministry of Public Security is based on the higher-level law of Decree No. 147, which clarifies that exploiting units of computer information systems shall perform six duties, such as setting up their own management system for the prevention and control of computer viruses and using prevention and control products of computer viruses with sales licenses of special products for the security of computer information systems. Any unit or individual shall detect computer viruses when downloading programs and data from the computer information network or purchasing, maintaining or borrowing computer equipment. For the sales license of special products, in December 1997, the Ministry of Public Security issued the Measures for the Administration of Testing and Sales License of Special Products for the Security of Computer Information Systems (Decree No. 32 of the Ministry of Public Security). Decree No. 32 of the Ministry of Public Security takes Decree No. 
147 as the basis of the higher-level law and makes further detailed regulations on the production, testing and sales licenses of special products for the security of information systems. It is stipulated that special security products in China shall enter the market for sale, and the sales license system shall be exercised. To apply for a license, the security function must be tested and identified by a testing institution approved by the computer management and supervision department of the Ministry of Public Security. In the same year, the Ministry of Public Security released the Classification Principles of Special Security Products for Computer Information Systems (GA163-1997), which classified the special security products of computer information systems from three aspects: physical security, operational security and information security. Specifically, information security includes operating system security, database security, cybersecurity, virus defense, access control, encryption and authentication. With respect to domain name management, in May 1997, the Leading Group of Informatization under the State Council released the Interim Measures for the Administration of Internet Domain Name Registration in China, which stipulate that the top-level domain name officially registered and operated by China in InterNIC was CN. Under the top-level domain name CN, the hierarchical structure is used to set domain names at all levels. Administration units of domain names below the third level (including the third level) are determined by means of level-by-level authorization. Administration units of domain names at all levels shall be responsible for the registration of their subordinate domain names.
As far as confidentiality management is concerned, the National Administration of State Secrets Protection has successively released the Interim Regulations on Confidentiality Administration of Computer Information Systems and the Regulations on Confidentiality Administration of International Connections to Computer Information Systems, which require that confidential information and data be collected, stored, processed, transmitted, used and destroyed in accordance with confidentiality regulations. Computer information systems involving state secrets shall not be directly or indirectly connected with the Internet or other public information networks and must be physically isolated. With regard to local legislation, Heilongjiang, Chongqing, Jiangsu, Zhejiang and other places have successively worked out the Regulations on Security Management of Computer Information System in Heilongjiang Province, the Regulations of Chongqing Municipality on Security Protection of Computer Information Systems, the Measures for the Administration of Security Protection of Computer Information Systems in Jiangsu Province and the Measures for the Administration of Classified Protection of Information Security in Zhejiang Province, etc., and pushed forward the enforcement of Decree No. 147 in light of local conditions. Following the application and development of computers and the emergence of computer crimes, the Criminal Law of 1997, as the last step to punish crimes, brought the illegal invasion or destruction of computer information systems into the regulation category and stipulated two crimes: illegally invading and destructing computer information systems. 
Specifically, for computer information systems in the areas of state affairs, national defense construction and cutting-edge science and technology, it shall constitute a crime once intrusion occurs, and it is not required to reach serious consequences, which shows that China has special protection for computer information systems in crucial areas that threaten national security. Apart from that, giving consideration to the role of destructive programs such as computer viruses in computer crimes, the Criminal Law specifies that intentional production and dissemination of destructive programs such as computer viruses, which influence the normal functioning of computer systems and result in serious consequences, are also crimes. In terms of responsibilities and authorization, the People’s Police Law of 1995 specifies that the people’s police of public security units shall be responsible for supervising and managing the security protection of computer information systems in accordance with the law, ensuring the authority of public security units in computer security protection at the basic law level.
1.1.3 Legislative Assessment
In the last two decades of the twentieth century, China’s Internet application chiefly involved education, scientific research, economy and trade, finance, railways, government, and other crucial areas. The public networks, education networks, science and technology networks, economy and trade networks launched the basic network operation, and the networks were chiefly used as a tool for information processing,
storage, and transmission. The major problems are the generation of computer viruses, network attacks and illegal and harmful information, which harm cybersecurity in crucial areas. The characteristics of the times in the early preparation stage of Internet development resulted in legislative work at this stage chiefly filling the gaps, establishing an early supervision system and exploiting the future development path.
1. Chinese legislation in cybersecurity developed along an arduous road and experienced a process of emerging.
At the initial stage of computer development in China, computer applications were confined to a few areas. Although computer security issues appeared occasionally, the application areas were rather limited, which was insufficient to threaten social security and even national security. Thus, the legal construction in cybersecurity emphasized filling the vacancy and ensuring that there were laws to abide by first. From 1986, when the Ministry of Public Security drafted China’s first computer security regulations and began to solicit opinions, to 1994, when Decree No. 147 was officially promulgated, eight years of difficult exploration were undertaken. As China’s first special legislation in the computer realm, the core system design, the establishment of supervision mechanism, the setting of legal responsibilities and the choice of legislative level are all the balance between practical needs and legislative technology, computer development level and legislative foresight at this stage, which embodies the choice and consideration of legislators in the initial stage of the legal construction of cybersecurity, and profoundly proves that China’s legal construction in cybersecurity is not for the purpose of restraining or suppressing the development and application of information technology, but emphasizes the development while guaranteeing security and better guaranteeing security while achieving development.
2. Chinese legislation in cybersecurity focused more on equipment safety and laid the groundwork for a sound legal system
At this stage, China’s information network construction was in the initial phase of development, and ICT infrastructure and network platforms remained to be developed. The legal system chiefly concentrated on protecting the security of computer information systems and ensuring the equitable distribution of basic Internet resources. More specifically, the cybersecurity laws in this stage focused more on the maintenance and protection of certain computer systems in crucial areas and valued the safety of physical devices and systems instead of the information content itself. For instance, Decree No. 147 clearly states that more emphasis will be placed on maintaining the security of computer information systems in crucial areas such as state affairs, economic construction, national defense construction, and cutting-edge science and technology. Meanwhile, the Decree raises requirements for the security of computer rooms and makes it clear that computer rooms shall comply with national standards and relevant national regulations, and the construction near computer rooms shall not jeopardize the security of computer information systems.
3. The system was still incomplete, and the road remains to be explored
As mentioned earlier, Chinese society was still in the stage of single computer usage, computer networks had not yet come into being, the subsequent development of the network remained unclear, and the potential security risks had not been fully exposed. Owing to these historical limitations, the legal supervision of cyberspace was uncertain and lacked foresight about the increasingly rich Internet application and industry development. To ensure security and the effective enforcement of the supervision system, including Decree No. 147, forward-looking provisions were added to the Decree. While endowing public security units with certain functions and powers, it was prescribed that the Ministry of Public Security may issue special general orders on specific matters concerning the security of computer information systems under emergent circumstances.
1.2 Cyberspace Governance in the View of Social Security (2000–2012)
1.2.1 Legislative Background
At this stage, China was in a dramatic transformation period of increasing development from Web 1.0 to Web 3.0, and early information system and infrastructure construction was gradually accomplished. China began to put a high premium on the application and innovation of the Internet, raising informatization to the national strategic level, in a bid to boost the economy. On May 17, 1995 (World Telecommunication Day), the Ministry of Posts and Telecommunications announced that it would provide Internet access services for all sectors of domestic society and offer a variety of Internet service options.10 Since then, the network has entered the life of countless families, paving the way for the subsequent development and application innovation of the Internet industry. In September 1995, the CPC Central Committee released the Proposal of the Central Committee of the Communist Party of China on Formulating the “9th Five-year” Plan for National Economic and Social Development and the Long-term Goals for the Year of 2010, which listed speeding up the process of national economic informatization as one of the principal tasks of economic growth in the next 15 years. In April 1997, the National Conference on Industry and Informatization adopted the “9th Five-year” Plan for State Informatization Standardization and the Long-term Goals for the Year of 2010 and listed China’s Internet in the construction of national information infrastructure; in October, the
10 Min Dahong: Past and Present of Chinese Internet. https://tech.sina.com.cn/i/w/2004-04-23/0902353403.shtml.
four backbone Internet networks, CHINANET, CSTNet, CERNET and CHINAGBN, were interconnected.11 During this time, three basic telecom service operators, Unicom, Telecom and Mobile, were set up, and the basic telecom market increasingly took shape. The emergence of such new applications and formats as public Internet sites, portals, online games, e-commerce and instant messaging gave rise to new economic growth points. In November 1996, Shihuakai Company opened the first Internet cafe in China, Shihuakai Internet Cafe,12 beside Beijing Capital Gymnasium. In February 1997, InfoHighWay was established, and it was opened in Beijing, Shanghai, Guangzhou, Fuzhou, Shenzhen, Xi’an, Shenyang and Harbin within three months, becoming the earliest and largest private ISP and ICPc in China.13 Since then, JD.COM, the Alibaba Group and Dangdang have been founded in succession. Since 2003, Taobao, a shopping website, AliWangwang, PC-side communication software between buyers and sellers, and Alipay, a third-party online payment platform, have come into being successively, resulting in the rise of e-commerce. In 2000, the Fifth Plenary Session of the 15th CPC Central Committee upgraded informatization to a national strategic level. The meeting adopted the Proposal of the Central Committee of the Communist Party of China on Formulating the “10th Five-year” Plan for National Economic and Social Development. The central government points out that informatization is the major trend of economic and social development in the world today, as well as the key step to promote industry upgrading and fulfill industrialization and modernization in China; it is essential to expedite the application of information technology throughout the national economy and society and give priority to boosting economic and social informatization.
At the end of 2000, China Mobile launched “Monternet”, which opened its existing WAP platform and short message platform to all partners, furnished customers with “one-point access, whole network service”, upgraded the billing system, and built the link between application service providers and users as a customer aggregator.14 The mobile Internet began to sprout. In March 2006, the National People’s Congress released the Outline of the “11th Five-year” Plan for National Economic and Social Development of the People’s Republic of China, which called for actively advancing informatization, insisting on driving industrialization by informatization, advancing informatization by industrialization and raising the level of economic and social informatization; it is required to expedite the informatization of the manufacturing industry, profoundly develop information resources, perfect information infrastructure and intensify information security. In the same month, the General Office of the CPC Central Committee and
11 Memorabilia of China’s Internet Access for 20 Years. http://www.cac.gov.cn/2014-04/20/c_126417746.htm.
12 Memorabilia of Internet from 1994 to 1996. http://www.cac.gov.cn/2009-04/11/c_126500497.htm.
13 Memorabilia of Internet from 1997 to 1999. http://www.cac.gov.cn/200904/12/c_126500441.htm.
14 Twenty Years of Internet in China: 1994–2014. http://www.cac.gov.cn/2014-11/16/c_1113265290.htm.
the General Office of the State Council released the National Strategy for Informatization Development 2006–2020, indicating that after years of development, China’s informatization development has already laid a certain foundation and initiated a new stage of all-round and multilevel advancement. It has become a significant and urgent strategic task in the new stage of China’s economic and social development to seize opportunities, rise to challenges, adapt to the needs of transforming the mode of economic growth and building a well-off society in an all-round way, update development concepts, address development issues, innovate development models and energetically push forward the development of informatization. Simultaneously, online media has developed in leaps and bounds, and information services such as portals, blogs and microblogs have been increasingly promoted and popularized. The status of online media has been recognized at the central level for the first time. In August 1995, the BBS system of “SMTH Station” at Tsinghua University was officially opened. In January 1997, people.cn, sponsored by People’s Daily, was admitted to the Internet and became the first central crucial news and publicity website in China. Fueled by the establishment of Netease, Sohu, Tencent and Sina, portal websites and blog businesses began to rise. In February 1999, Tencent’s Instant Messaging Service (OICQ) was opened, which was interconnected with wireless paging, GSM short messages and IP telephone networks. In November of the same year, the number of QQ users registered was up to 1 million. In 2000, Baidu Company was founded and launched an independent search portal, baidu.com. In August 2002, Blog was launched in China, and “blog” was translated as “博客” for the first time in China. In November of the same year, Jiang Zemin, then President of China, stated: “the Internet develops at an especially fast pace, and it has become a significant part of Chinese news media”. 
This was the first time that the top leaders of the Party and the country have made clear the status of online media. In 2003, Baidu surpassed Google and became the preferred search engine for Chinese netizens. Baidu Tieba, a Chinese community, was launched in the same period. In the second half of 2009, Sina, Tencent, Sohu, Netease and other portals started or tested the Weibo function successively. People’s Weibo, the microblog of people.cn, officially opened its public beta on February 1, 2010. In this context, the network began to give rise to a new type of network social relationship that is relatively independent of the traditional real society, and this kind of network social relationship can be transformed into communication in the real society, even impacting the original social relationship and order, and the network society began to take shape gradually. At this stage, China began to put a high premium on professional discipline education in the Internet domain and pushed forward academic research by holding professional conferences in a bid to create a cybersecurity regulatory ecosystem and to boost China’s Internet development and global influence. At the end of 2000, the Ministry of Education approved the establishment of e-commerce as an undergraduate major in ordinary colleges and universities. In March 2001, the Ministry of Education announced the list of undergraduate majors in colleges and universities registered or approved in 2000, Northern Jiaotong University (Beijing Jiaotong University), Beijing University of Posts and Telecommunications, Xi’an Jiaotong University and other universities were approved to set up the major of e-commerce,
and Central China Normal University and Xi’an Jiaotong University were approved to set up second degrees in e-commerce. In November 2002, the Internet Society of China (ISC) held the first China Internet Conference in Shanghai. Carrying the theme of “Application of Internet - Calling for Innovation”, the conference was the largest conference in China’s Internet industry with the highest level and the richest content. Wu Jichuan, then Minister of Information Industry, said in his speech that the convening of the China Internet Conference symbolized a new stage in the development of China’s Internet industry.15 With regard to security, along with the enforcement of Decree No. 147 and the Classified Criteria for Security Protection of Computer Information Systems (GB17859-1999), the Ministry of Public Security reported to the National Development and Reform Commission to start the Security Classified Protection Project of Computer Information Systems (Project 1110) and organized the Third Research Institute of the Ministry of Public Security, Peking University, Venustech Company and other units and relevant experts to implement and complete the following major projects: Sales License Testing Center of Special Products for Computer Security, Security Classified Protection Evaluation Center of Computer Information Systems, Demonstration Project of Network Identity Authentication, Demonstration Project of System Security Construction, Implementation Administration Measures of Grade Protection System and Strategic Research of Security Protection as well as series of supporting standards. On the other hand, problems such as computer viruses, network attacks, spam, system vulnerabilities, network theft, illegal and harmful information, and cybercrimes have become increasingly prominent worldwide. Since June 1998, a vicious computer virus named “CIH” began to spread on the Internet. 
On August 27 of the same year, computers in dozens of units, such as the Communication Business Department of Beijing Telegraph and Telecommunications Bureau and Beijing Institute of Post and Telecommunications Technology, were paralyzed, which influenced the normal functioning of computer information systems in China. The Ministry of Public Security issued an urgent circular, indicating that CIH virus was the first computer virus found in China to directly attack and destroy hardware systems and was one of the most destructive viruses, requiring all units to take preventive work.16 In 2001, China’s Ministry of Public Security launched an online investigation of computer virus epidemics for the first time. Based on the survey, 73% of the respondents’ computers had been infected with viruses, and 59% of them had been infected with viruses more than three times. Among the infected computer viruses, destructive malignant viruses make up 43%, and the transmission proportion through e-mail and networks was gradually on the rise.17 At the end of 2006, a virus called “Nimaya” ravaged the Internet. Owing to its automatic transmission, automatic infection of
15 The First China Internet Conference was Convened in Shanghai. http://www.cntv.cn/lm/522/41/69059.html.
16 Jun [2].
17 Jian [3].
hard disks and powerful destructive capability, the virus quickly infected millions of computers throughout the country, and many enterprises were not spared. In 2001, after the Sino-US plane collision incident, a “hacker” war broke out between the two countries. In just six days, China’s honker captured over 1600 US websites, including over 900 government and military websites. Over 1100 websites in China were also captured, including more than 600 major websites.18 In addition, there was a raging and global influence of computer viruses such as Stuxnet, suggesting that it was insufficient to simply emphasize computer hardware security and physical isolation. Moreover, it is difficult to set up a comprehensive information security system only by emphasizing public power intervention after crime punishment, which poses a new challenge to the cybersecurity rule of law in China. Simultaneously, thanks to the rise of social media platforms such as blogs and microblogs, the ways and means for people to voice their opinions via the Internet have become diverse to a further extent. However, owing to the anonymity of the network and the fact that the network identity management system has not yet been set up, incidents such as insulting, slandering and infringing upon intellectual property rights via the network occur from time to time. Since 2006, the first case of blog vs. blog, the first case of blog sexual harassment, and the first case of “cyber manhunt” have occurred one after another. With the rise of online media, it has become a vital issue to protect personal privacy, reinforce the identity management of network users, enhance the responsibility of network operators and purify cyberspace. In July 2001, Jiang Zemin, then President of China, delivered a vital address, indicating that it is essential to further study and take practical and effective measures to ensure the information security of the country as well as other issues. 
While reinforcing the construction of cybersecurity systems, more importance should be attached to doing well in information network management and boosting the rapid and healthy development of information networks by making full use of legal means.19 Under the new circumstances, how to effectively prevent and combat cyber terrorism, cybercrimes, cyber-attacks and information disclosure, as well as the spread of illegal and harmful information on the Internet, has become an urgent task facing legislation, law enforcement and judicial departments. Furthermore, while cracking down upon computer crimes, problems such as how to quantify the severity of crimes, the force of law of electronic evidence and electronic data, and the procedures of collecting evidence have increasingly become prominent. Specialized teams await to be set up urgently, and procedural legislation such as the Criminal Procedure Law of the People’s Republic of China (hereinafter referred to as Criminal Procedure Law) and the Civil Procedure Law of the People’s Republic of China (hereinafter referred to as Civil Procedure Law) await to be revised and perfected.
18 Remember the Hacking War between China and the United States in 2001? Honker, China Honker VS American Hacker. https://baijiahao.baidu.com/s?id=1609648389901382197&wfr=spider&for=pc.
19 Jiang Zemin Talked about Boosting the Rapid and Healthy Development of Information Networking. http://www.chinanews.com/2001-07-11/26/104229.html.
In April 2003, the General Office of the State Council released the Legislative Plan of the State Council for the Year of 2003, which listed the network information security regulations (drafted by the State Council Informatization Office) as the laws and administrative regulations that await to be worked out and revised to maintain social stability and public security. To carry out this plan, the State Council Informatization Office entrusted Associate Professor Ma Minhu from the School of Humanities of Xi’an Jiaotong University at that time to conduct research on issues associated with network information security regulations. However, restricted by historical conditions, these regulations were not formally promulgated or enforced. Although comprehensive legislation had not yet been promulgated, the governance of network society security at this stage shall include two meanings: first, the self-security of network society, which chiefly refers to the security of equipment, facilities, network and environment in network society, guaranteeing operation security and data security, and ensuring the normal functioning of network functions; second, the security relationship with the real society, avoiding the hazards posed by the network society, which chiefly refers to the legality of the dissemination contents, guaranteeing that the network is not abused arbitrarily, and maintaining the normal social order and public interests. In a general sense, the extension of the security of network society covers four aspects: I. entity security, which refers to protecting the environment, equipment and facilities of the network from man-made or accidental accidents; II. operation security, which refers to ensuring the smooth running of network information processing; III. data security, which refers to guaranteeing the integrity, confidentiality, and availability of information; IV. content security, which refers to ensuring the legitimacy of the content carried by the network transmission information.
1.2.2 Legislative Process
For China’s legislation at this stage, security and development still coexisted simultaneously. With respect to economic construction, unlike the comprehensive access to international networking resources in the early stage, China set out to concentrate on specific industries and impose restrictions on access to certain Internet industries. It successively promulgated the Regulations on Telecommunications of the People’s Republic of China (hereinafter referred to as the Regulations on Telecommunications), the Measures for the Administration of IP Address Archiving and the Regulations on the Administration of Business Sites of Internet Access Services, etc., which regulate telecommunications services, IP address allocation and business premises of Internet access services. Apart from that, considering the gradual integration of the Internet and the entity industry, China has adopted the Electronic Signature Law of the People’s Republic of China (hereinafter referred to as the Electronic Signature Law), the Electronic Payment Direction (No. 1) and their supporting systems to optimize resource allocation in the new technology domain.
Overall, cybersecurity laws and standards of this stage weakened the sense of “management” and underlined the “standardization” of the procedure. They were mostly aimed at boosting the healthy development of the Internet industry, telecommunications industry, network information service industry and other sectors, as well as safeguarding the legitimate rights and interests of the state, society, and citizens. On the one hand, the legislation at this stage emphasized information security and strengthened information security through various means; on the other hand, as new technologies and new applications came into being, the governance field was continuously expanded, presenting a trend of wide coverage and diversified objects. Specifically, the cybersecurity legislation construction in this stage chiefly emphasized the following aspects:
1.2.2.1 Limited Access
At this stage, China increasingly expanded from the single management of international network access to the distribution rules of all types of basic Internet resources, such as telecommunication services, network information services and Internet IP addresses. On the part of telecommunications services, in September 2000, to standardize the order of the telecommunications market and assure the security of telecommunications networks and information, the State Council promulgated the Telecommunication Regulation of the People’s Republic of China (hereinafter referred to as the Telecommunication Regulation) (Decree No. 291), which restricted telecommunications activities and telecommunications-related activities in China. Decree No. 291 specifies that the state establishes a licensing system for telecommunications business according to the different categories of business. Telecommunications businesses include basic telecommunications businesses and value-added telecommunications businesses. Specifically, anyone who intends to be engaged in basic telecommunications business shall be approved by the competent department of the information industry of the State Council and obtain a Business License for Basic Telecommunications Business. When examining the application for operating basic telecommunication business, the competent department of information industry of the State Council shall take into consideration such factors as State security, telecommunication cybersecurity, sustainable utilization of telecommunication resources, environmental protection and competition of the telecommunication market. In September 2000, the State Council also issued the Regulation on Internet Information Service of the People’s Republic of China (Decree No. 292), which defines the rules for market access to Internet information services. Decree No. 292 classifies Internet information services into two categories: profitable Internet information services and nonprofitable Internet information services. The state carries out a licensing system for profitable Internet information services and a filing system for nonprofitable Internet information services. Anyone who does not obtain a license for profitable Internet information services or files for recording nonprofitable Internet information services shall not be engaged in such activities.
Upon promulgation of Decree No. 291, China intensively introduced a series of regulations on telecommunication services. The Interim Measures for the Supervision and Administration of Telecom Service Quality specify that the tasks of supervision and administration over the quality of telecom services are to carry out administration, supervision and inspection over the quality of the telecom services offered by the telecom operators, to supervise the implementation of the standards for telecom services, and to punish acts injuring the lawful rights and interests of the users. The Provisions on the Management of Interconnection between Public Telecommunication Networks make clear that telecommunication service operators shall not refuse the interconnection requirements raised by other telecommunication service operators or violate the relevant State provisions by restricting, without authorization, users from choosing the telecommunication business opened by other telecommunication business operators in accordance with the law. The Administrative Measures for the Network Access of Telecommunications Equipment clarify that the State shall carry out the network access licensing system for telecommunication terminal equipment, radio communication equipment and telecommunication equipment involving interconnection between networks. Telecom equipment implementing the network access licensing system must gain the network access license issued by the Ministry of Industry and Information Technology.
Measures on the Settlement of Disputes over Interconnection of Telecommunications Networks clearly specify that if there is any dispute over interconnection between telecommunications networks, both parties shall negotiate to settle the dispute; if the negotiation has failed, either of them may apply to the Ministry of Industry and Information Technology or the Communications Administration of the province, autonomous region or municipality directly under the Central Government for coordination; if the coordination has failed, the competent telecommunications department shall make an administrative decision; either party refusing to accept the administrative decision may, in accordance with the law, apply for administrative reconsideration or file an administrative litigation. The Measures for the Administration of Telecommunication Construction specify that the Ministry of Industry and Information Technology shall supervise and manage the construction of public telecommunication networks, private telecommunications networks and transmission networks. The Measures for the Administration of Code Number Resources in Telecommunication Networks clearly state that code number resources belong to the State, and the State carries out the system of paid use of code number resources. In addition, the state implements the approval system for the use of code number resources. The Telecommunications Service Specification clarifies the basic quality requirements that telecom service operators shall meet when offering telecommunications services. The Measures for the Administration of Permits for Operation of Telecommunication Business specify that the telecommunication business may be operated only after a business permit has been obtained from the telecommunication administrative department according to law. 
In the operation of the telecommunication business, a telecommunication operator shall abide by the provisions of its business permit and accept and cooperate in the supervision and administration conducted by the telecommunication administrative department.
At this stage, the Ministry of Industry and Information Technology reinforced the management of service charges and charging behaviors of the mobile information service industry. In July 2002, the State Development Planning Commission and the Ministry of Industry and Information Technology issued the Provisions on Marking Clearly the Prices of Telecommunications Services, which made it clear that telecommunication business operators shall follow the principles of openness, fairness and honesty and credibility and comply with the laws, regulations and policies concerning price affairs. In June 2006, the Ministry of Industry and Information Technology launched special campaigns to rectify and standardize the tariffs and charges of mobile information services.20 During the special campaign, the Ministry of Industry and Information Technology released the Notice on Regulating Service Fees and Charges of Mobile Information Service Industry, which prescribed that telecommunication enterprises shall be responsible for the accuracy of billing and charging of mobile information service industry, and shall respect users’ right to choose independently, to know and to trade fairly in the course of service use and charging. When users complain to basic telecommunication enterprises about the service tariffs and charges of mobile information services, the basic telecommunication enterprises shall be responsible for properly handling them and carrying out the “first-inquiry responsibility system”. With respect to international communication access, in June 2002, the Ministry of Industry and Information Technology issued the Measures for the Administration of International Communication Accesses and the Administrative Regulations on the Construction of International Communication Facilities. 
Specifically, the Measures for the Administration of International Communication Accesses clarify that international communication accesses (hereinafter referred to as “ICAs”) may be divided into three categories: international communication channel accesses, international communication business accesses and frontier international communication accesses. The power to approve and supervise the establishment of ICAs shall remain with the Ministry of Information Industry. The establishment of an ICA shall be applied for by a wholly state-owned telecommunication business operator who shall undertake the operation and maintenance of the ICA. Without the approval of the Ministry of Information Industry, no entity or individual shall establish an ICA in any form. Provisions on the Administration of Construction of International Communication Facilities stipulate that whoever constructs international transmission networks and international communication channel accesses must have the power of management of international communication infrastructure. Whoever constructs international communication service accesses and border international communication accesses must have the power to manage international communication services.
With respect to network information services, the Measures Regarding the Administration of Drug Information Service over the Internet classify Internet drug information services into operational and nonoperational categories. Websites that intend to render Internet drug information services shall first gain the qualification of providing Internet drug information services upon examination and approval and then apply to the relevant departments for business licenses or filing procedures. The Measures for the Administration of the Recordation of Nonoperational Internet Information Services specify that anyone offering nonoperating network information services in China shall fulfill the filing procedures in accordance with the law. Without filing, it is not allowed to engage in nonoperating Internet information services in China. The Administrative Regulations on Internet Audio-Visual Program Service clearly specify that to engage in Internet audio-visual program services, it is necessary to gain the Permit for Spreading of Audio-Visual Programs through Information Network issued by the competent department of radio, film and television or handle the archive-filing formalities.
20 Special Rectification and Standardization of Tariffs and Charges for Mobile Information Services. http://www.gov.cn/ztzl/315/content_549953.htm.
Regarding other resource allocation, in June 2002, a fire broke out in the “Lanjisu” Internet Cafe in Haidian District, Beijing, killing 25 people and injuring 12 others. The security and supervision of Internet cafes aroused further concern. In September of the same year, the State Council released the Regulations on the Administration of Business Sites of Internet Access Services (Decree No. 363), which clarify that the State applies a permission system with respect to the operating entities, and the departments of cultural administration, public security, industry and commerce administration, telecommunication administration and other relevant departments shall, within their respective scope of duties, supervise and administer the operating entities in accordance with the present regulations, and the relevant laws and administrative regulations. In February 2005, the Ministry of Industry and Information Technology issued the Measures for the Administration of IP Address Archiving, which applies archival administration to the assignment and use of Internet IP addresses. 
In February 2008, the State Bureau of Surveying and Mapping, the Ministry of Foreign Affairs and the Ministry of Public Security released the Opinions on Strengthening the Supervision of Internet Mapping and Geographic Information Service Websites, requiring strict enforcement of the market access system for Internet mapping and geographic information service activities. Entities engaging in Internet map compilation activities must be examined and approved by the administrative department of surveying and mapping under the State Council and obtain the corresponding qualification certificate of surveying and mapping. Entities engaging in Internet map publishing activities shall be examined and approved by the press and publication department under the State Council and gain an Internet publishing license.
1.2.2.2 Preliminary Integration with Industry
In March 1998, Wang Keping, who worked in the media, purchased 10 h of online time from 21 Vianet Company by logging into the website of Bank of China and finished the payment of the first online electronic transaction in China,21 and B2C and C2C online transaction modes increasingly emerged.
21 Twenty Years of Internet in China: 1994–2014. http://www.cac.gov.cn/2014-11/16/c_1113265290.htm.
At the beginning of the development of e-commerce, the first thing to be solved was the validity of electronic contracts and electronic signatures. China passed the Electronic Signature Law in 2004, which validates the legal effect of electronic signatures and electronic data. The law makes it clear that, except under certain circumstances, for any instrument where the parties agree to use electronic signature or electronic data, the legal effect of the document may not be denied solely because of the electronic form of the signatures or of the data. Electronic data to be used as evidence may not be denied solely because they are produced, sent, received or stored by electronic, optical, magnetic or similar means. Reliable electronic signatures should be equally authentic as handwritten signatures or seals with respect to the force of law. In January 2005, the General Office of the State Council issued the Several Opinions on Accelerating the Development of E-commerce, making it clear that the development of e-commerce is a significant measure to drive industrialization by informatization, change the mode of economic growth, enhance the quality and efficiency of the national economy and take a new road of industrialization, which is of enormous significance to fulfill the grand goal of building a well-off society in an all-round way. It is required to perfect the environment of policies and regulations and standardize the development of e-commerce; step up the preparation of e-commerce development plans; conscientiously carry out the Electronic Signature Law, and firmly grasp the study of laws and regulations on electronic transactions, credit management, security certification, online payment, taxation, market access, privacy protection, information resource management, etc. 
To cope with the problems incurred by the rise of electronic payment tools and standardize and guide the healthy development of electronic payments, the People’s Bank of China released the Electronic Payment Direction (No. 1) in October 2005, making it clear that electronic payment instructions and paper payment vouchers can be mutually converted, and both have the same effect. In January 2006, the Measures for the Administration of Electronic Banking issued by the China Banking Regulatory Commission clearly stated that upon approval of the China Banking Regulatory Commission, financial institutions may start the E-banking business in China, furnish E-banking services to domestic enterprises, residents and other customers, and launch cross-border E-banking services in accordance with the relevant provisions of these measures. In June 2007, the National Development and Reform Commission and the State Council Informatization Office released the “11th Five-year” Plan for e-commerce Development, indicating that China’s e-commerce initiates a period of vigorous development opportunities. It is necessary to further standardize corporate behavior, maintain market order and facilitate mutual cooperation and the development of e-commerce among enterprises in accordance with relevant laws and regulations of e-commerce. To carry out the third-party certification system in electronic signatures, in February 2005, the Ministry of Industry and Information Technology issued the Measures for the Administration of Electronic Certification Services for the first time to regulate electronic certification services and supervise and administer electronic certification service providers. In 2010, the People’s Bank of China issued the Measures for the Administration of the Payment Services Provided by Nonfinancial Institutions and the Detailed Rules for the Implementation of Administrative Measures for the Payment Services Provided by Nonfinancial Institutions. The measures make it clear that to provide payment services, a nonfinancial institution shall obtain a payment business permit under these measures and become a payment institution. Payment institutions shall have the essential technical means to ensure the integrity, consistency and nonrepudiation of payment instructions, the timeliness and accuracy of payment business processing and the security of payment business; and have the capability of disaster recovery and emergency treatment to ensure the continuity of payment business.
With respect to online games, legislation at this stage first concentrated on the illegal and criminal acts of gambling by taking advantage of online games. In January 2005, the General Administration of Press and Publication released the Notice on Prohibiting the Use of Online Games to Engage in Gambling Activities, clearly stating that all online game R&D and publishing institutions shall not develop, publish and operate all types of gambling games or disguised gambling games. All online game publishing and operating units shall not furnish platforms, tools or services for all types of online gambling games and other gambling activities in any name or form. 
In January 2007, the Ministry of Public Security, the Ministry of Industry and Information Technology, the Ministry of Culture and the General Administration of Press and Publication released the Notice on Regulating the Operation Order of Online Games and Prohibiting the Use of Online Game Gambling, demanding standardization of the operation behavior of the online game industry, organization of centralized clean-up work, cracking down upon gambling activities using online games in accordance with the law, organization of three-month special work nationwide to standardize the operation order of online games and banning the use of online gambling games. In addition, the legislation at this stage clarified the legal status of virtual currency in online games. In August 2003, online game player Li Hongchen filed a lawsuit against Beijing Science and Technology Development Co., Ltd., the operator of the online game Red Moon, in Chaoyang District People’s Court of Beijing. This was the first case in China in which a game player filed a lawsuit against a game company for the loss of virtual equipment, which resulted in the definition of network virtual property.22 In February 2007, the Ministry of Culture and 14 other ministries and commissions jointly released the Notice on Further Strengthening the Administration of Internet Cafes and Online Games to regulate virtual currency transactions in online games. The notice clearly stated that the People’s Bank of China shall consolidate the regulation and management of virtual currency in online games. If consumers need to redeem virtual currency into legal tender, the amount shall not be more than the original purchase amount, and it is strictly prohibited to resell virtual currency. In October 2008, the State Taxation Administration of the People’s Republic of China made an official reply, saying that the income acquired by individuals purchasing players’ virtual currency through the Internet and selling it to others by increasing the price shall belong to the taxable income of personal income tax, which shall be calculated and paid based on the item of “income from property transfer”. In June 2009, the Ministry of Culture and the Ministry of Commerce released the Notice on Strengthening the Administration of Virtual Money in Online Games, clearly stating that cultural administrative departments shall strictly control market access and reinforce the management of issuers and transaction service providers of virtual money in online games. Online game operators are not allowed to distribute game props or virtual currency by random means such as drawing lots, betting, etc. on the premise that users directly invest cash or virtual currency.
22 Memorabilia of Internet from 2002 to 2003. http://www.cac.gov.cn/2009-04/14/c_126500426.htm.
Finally, in this stage, an anti-addiction system for minors’ online games was built and planned. Since June 2005, the General Administration of Press and Publication has organized relevant departments and major online game operators to develop and build an online game anti-addiction system. In March 2006, the development of the system was basically accomplished, and trial operation began. In April 2007, the General Administration of Press and Publication, the Office of the Advisory Committee of the Central Spiritual Civilization Construction, the Ministry of Education and other departments released the Notice on Implementing the Anti-addiction System of Online Games to Protect the Physical and Mental Health of Minors, deciding to carry out the anti-addiction system of online games in the whole country and requiring all online game operators to develop and set up the anti-addiction system of online games strictly in line with the requirements. 
In July 2011, the General Administration of Press and Publication, the Office of the Advisory Committee of the Central Spiritual Civilization Construction, the Ministry of Education and other departments released the Notice on Launching the Real-name Authentication for Anti-addiction of Online Games, deciding to launch the real-name verification of anti-addiction of online games nationwide, specifying that the National Citizen ID Number Enquiry Service Center under the Ministry of Public Security shall undertake the real-name verification of anti-addiction of online games, and requiring online game operators to spare no efforts to do all the relevant work of real-name verification of anti-addiction of online games.
1.2.2.3 Self-Security
During this time, the state attached importance to protecting the network’s own security and expediting policy legislation on classified protection of information security, information security guarantees, fighting cybercrimes, identity management of network users and personal information protection. In terms of classified protection of information security, to further carry out the system of classified protection of information security established by Decree No. 147, China has successively released the Opinions of the State Informatization Leading Group on Strengthening Information Security Guarantee (Z.B.F. [2003] No. 27), the Implementation Opinions on Classified Protection of Information Security (G.T.Z. [2004] No. 66), the Measures for the Administration of Classified Protection of Information Security and other policies and regulations, to refine the system requirements.
In 2003, China released the Opinions of the State Informatization Leading Group on Strengthening Information Security Guarantee (Z.B.F. [2003] No. 27, referred to as Document No. 27), making the protection of information security level the top priority of the national information security work. Document No. 27 stated that although China’s information security work had achieved marked results, there were still some problems, such as low protection level, backward crucial technologies as a whole, imperfect information security laws, regulations and standards, etc. To this end, Document No. 27 put forward ten requirements: enforcing classified protection of information security; strengthening the rule of law system and standardization of information security; consolidating the leadership of information security; and setting up and perfecting the management responsibility system of information security. Specifically, it was proposed to insist on the policy of active defense and comprehensive prevention, comprehensively balance security costs and risks, promote research on information security theory and strategy, step up the study and drafting of the Information Security Law, and build and perfect the legal system of information security. To further carry out the system of classified protection of information security established by Decree No. 147 and Document No. 27, in September 2004, the Ministry of Public Security, the National Administration of State Secrets Protection, the Office of the State Encryption Administration Commission and the State Council Informatization Office released the Implementation Opinions on Classified Protection of Information Security (G.T.Z. [2004] No. 66, referred to as Document No. 66). 
Document No. 66 stated that the focus of classified protection of information security is to classify information security and construct, manage and supervise it in line with the standards. Document No. 66 clarifies that China plans to carry out the system of classified protection of information security nationwide in three stages in about three years, respectively as below: ➀ preparation stage: before the full enforcement of the classified protection system, it takes about one year to make preparations, including speeding up the perfection of laws, regulations and standard systems, and stepping up the development of the Measures for the Administration of Classified Protection of Information Security and the Implementation Guide for Classified Protection of Information Security and Guidelines for the Evaluation of Classified Protection of Information Security as well as other laws and regulations; ➁ stage of crucial enforcement: while doing well in the preparatory work, it will take about one year to carry out the classified protection system in the basic information networks and vital information systems that are chiefly protected by the State and involve national security, economic lifeline and social stability; ➂ stage of full enforcement: based on the trial work, it will take approximately one year to fully carry out the system of classified protection of information security throughout the country.
After the publication of Document No. 66, the preparatory stage of classified protection of information security in China and legislative thinking increasingly changed from placing emphasis on the classified protection of information security products to focusing on protecting information systems. To make good preparations and smoothly advance the system of classified protection of information security into the stage of crucial enforcement, in June 2007, the Ministry of Public Security, the National Administration of State Secrets Protection, the State Cryptography Administration and the State Council Informatization Office jointly issued the Measures for the Administration of Classified Protection of Information Security, clarifying that the national classified protection of information security insisted on the principle of independent classification and protection, and came up with two factors influencing the rating of information security protection levels: the significance of information systems in national security, economic construction and social life; the damage degree of information system to national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other institutions after being destroyed; and based on the above factors, the security protection level of information systems was classified into five levels from low to high. In July of the same year, the Ministry of Public Security, the National Administration of State Secrets Protection, State Cryptography Administration and the State Council Informatization Office released the Notice on Carrying out the Rating of Security Classified Protection of Important Information Systems throughout the Country, clearly stating that the four departments would organize the rating of security levels of vital information systems nationwide from July to October 2007. 
The designated vital information systems include basic information networks, vital information systems, important websites and office information systems of party and government organs at or above the city (prefecture) level, and information systems involving state secrets. In October of the same year, the Ministry of Public Security released the Detailed Rules for the Implementation of Filing of Classified Protection of Information Security, offering guidance for the filing of information systems above the second level not involving state secrets. These rules clearly specify that the public security unit shall order rectification within a time limit based on Decree No. 147 and other relevant laws and regulations; if it is still not filed within the time limit, the organ shall issue a warning and notify its superior competent department.
Information security. Decree No. 291 requires telecom service operators to build and perfect the internal security system and carry out the security responsibility system in accordance with the relevant national regulations on telecommunications security. In the design, construction and operation of telecommunication networks, telecommunication service operators plan, construct and operate synchronously with the needs of national security and telecommunication cybersecurity. Decree No. 292 requires network information service providers and Internet access service providers to keep data and assist law enforcement obligations, keep relevant records for 60 days, and furnish such records when the relevant state authorities inquire in accordance with the law.
In December 2005, the Ministry of Public Security released the Regulations on Technical Measures for Internet Security Protection, requiring Internet service providers and units using the network to fulfill the following basic obligations: (1) technical measures to prevent computer viruses, network intrusion, attack and destruction, and other matters or behaviors that endanger cybersecurity; (2) redundant backup measures for important databases and main equipment of the system; (3) technical measures to record and keep user login and exit time, calling number, account number, Internet address or domain name, and system maintenance log; (4) other technical measures for security protection that shall be enforced as prescribed by laws, regulations and rules. On this basis, higher security requirements were established for the units rendering Internet access services, units rendering Internet information services, units rendering Internet data center services, units using networking, and units rendering Internet access services. In February 2006, the Ministry of Industry and Information Technology issued the Measures for the Administration of Internet E-mail Services, requiring Internet E-mail service providers to record the sending or receiving time of Internet e-mails sent or received by their e-mail servers and the Internet e-mail addresses and IP addresses of senders and receivers. The above records shall be kept for 60 days and shall be provided to the relevant state organ at the time of lawful inquiry. Internet e-mail service providers are also required to consolidate the security management of e-mail service systems and take prompt security precautions after cybersecurity vulnerabilities are discovered.
Cracking down upon cybercrimes. In December 2000, China released the Decision of the Standing Committee of the National People’s Congress on Safeguarding Internet Security, identifying a series of acts endangering the safety of Internet operation, threatening national security and social stability, threatening the order of socialist market economy and social management, and infringing on the legal rights of individuals, legal persons and other institutions by using the Internet as offences. Those who conduct an offence will bear the responsibility for their crimes in accordance with the Criminal Law. In February 2009, the Amendment (VII) to the Criminal Law of the People’s Republic of China was passed, and two paragraphs were added as the second and third paragraphs in Article 285 of the Criminal Law, namely, the crime of illegally accessing the data of computer information system, illegally controlling computer information system and the crime of offering programs and tools for invading and illegally controlling computer information system.
Identity management of network users. To strengthen the management of network users, restrict network behaviors and purify network space, in December 2012, the Standing Committee of the National People’s Congress adopted the Decision of the Standing Committee of the NPC on Strengthening the Protection of Network Information, requiring the establishment of a network identity management system, commonly known as the “real-name registration system”, and explicitly requiring network service providers to take technical measures and other essential measures to ensure information security and strengthen the management of information disseminated by users.
1.2 Cyberspace Governance in the View of Social Security (2000–2012)
1.2.2.4 Content Security
Fueled by the rise of communication platforms such as portals, chat rooms and micro blogs, the channels through which netizens may gain and send information from the Internet have been further expanded, the social influence of online media has been significantly enhanced, and the value of public opinion supervision on the Internet has become prominent with each passing day. Several incidents, such as “hide-and-seek”, “sting operation”, “Fang Zhouzi’s counterfeiting” and “Li Gang’s son drunk driving and causing casualties”, have aroused widespread concern in society through the Internet. Meanwhile, false information and illegal and harmful information appear in large numbers on the Internet. In December 2000, the Ministry of Culture, the State Administration of Radio, Film, and Television, All-China Students’ Federation, State Informatization Promotion Office, China Telecom and China Mobile jointly launched the “Network Civilization Project”. At the launching ceremony, the then Vice Minister of Culture mentioned that from November 1999 to June 2000, the Ministry of Culture found through investigation that there existed many problems in the content of some domestic websites, and that the online behavior of netizens also awaited standardization.[23] To avoid further deterioration of the content ecology of network information, standardize network information services and purify cyberspace, China intensified the governance of information content at this stage, which mostly involved relevant legislation. Decree No. 291 and Decree No. 292 both specify the information contents that are produced, copied, published and disseminated by the telecommunication network. Specifically, adopting the method of “listing miscellaneous”, Decree No. 292 clarifies nine types of information that network information service providers are not allowed to produce, copy, publish and disseminate, commonly known as the “Nine Prohibitions”.
[23] China’s “Network Civilization Project” Officially Started. http://www.chinanews.com/2000-1207/26/60183.html.
These types of information can be chiefly classified into the following three categories: (1) information that endangers national security, including those opposing the basic principles determined by the constitution; endangering national security, revealing state secrets, subverting state power and undermining national unity; harming the honor and interests of the State; inciting national hatred and discrimination and undermining national unity; destroying the national religious policy and publicizing the information of cults and feudal superstitions; (2) information that endangers social stability and order, including those spreading rumors, disrupting social order and undermining social stability; spreading obscenity, pornography, gambling, violence, murder, terror or abetting crime; (3) information that infringes on personal rights and other private rights, including those insulting or slandering others and infringing on others’ reputation, privacy, intellectual property rights and other legitimate rights and interests. To regulate the news publishing business on Internet websites, the State Council Information Office and the Ministry of Industry and Information Technology jointly released the Interim Regulations for Administration of Internet Websites’ Publishing
1 40 Years of China’s Legal Construction in Cybersecurity
News in November 2000, clarifying that Internet websites legally established by central news institutions, news institutions of central state organs and departments, and news institutions directly in the provinces, autonomous regions and municipalities directly under the Central Government, where the people’s governments of provinces and autonomous regions are located, may engage in news publishing business upon approval. Other news institutions shall not set up news websites separately but may set up news webpages in news websites established by central news institutions or news institutions directly under provinces, autonomous regions and municipalities directly under the Central Government to engage in news publishing business upon approval. In 2003, Sun Zhigang, a young man from Hubei Province, was taken in and beaten to death ➀, indicating that the influence of online media in China was rising and that the governance of information content was becoming more critical. In September 2005, the State Council Information Office and the Ministry of Industry and Information Technology released the Regulations for the Administration of Internet News Information Services for the first time, regulating Internet news information services, requiring Internet news information service providers to insist on the direction of serving the people and serving socialism, and adhere to the correct guidance of public opinions. The Administrative Regulations on Internet Audio-Visual Program Service promulgated in December 2007 clearly specify that in the event of finding that an Internet-based audio-visual program service provider transmits any audio-visual program that violates these provisions, the competent department of radio, film and television shall take necessary measures to stop the act.
The Internet-based audio-visual program service provider shall immediately delete the audio-visual program that violates these provisions, keep the relevant records, perform its reporting obligation and implement the administrative requirements of the relevant competent department. Major investors and operators of Internet-based audio-visual program service providers shall be responsible for the contents of audio-visual programs that are broadcasted and uploaded. In December 2011, the Ministry of Industry and Information Technology issued the Several Provisions on Regulating the Market Order of Internet Information Services, which restricted a series of market behaviors of network information service providers, including not infringing on the legitimate rights and interests of users and other network information service providers and raising requirements for bundled software, pop-up advertisements, collection and storage of personal information, system security protection, etc. If Internet information service providers conduct software downloading, installation, running, upgrading, uninstalling, and other such operations, they should provide clear and complete information on the functions of the software and obtain prior consent from the users.
➀ On March 20, 2003, Sun Zhigang, a young man from Hubei Province, was taken in and beaten to death in Guangzhou. The incident was first exposed by local newspapers and media, and the major online media in China actively intervened, which aroused widespread concern in society. The Internet played a powerful role in media supervision and urged relevant departments to resolve the case. On June 20, the State Council promulgated the Measures for the Administration of Relief for Vagrants and Beggars without Assured Living Sources in Cities and simultaneously abolished the Deportation Measures for Urban Vagrants and Beggars.
1.2.3 Legislative Assessment
Unlike the security governance stage of network tools, which emphasized solving the problem of growing out of nothing, China’s legal construction in cybersecurity was more comprehensive at this stage, and the two-way promotion of economic and social development and legal construction was embodied to some degree. On the one hand, the application of the Internet became increasingly extensive, and informatization construction sped up. Legislation was required to rationally allocate market resources and respond to the actual needs of economic growth; on the other hand, computer viruses, spam and other security issues became apparent, and the establishment of microblogs and other platforms gave a false impression that cyberspace is a “land beyond law”. While reinforcing security legislation, it was also essential to manage and restrict user identity and network behavior.
1.2.3.1 Improve Market Access and Boost Industrial Development
As three basic telecom service operators were set up and portals, microblogs and other platforms sprang up, China’s demand for optimal allocation of market resources was no longer confined to the field of international networking. At this stage, represented by Decree No. 291 and Decree No. 292, China set up licensing or filing systems in the telecommunications market, network information service market, Internet service business premises and other areas to improve market access. In the meantime, along with the rise of e-commerce, with a view to stimulating the development of industry and making the digital economy prosper, it was essential to promptly confirm the legal force of electronic contracts, electronic signatures and data messages, and to confirm the evidential position of electronic data in procedural law. Thus, China promulgated the Electronic Signature Law and revised the Criminal Procedure Law, the Civil Procedure Law and the Administrative Procedure Law of the People’s Republic of China (hereinafter referred to as the Administrative Procedure Law) and listed electronic data as one of the types of evidence.
1.2.3.2 Security Issues Prominent, and Legislative Guarantees Highlighted
At this stage, computer viruses, network attacks, spam, system vulnerabilities, network theft, network crimes and other problems became increasingly prominent, threatening social and national security as a result. Therefore, on the one hand, China enforced the security classified protection system and intensified technical measures through Document No. 27, the Regulations on Technical Measures for Internet Security Protection, Measures for the Administration of Classified Protection of Information Security and other regulatory documents. On the other hand, China brought a series of acts endangering computer security into the regulation system of Criminal Law and strengthened the post-punishment of computer crimes via the Decision of the Standing Committee of the National People’s Congress on Safeguarding Internet Security and the Amendment (VII) to the Criminal Law of the People’s Republic of China. Furthermore, cyber citizens voiced their opinions freely through the Internet, and the illusion of unfettered expression in virtual space resulted in distortion of network information content, which awaited urgent elimination. On the one hand, China set up an identity management system through the Decision of the Standing Committee of the NPC on Strengthening the Protection of Network Information and restricted the identity of netizens through a real-name registration system; on the other hand, Decree No. 291, Decree No. 292 and other laws and regulations emphasized the responsibilities of network information service providers in information content management and clarified the types of information that netizens may not produce, copy, publish and disseminate through telecommunication networks, thus restricting netizens’ behaviors.
1.2.3.3 Legislation Fragmented and Lack of Coordination and Integration
At this stage, various departments, including the Ministry of Industry and Information Technology, the State Council Information Office, and the Ministry of Public Security, consolidated the legislation associated with cybersecurity within their respective functions and powers and launched interdepartmental law enforcement actions, which played a certain role in regulating and guaranteeing Internet application and economic growth. However, owing to the separation of departments and the lack of overall coordination, the legislative system was comparatively scattered and disorganized, the responsibilities of supervisory departments were unclear, the situation of multidepartmental management was relatively serious, and the standardization of administrative responsibilities lacked unified guidance. In November 2013, in the explanation of the Decision of the Central Committee of the Communist Party of China on Several Major Issues of Comprehensively Deepening Reform made at the Third Plenary Session of the Eighteenth Central Committee of the Communist Party of China, General Secretary Xi Jinping stated that, “from a
practical point of view, facing the vigorous development of Internet technology and application, there exist obvious drawbacks in the current management system, chiefly multihead management, overlapping functions, inconsistent powers and responsibilities and low efficiency. Meanwhile, along with the increasingly stronger attributes of Internet media, online media management and industrial management were far behind the development and changes of the situation. Especially in the face of the vigorous growth of users of social networks and instant messaging tools, such as microblogs and WeChat, which are characterized by fast dissemination, enormous influence, wide coverage and strong social mobilization capability, it has become a realistic outstanding problem facing us on how to reinforce the construction of legal construction of networks and the guidance of public opinions to ensure the order of network information dissemination, national security and social stability.”[24] Apart from that, driven by the “Stuxnet” virus incident in Iran’s nuclear power plant and the power outage incident in Venezuela, cybersecurity increasingly rose to the level of national security. However, China still lacked unified basic legislation at the national level, and it was difficult to support and guarantee cybersecurity only by means of extended legislation, such as the decision of National People’s Congress, the Criminal Law and the Law on Penalties for Administration of Public Security, as well as administrative regulations and departmental regulations, such as Decree No. 147, Decree No. 291 and Decree No. 292.
[24] Explanation on the Decision of the Central Committee of the Communist Party of China on Several Major Issues of Comprehensively Deepening Reform. http://cpc.people.com.cn/xuexi/n/2015/0720/c397563-27331312.html.
1.3 Cyberspace Governance in the View of National Security (2013–2020)
1.3.1 Legislative Background
Driven by the “Internet+” wave, the network was profoundly integrated with all areas of society, and new-generation information technologies such as cloud computing and big data eliminated the stale and brought forth the fresh. The network increasingly surpassed its “tool” value, cyberspace increasingly became a new territory in which countries compete, and cybersecurity rose to the height of national security. At this stage, China underwent 3G and 4G and increasingly moved toward the historic transformation of 5G commercialization. Around 2009, 3G commercialization, intelligent terminal development and social network platforms began to spring up, and China increasingly entered the Web 3.0 period focused on information interaction. In January 2011, Tencent launched the WeChat platform to render instant messaging services for intelligent terminals. By the end of June 2012, China had 538 million cyber citizens, and mobile phones surpassed desktop
computers to become the largest Internet terminal for Chinese cyber citizens.[25] In July 2012, the State Council released the “12th Five-year” Plan for the Development of National Strategic Emerging Industries, which called for stepping up the development of a new generation of information technology industry, accelerating the construction of broadband, converged and secure next-generation information network, breaking through new-generation information technologies such as ultrahigh-speed optical fiber and wireless communication, Internet of Things, cloud computing, digital virtualization, advanced semiconductors and new display, and proposing major projects such as “Broadband China” project, Internet of Things and cloud computing project, and intelligent manufacturing equipment project. To carry out the “Broadband China” project, the State Council released the Strategy and Implementation Plan for “Broadband China” in August 2013. The plan proposes to carry out this strategy in three stages, specifically as follows: (1) Overall speed-up stage (until the end of 2013). Emphatically reinforce the construction of optical fiber networks and 3G networks, increase the access rate of broadband networks, and improve and enhance users’ online experience. (2) Promotion and popularization stage (2014–2015). While increasing the speed of broadband networks, emphatically step up the expansion of coverage and scale of broadband networks and deepen the popularization of applications. (3) Optimization and upgrading stage (2016–2020). Emphatically boost the optimization of broadband networks and technology evolution and upgrading and make the service quality, application level and supporting capacity of broadband industry attain the world advanced level.
In this process, China’s overall strategic guidance increasingly shifted from popularizing informatization and boosting informatization development to stimulating the integration of informatization and industrialization and driving the innovation and development of traditional industries with the development of the Internet industry. In November 2012, Yu Yang, founder of Analysys International Group, delivered a keynote speech at the 5th Mobile Expo of Analysys and came up with the concept of “Internet+” for the first time in the industry.[26] In March 2015, the Third Session of the 12th National People’s Congress was convened in Beijing. In his Report on the Work of the Government, Premier Li Keqiang proposed for the first time that the “Internet+” action plan would be worked out. In May 2015, the State Council issued the Made in China 2025, proposing the strategic goal of building a powerful manufacturing country through “three steps” based on national conditions and reality. The document calls for boosting the deep integration of informatization and industrialization and energetically facilitating breakthrough development in crucial areas as one of the strategic tasks. In July 2015, the State Council officially released the Guiding Opinions on Actively Promoting the “Internet+” Action, requiring full play of the scale and application advantages of China’s Internet, extending the Internet from the consumption field to the production field, and tremendously expanding the breadth and depth of integration between the Internet and economic and social areas. Driven by that guidance, the State Council, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Agriculture, the Office of the Central Leading Group for Cybersecurity and Informatization and other departments released policy documents such as the Three-year Action Plan for “Internet+” Modern Agriculture, Guiding Opinions on Promoting the Development of “Internet+” Smart Energy, Guiding Opinions on Accelerating the Work of “Internet+” Government Services, Implementation Opinions on “Internet+” Efficient Logistics, Guiding Opinions on Deepening the “Internet+ Advanced Manufacturing Industry” and Developing Industrial Internet, Opinions on Promoting the Development of “Internet+ Medical Health” and Opinions on Promoting the Development of “Internet + Social Services”, setting off an “Internet+” upsurge in all sectors of the whole society and expediting the penetration of the Internet into all areas of economy and society. To further deepen the integration of manufacturing and the Internet and jointly push forward the “Made in China 2025” and “Internet+” action plan, in May 2016, the State Council released the Guiding Opinions on Deepening the Integration of Manufacturing and the Internet, clarifying that manufacturing is the main body of the national economy and the main battlefield for implementing the “Internet+”. It was proposed that by 2025, the integration of manufacturing and the Internet will attain a new height, the integration of mass entrepreneurship and innovation systems will be basically complete, the new integration and development model will be widely popularized, a new manufacturing system will basically take shape, and the comprehensive competitiveness of the manufacturing industry will be tremendously upgraded.
[25] Statistical Report on Internet Development in China (July 2012). http://www.cac.gov.cn/files/pdf/hlwtjbg/hlwlfzzkdctjbg030.pdf.
[26] Yu Yang: All Traditions and Services Should be Changed by the Internet. https://tech.qq.com/a/20121114/000080.htm.
Under the push of policy support and encouragement, economic growth and technological innovation, China’s e-commerce took the lead all the way, and new Internet-based formats and modes such as Internet finance, online taxi booking and sharing economy raced to emerge. In 2013, the online retail transaction volume in China was up to 1.85 trillion yuan, and China surpassed the United States to become the largest online retail market in the world.[27] In the same year, Internet finance rose. In June of the same year, Alipay announced that it would cooperate with the Tianhong Fund to launch Yu’ebao, offering balance appreciation services and demand fund management service products. In October, Baidu announced that its “Baidu Financial Center - Financial Management” platform would be officially launched on October 28. Sina launched Weibo Wallet, Tencent launched Micro-Payment and Fund Supermarket, and JD.COM launched Jingbaobei. Internet financial products enriched people’s investment and financing channels and ways, and the traditional financial industry was impacted.[28] In July 2015, the People’s Bank of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Finance and the State Internet Information Office and ten other ministries jointly released the Guiding Opinions on Promoting the Healthy Development of Internet Finance, clearly stating that the deep integration of the Internet and finance is the general trend, and the State actively encourages the innovation of Internet financial platforms, products and services to stimulate market vitality. To conform to the trend of deep integration between the Internet and manufacturing industry and deal with the new problems brought by the integration analysis of massive data and the traditional industries online, a new generation of information technology represented by big data and cloud computing came into being at the right moment. Cloud computing is the crucial infrastructure to carry all types of applications. In August 2006, Eric Emerson Schmidt, then CEO of Google, officially came up with the concept of cloud computing for the first time at the Search Engine Conference convened in San Jose. In May 2009, the first China Cloud Computing Conference was held,[29] and China began to put a premium on the construction and development of cloud computing. In October 2010, the National Development and Reform Commission and the Ministry of Industry and Information Technology released the Notice on Doing a Good Job in the Demonstration of Innovation and Development Pilots of Cloud Computing Services, stating that the general idea of innovation and development of cloud computing at the present stage is “to consolidate overall planning, highlight security, create a good environment, facilitate industrial development, focus on pilot demonstration and achieve crucial breakthroughs”.
[27] Based on eMarketer data, the online retail transaction volume in the United States in 2013 was up to US$ 258.9 billion, approximately CNY 1.566 trillion. http://www.cac.gov.cn/2014-05/22/c_126535820.htm.
[28] Memorabilia of Internet Development in China in 2013. http://www.cac.gov.cn/2014-05/22/c126535820.htm.
In January 2012, the Ministry of Science and Technology took the China Cloud as one of the 19 crucial science and technology plans, aiming to form the overall technical scheme and construction standard of the China Cloud based on independent core technologies and master the core technologies of cloud computing and high-performance computing.[30] In January 2015, the State Council released the Opinions on Promoting the Innovation and Development of Cloud Computing and Cultivating the New Format of Information Industry, intended to further boost the innovation and development of cloud computing in China and actively develop the new format of the information industry. In March 2017, the Ministry of Industry and Information Technology released the Three-Year Action Plan for Cloud Computing Development (2017–2019), indicating that cloud computing has increasingly been recognized and accepted by the market. At the end of the “12th Five-year” Plan, China’s cloud computing industry amounted to 150 billion.
[29] On May 22, 2009, the first China Cloud Computing Conference was held. http://www.xinhuanet.com/science/2017-05/22/c_136298307.htm.
[30] In January 2012, the Ministry of Science and Technology issued the “Twelfth Five-year” Special Plan for High-tech Industrialization and Environmental Construction (this document has expired). The plan intends to implement 19 crucial science and technology plans, including “China Cloud” Key Technology Project, which aims to form China’s overall cloud technology solutions and construction standards based on independent core technologies, command the core technologies of cloud computing and high-performance computing, build a national cloud computing platform, and guide departments, localities and enterprises to set up cloud computing platforms with different scales and different service modes.
Thanks to the basic support of cloud computing, it becomes possible to profoundly analyze and mine data on the strength of big data technology. In August 2015, the State Council released the Program of Action for Promoting the Development of Big Data, making it clear that data have become a national basic strategic resource and that big data are increasingly exerting a significant influence on global production, circulation, distribution, consumption activities, economic operation mechanism, social lifestyle and national governance capacity. Under the impetus of the Program of Action, the General Office of the State Council, the Ministry of Agriculture, the Ministry of Industry and Information Technology, the Ministry of Land and Resources, the National Development and Reform Commission, the Meteorological Bureau, the National Health Commission and other departments released the Implementation Opinions of the Ministry of Agriculture on Promoting the Development of Big Data in Agriculture and Rural Areas, the Notice on Organizing and Implementing Major Projects for Promoting Big Data Development, Guiding Opinions on Promoting and Regulating the Development of Big Data Application in Health Care, Implementation Opinions on Promoting the Development of Big Data Application of Land and Resources, Development Plan for Big Data Industry (2016–2020), Action Plan for Meteorological Big Data (2017–2020), Measures for the Administration of National Health and Medical Big Data Standards, Security and Services (Trial) and Guiding Opinions on the Development of Industrial Big Data, etc., so as to stimulate the development and application of big data industry in different industries. In January 2016, the Ministry of Industry and Information Technology officially launched the 5G technology research and development test, which means that a critical stage of technology research and development and standard development has begun for China’s 5G development.
As planned, China’s 5G test will be conducted in two steps. The first step is to conduct technology research and development experiments from 2015 to 2018, led by CAICT and involving operating enterprises, equipment enterprises and scientific research institutions; in the second step, from 2018 to 2021, domestic operators will take the lead in organizing, and equipment enterprises and scientific research institutions will participate jointly.[31] In 1956, McCarthy, Minsky and other scientists met at Dartmouth College in the United States to explore “how to simulate human intelligence by making use of machines” and came up with the concept of “artificial intelligence (AI)” for the first time. Thanks to the development and application of information technologies such as the Internet, cloud computing and big data, artificial intelligence embraced another round of development opportunities in the new era. In March 2017, Premier Li Keqiang delivered a Report on the Work of the Government, considering it essential to expedite the cultivation and expansion of emerging industries, including artificial intelligence, and artificial intelligence was written into the national Report on the Work of the Government for the first time. In May of the same year, AlphaGo Master, an artificial intelligence system, and Ke Jie, the real-time No. 1 player in the human world, launched a man–machine confrontation in Weiqi and finally won three games in succession,[32] once again triggering a hot discussion on artificial intelligence technology in society. In October 2018, Xi Jinping, General Secretary of the CPC Central Committee, when presiding over the study, stressed that artificial intelligence is a significant motive power for the new round of scientific and technological revolution and industrial transformation, and it is a strategic technology that leads this round of scientific and technological revolution and industrial transformation, exerting a leading wild goose effect with a strong spillover drive.[33] In April 2019, the State Council released the Opinions of the State Council on Implementing the Division of Labor among Crucial Work Departments in the Report on the Work of the Government, requiring deepening the research and development of big data and artificial intelligence, developing a new generation of emerging industrial clusters such as information technology, high-end equipment, biomedicine, new energy vehicles and new materials, and expanding the digital economy. Meanwhile, China’s cybersecurity at home and abroad was confronted with an increasingly complex and severe situation. On the one hand, as cyberspace turns into a new field of human activities as significant as land, sea, sky and space, international competition and contests around cyberspace are becoming increasingly fierce, and the international environment is at loggerheads. Countries are generally aware that the network is a significant tool for diplomatic games and the balance of power. The network penetration of foreign hostile forces is becoming increasingly generalized, the asymmetry of network attacks is further highlighted, and a great clamour has arisen in cyber terrorism. Supply chain penetration threatens the security of crucial national information infrastructures such as energy, communications, and finance.
[31] Ministry of Industry and Information Technology started 5G R&D test and completed typical business demonstration in 2018. http://it.people.com.cn/n1/2016/0108/c1009-28030054.html.
In June 2013, Edward Joseph Snowden, a former CIA employee, disclosed a secret project code named “Prism” of the National Security Agency through The Guardian and The Washington Post. The Prism Project, officially named “US-984XN”, has been enforced since 2007 as a top-secret electronic monitoring program. Through this plan, the U.S. government joined with network giants to launch large-scale network monitoring on a global scale. The exposure of the “Prism” incident triggered global concerns about cyber hegemonism and the risks of national security and political security introduced through the Internet. In May 2017, a ransomware named WannaCry spread on a wider scale globally. The ransomware spreads by exploiting the vulnerabilities in port 445 of the Windows operating system, characterized by self-replication and active transmission. After the ransomware infects the user’s computer, it will encrypt the documents and pictures in the computer with high intensity and extort ransom from the user. As of the morning of May 16, approximately 3,041 million IP addresses in the world were attacked by “EternalBlue” SMB vulnerability, chiefly distributed in the United Arab Emirates, Taiwan Province, the United States and Russia, among which the number
[32] AI, the top ten events of artificial intelligence in 2017, was first written into the Report on the Work of the Government. http://www.ce.cn/xwzx/gqpd/201712/28/t20171228_27460779.shtml.
[33] Xi Jinping: Promote the Healthy Development of a New Generation of Artificial Intelligence in China. http://www.xinhuanet.com/2018-10/31/c_1123643321.htm.
1.3 Cyberspace Governance in the View of National Security …
of IP addresses in China was approximately 94,000.[34] In this incident, the virus infected a large number of hospitals and education, energy, communications, manufacturing and government departments, including in China, doing enormous damage to national security, social stability and citizens’ interests. On the other hand, China has increasingly developed into a large cyber country, and its number of netizens ranks first in the world. While mobile devices such as mobile phones, mobile Internet, e-commerce and other areas are flourishing, new cybersecurity risks arise, and the content of domestic cyberspace governance becomes more complex and changeable with each passing day. First, the network is profoundly integrated with all areas, and the degree of informatization in traditional areas rises continually. The fragility of information systems exposes the infrastructure supporting the operation of the country and society to the double security risks of physical and network attacks. Moreover, the emergence of new technologies and applications renders it more difficult to apply traditional legislation. The development and popularization of technologies such as cloud computing and big data pose new challenges to data sovereignty and cross-border mobility, and new risks such as the social ethics issues introduced by artificial intelligence urgently await resolution. Last, the increasing number of cyber citizens in China and the increasingly abundant network applications mean that the types of data collected and used by network operators, and the methods of collecting and using them, change constantly; data leakage and abuse occur frequently; and the value created by the connection of massive user data makes personal privacy protection and data security focus issues. In 2008, the 3·15 Party on CCTV exposed the problem of spam messages, which was rampant at that time. It was reported that Focus Radio Media Technology Co., Ltd.
(hereinafter referred to as the Focus), which occupied 80% of the “spam messages” market, held over 200 million mobile phone numbers, making up approximately half of the over 500 million mobile phone users in China at that time. After acquiring the information of mobile phone users, Focus classified the owner information in detail, accurate to the owner’s gender, age, consumption level, etc., and sent spam messages “accurately”.[35] The exposure of this incident caused the public to worry about the protection of personal information. In 2010, Tencent and 360 Company competed around the software functions developed by themselves, which was called the “3Q War”. During several rounds between the two parties, 360 once released a “privacy protector” tool, claiming that its function was to help users monitor all the behaviors of software in the computer in the background of the system, and prompt users that “a chat software” peeks at the user’s personal privacy files and data without the user’s permission. In this regard, Tencent filed a lawsuit, and in 2011, the court made a first-instance judgment. The court held that the “360 privacy protector” did not conform to the objective facts in monitoring the documents that might involve privacy in QQ2010 software. Meanwhile, QQ
[34] Recent transmission of Wannacry ransomware worm. https://www.cert.org.cn/publish/main/9/2017/20170517075328471968938/20170517075328471968938_html.
[35] “Focus” was accused of mastering the information of over 200 million mobile phone users. http://epaper.southcn.com/nfdaily/html/2008-03/17/content_5071096.htm.
1 40 Years of China’s Legal Construction in Cybersecurity
software was evaluated and expressed in the interface language of the “360 privacy protector” and the 360 Security Center of the 360 website. These statements were made by expressing untrue facts or fabricating facts, with an obvious intention of unfair competition, which damaged Tencent’s commercial reputation and commodity reputation and constituted commercial slander. As a result, it was ordered that 360 shall stop issuing and using the “360 privacy protector” involved in the case, delete the infringing contents involved in the relevant websites, and publicly apologize and compensate for the losses.[36] The protection of users’ personal information embodied by this incident once again aroused concern. In June 2012, the State Council issued Several Opinions on Vigorously Promoting the Development of Informatization and Effectively Safeguarding Information Security, requiring that security protection administration be improved and security capacity construction expedited; that critical information systems and basic information networks be planned, constructed and operated synchronously with security protection facilities; that technical prevention be intensified, security management strictly enforced, and anti-attack, anti-tampering, anti-virus, anti-paralysis and anti-theft capabilities effectively improved; that the protection and management of basic information resources such as geography, population, legal persons and statistics be strengthened; and that the responsibility of enterprises and institutions to protect user data and basic national data in network economic activities be consolidated. The severe cybersecurity situation at home and abroad in this stage raised new requirements for China’s rule of law in cybersecurity.
In November 2013, the Third Plenary Session of the Eighteenth Central Committee of the Communist Party of China proposed insisting on the principles of active utilization, scientific development, legal management and guaranteeing security; intensifying the management of the network in accordance with the law; and perfecting the leadership system of Internet management, aiming to integrate the functions of relevant institutions, form the resultant force of Internet management from technology to content, from daily security to fighting crime, and ensure the correct use and security of the network. In April 2014, General Secretary Xi Jinping came up with the overall national security concept for the first time, bringing information security into the national security system, and stated that it is essential to build a national security system integrating political security, homeland security, military security, economic security, cultural security, social security, scientific and technological security, information security, ecological security, resource security and nuclear security. Cybersecurity has risen to the national strategic level. In 2010, the first China Information Security Law Conference was convened in Xi’an. As the first national academic conference in the domain of information security law in China, the China Information Security Law Conference, sponsored by Xi’an Jiaotong University, is dedicated to building a platform for collaborative communication among government and enterprises, state and society, technology and law, and supporting the construction of an innovative system of network social
[36] Top Ten Typical Cases of People’s Courts in 2011. https://www.chinacourt.org/article/detail/2012/01/id/471077.shtml.
governance in China. The conference stated that cybersecurity is concerned with national security and social public interests; therefore, we need to combine hard constraints and soft constraints to ensure security. Although China has enacted a series of laws and regulations to raise requirements for security guarantees and crime control, the security issue in cyberspace is still rather thorny. Despite the development of new technologies and new applications, there is still a long way to go for China’s legal construction in cybersecurity. It has already become a fact that traditional “patch-type” legislative frameworks can no longer satisfy the requirements of cybersecurity, and comprehensive legislation is needed to address the problem that the object of protection is much too complicated. Therefore, China needs to upgrade the rule of law in cybersecurity to the basic law level and position basic cybersecurity legislation as a “guarantee law” rather than a “punishment law”, focusing on the construction of cybersecurity guarantee capacity, with dual value choices of “security” and “development”. In 2013, under the unified planning of the central government, the State Internet Information Office started to carry out special legislation for national information networks,[37] comprehensive basic legislation on cybersecurity was put on the agenda, and the Cybersecurity Law was ready to come out.
1.3.2 Legislative Process
During this time, China issued a special cybersecurity strategy and officially wrote cyber sovereignty into the top-level design. China’s first comprehensive and basic legislation in the domain of cybersecurity, Cybersecurity Law of the People’s Republic of China (hereinafter referred to as the Cybersecurity Law), was officially released, and supporting laws and regulations on cybersecurity classified protection, critical information infrastructure protection, data outbound security assessment, critical network equipment and specialized cybersecurity products, and personal information protection were worked out step by step.
1.3.2.1 Sovereign Security
At this stage, along with the upgrade of cybersecurity to the national strategic level, China successively released the Outline for the National IT Application Development Strategy, the National Cyberspace Security Strategy, and the International Strategy of Cooperation on Cyberspace to guide cybersecurity work from two aspects of domestic cyberspace governance and international cybersecurity games. In July 2016, the General Office of the CPC Central Committee and the General Office of the State Council released the Outline for the National Informatization
[37] Interpretation of Cybersecurity Law: Start the Legislative Process of China’s Information Network. http://www.npc.gov.cn/zgrdw/npc/lfzt/rlyw/2016-11/10/content_2002309.htm.
Development Strategy, which adjusted and developed the National Informatization Development Strategy 2006–2020 issued in 2006. It was pointed out that after entering the twenty-first century, particularly after the 18th National Congress of the Communist Party of China, China’s informatization has made considerable progress but is still far from the objectives of comprehensively constructing a moderately prosperous society and accelerating the modernization of socialism; it is extremely urgent and admits no delay to stick to the informatization development path with Chinese characteristics and innovation-driven modernization and build a cyber superpower. In December 2016, the State Internet Information Office released the National Cyberspace Security Strategy, clarifying China’s major position and proposition on cyberspace development and security, presenting guidelines and main tasks, and earnestly safeguarding the country’s sovereignty, security and development interests in cyberspace, clearly defining the strategic tasks of national cyberspace security work at present and in the future: to firmly defend cyberspace sovereignty, resolutely safeguard national security, protect critical information infrastructure, reinforce the construction of network culture, combat cyber terror and illegal crimes, perfect network governance system, consolidate the foundation of cybersecurity, enhance cyberspace protection capability and consolidate international cooperation in cyberspace, while perfecting the network governance system, emphasize the perfection of the cybersecurity laws and regulations, and draw up the cybersecurity law. As the first international strategy for cybersecurity in China, in March 2017, the Ministry of Foreign Affairs and the State Internet Information Office released the International Strategy of Cooperation on Cyberspace. 
The action plan for China to facilitate and engage in international cooperation in cyberspace was proposed from nine aspects, namely, maintaining cyberspace peace and stability, constructing cyberspace order on the basis of rules, developing cyberspace partnership, boosting the reform of global Internet governance system, cracking down upon cyber terrorism and cybercrime, protecting citizens’ rights and interests, stimulating the development of digital economy, reinforcing the construction and protection of global information infrastructure, and enhancing the exchange and mutual learning of cyber culture. In September 2020, China launched the Global Initiative on Data Security, calling for cooperation with other countries in the world to ensure the supply chain security of information technology products and services, protect data security and stimulate the development of the digital economy. It was proposed that all countries should take a comprehensive and objective view of data security based on facts and actively maintain the open, safe and stable supply chain of global information technology products and services. All countries shall respect the sovereignty, jurisdiction and security management rights of other countries and may not directly access data situated in other countries from enterprises or individuals without permission of other countries’ laws.
1.3.2.2 Fine Legislation
Maintaining cybersecurity is the common responsibility of the whole society, which requires the joint protection of all subjects and departments from different angles. To this end, China has passed the Law of the People’s Republic of China on Guarding State Secrets (hereinafter referred to as the Law on Guarding State Secrets), National Security Law of the People’s Republic of China (hereinafter referred to as the National Security Law), Counterterrorism Law of the People’s Republic of China (hereinafter referred to as the Counterterrorism Law), Cryptography Law of the People’s Republic of China (hereinafter referred to as the Cryptography Law), Cybersecurity Law of the People’s Republic of China (hereinafter referred to as the Cybersecurity Law), Data Security Law of the People’s Republic of China (hereinafter referred to as the Data Security Law), Personal Information Protection Law of the People’s Republic of China (hereinafter referred to as the Personal Information Protection Law) and other basic legislation to ensure cybersecurity from their respective entry points. In April 2010, the 14th meeting of the Standing Committee of the 11th National People’s Congress revised and passed the Law of the People’s Republic of China on Guarding State Secrets. From the angle of keeping state secrets, the Law of the People’s Republic of China on Guarding State Secrets specifies that government agencies and units shall reinforce the management of classified information systems, and no organization or individual may engage in such acts as connecting classified computers and classified storage devices to the Internet or other public information networks. 
Meanwhile, it stipulates the obligations of network operators to assist in law enforcement, including cooperating with relevant authorities to investigate cases of leaks; immediately stopping the transmission of information involving the disclosure of state secrets, keeping relevant records, and reporting to the departments of public security, state security organs or secrecy administrative departments, etc. In July 2015, the 15th meeting of the Standing Committee of the 12th National People’s Congress passed the National Security Law of the People’s Republic of China. From the point of view of safeguarding national security, the National Security Law of the People’s Republic of China clarifies the construction of a network and information security system in China, realizes the security and controllability of network and core information technologies, crucial infrastructure and information systems and data in crucial areas, and safeguards national cyberspace sovereignty, security and development interests. In December 2015, the 18th meeting of the Standing Committee of the 12th National People’s Congress passed the Counterterrorism Law. From the angle of preventing and punishing terrorist activities, the Counterterrorism Law endows telecom service operators and Internet service providers with obligations to provide a technical interface, assist in law enforcement, manage information content and examine identity. Apart from that, the law prescribes that after a terrorist incident occurs, the leading anti-terrorism organization responsible for dealing with it may decide that relevant departments and units shall control the Internet, radio and communication in a specific area.
It took four years to draw up and revise the law. On November 7, 2016, the 24th meeting of the Standing Committee of the 12th National People’s Congress officially passed the Cybersecurity Law of the People’s Republic of China (hereinafter referred to as the “Cybersecurity Law”). As the first comprehensive and basic legislation of cyberspace in China, the Cybersecurity Law is made up of seven chapters and seventy-nine articles, clarifying a series of systems such as the cybersecurity classified protection system, the critical information infrastructure protection system, the national cybersecurity review system, the data localization system, the personal information protection system, and the information content management system, laying the foundation for reinforcing special legislation in a targeted way in China. In April 2014, the annual legislative plan of the Standing Committee of the National People’s Congress officially listed the Cybersecurity Law as a legislative preparatory project, thus initiating a new process of China’s national cybersecurity legislation. In June 2015, the 15th meeting of the Standing Committee of the 12th National People’s Congress reviewed the Cybersecurity Law (Draft) for the first time. On July 6, 2015, the Cybersecurity Law (Draft) was open to the public for comments. After that, based on the opinions of the members of the Standing Committee of the National People’s Congress and of all parties, the draft was revised to form the Cybersecurity Law (Second Review Draft). In June 2016, the 21st meeting of the Standing Committee of the 12th National People’s Congress reviewed the second draft. On July 5, 2016, the Cybersecurity Law (Second Review Draft) was released to solicit opinions from the public. On October 31, 2016, the Cybersecurity Law (Third Review Draft) was submitted to the Standing Committee of the National People’s Congress for deliberation.
On November 7, 2016, the 24th meeting of the Standing Committee of the 12th National People’s Congress formally voted and passed the Cybersecurity Law, which officially came into force on June 1, 2017. The international community attaches great importance to the development and promulgation of China’s Cybersecurity Law and, for its own benefit, takes all approaches to exert pressure on China in an attempt to interfere with the design of cybersecurity laws and regulations. In August 2016, 46 foreign institutions headed by the American Chamber of Commerce issued a joint opinion letter on China’s Cybersecurity Law (Draft). In September 2017, the United States submitted a document on China’s Cybersecurity Law to the WTO Trade Services Committee, focusing on the data cross-border security assessment system prescribed in Article 37 of the Cybersecurity Law. In the document, the United States considers that the cross-border security assessment measures for personal information and vital data employed by China’s Cybersecurity Law will seriously hinder the free flow of data and adversely influence foreign suppliers. For this reason, the United States wishes that China will suspend the
publication and enforcement of the final measures for cross-border security assessment of relevant data before the relevant issues are resolved.[38] In the 2019 Sino-US trade negotiations, the Cybersecurity Law remained the core concern. As the basic law of cyberspace in China, the Cybersecurity Law constitutes the legal system of cybersecurity management in China together with the Law on Guarding State Secrets, National Security Law, Counter-terrorism Law, Criminal Law, National Intelligence Law of the People’s Republic of China (hereinafter referred to as the National Intelligence Law), the Cryptography Law of the People’s Republic of China (hereinafter referred to as the Cryptography Law), the Law on Penalties for Administration of Public Security, the Decision of the Standing Committee of the National People’s Congress on Strengthening the Protection of Internet Information, the Decision of the Standing Committee of the National People’s Congress on Maintaining Internet Security, the Regulations on the Protection of the Security of Computer Information Systems, the Regulations on Telecommunications of the People’s Republic of China (hereinafter referred to as the Regulations on Telecommunications), and the Measures for the Administration of Internet Information Services and other laws and regulations. The main functions and contents of the Cybersecurity Law are as follows: First, it clarifies China’s cybersecurity supervision system. Before the promulgation of the Cybersecurity Law, the powers and responsibilities of and between the competent departments in the domain of cybersecurity in China were not clear, and problems such as departments each going their own way, shirking responsibilities in law enforcement and low efficiency were prominent.
Thus, Article 8 of the Cybersecurity Law clearly states that the national cyberspace administration shall be responsible for the overall planning and coordination of cybersecurity work and related supervision and administration. The competent telecommunications department under the State Council, the public security department and other relevant authorities shall be responsible for the protection, supervision, and administration of cybersecurity within the scope of their respective duties in accordance with the provisions of the Cybersecurity Law and other relevant laws and administrative regulations. The cybersecurity protection, supervision, and administration responsibilities of the relevant departments of the local people’s governments at or above the county level shall be determined in accordance with the relevant provisions of the state. In addition, it defines the basic rules of cybersecurity assurance. The law is divided into seven chapters: General Provisions, Cybersecurity Support and Promotion, Network Operation Security, Network Information Security, Monitoring, Early Warning and Emergency Response, Legal Liability and Supplementary Provisions. It is made clear that while maintaining cyberspace sovereignty, the state shall pay equal attention to cybersecurity and information-based development and follow the guidelines of positive use, scientific development, legal management and security
[38] Dynamics | The United States requires China to suspend the enforcement of the final measures of the Cybersecurity Law through WTO (Translation and Analysis). https://mp.weixin.qq.com/s/aFhlarZsW3zNVP6_c8ZusA.
guarantees. To this end, the law specifies a series of regulations such as cybersecurity classified protection system, network key equipment and security specific product certification and testing system, network user identity management system, data retention and law enforcement assistance system, critical information infrastructure protection system, cybersecurity review system, data localization system, personal information protection system, personal information deletion and correction rights, network information content management system, monitoring, early warning and emergency response system, admonition system, and temporary restrictions on network communication, clarifying the baseline of China’s cybersecurity legislation and delimiting the scope of cybersecurity assurance. Additionally, it clarifies the responsibilities and obligations of network operators. Thanks to the development of new technologies and new formats, network operators play a crucial role in boosting technological innovation and prospering the digital economy. The state encourages and supports network operators to develop in accordance with the law and as warranted; meanwhile, as the middle layer between the government and individuals, network operators play a significant role in implementing the main responsibility of cybersecurity, restraining and guiding individual network behaviors, and undertake corresponding responsibilities and obligations in maintaining infrastructure security, reinforcing information content management, guaranteeing personal information security, responding to cybersecurity incidents, and cooperating with regulatory authorities in law enforcement. Finally, the Cybersecurity Law promotes the connection of administrative responsibilities and criminal responsibilities. 
In general, the legal responsibilities of the Cybersecurity Law chiefly impose public order administrative sanctions on network operators and users for their illegal acts, and most of the punishment measures concentrate on ordering correction, warning, fines, ordering suspension of related businesses, suspending business for rectification, closing websites, revoking related business operation permits or revoking business licenses. In addition, Article 74 of the Cybersecurity Law specifies the connections with the Civil Law, the Criminal Law and the Public Security Administration Punishments Law. Where violations of the provisions of the Cybersecurity Law cause harm to others, civil liability is borne in accordance with law. Where provisions of the Cybersecurity Law are violated, constituting a violation of public order administration, public order administrative sanctions will be imposed in accordance with law; where a crime is constituted, criminal responsibility will be pursued in accordance with law. The connection between the Cybersecurity Law and the illegal acts of computer-type crimes in the Criminal Law is specifically as below: (1) The act of stealing network data and offering programs and tools specially used for activities endangering cybersecurity in Article 63 of the Cybersecurity Law is connected with the crime of illegally acquiring the data of computer information systems and offering intrusion and illegal control of computer information system programs and tools in Article 285, Paragraph 2 of the Criminal Law; (2) the crime of offering technical support, advertising promotion, payment settlement and other assistance for others to engage in activities that endanger cybersecurity in Article 63 of the Cybersecurity Law is linked with the
crime of aiding information network criminal activities in Article 287-2 of the Criminal Law; (3) the crime of stealing or obtaining, illegally selling or illegally providing personal information to others in Article 64 of the Cybersecurity Law is connected with the crime of infringing citizens’ personal information in Article 253-1 of the Criminal Law; (4) the crime of setting up websites and communication groups for the enforcement of illegal and criminal activities, or publishing information associated with the enforcement of illegal and criminal activities on the Internet in Article 67 of the Cybersecurity Law is connected with the crime of illegally using information networks in Article 287-1 of the Criminal Law. In June 2017, the 28th meeting of the Standing Committee of the 12th National People’s Congress passed the National Intelligence Law of the People’s Republic of China (hereinafter referred to as the National Intelligence Law). From the point of view of reinforcing and safeguarding national intelligence work, the National Intelligence Law specifies that national intelligence agencies shall launch intelligence work at home and abroad based on work needs in necessary ways, means and channels. All institutions and citizens shall support, assist and cooperate with national intelligence work in accordance with the law and keep the secrets of the national intelligence work they know. National intelligence agencies shall raise the level of identification, screening, synthesis, judgment and analysis of intelligence information by scientific and technological means. In October 2019, the 14th meeting of the Standing Committee of the 13th National People’s Congress passed the Cryptography Law of the People’s Republic of China. From the point of view of standardizing cryptography application and management, the Cryptography Law of the People’s Republic of China is connected with the Cybersecurity Law in many ways. 
It is prescribed that the relevant provisions of the Cybersecurity Law shall apply to the testing and certification of commercial cryptography products in a bid to avoid repeated testing and certification. If a commercial cryptography service uses critical network equipment and specialized cybersecurity products, it shall be certified by a commercial cryptography certification institution. The security assessment of commercial cryptography applications should be connected with the security testing and assessment of critical information infrastructure and the cybersecurity level evaluation system to avoid repeated assessment and evaluation. Operators of critical information infrastructure who purchase network products and services involving commercial cryptography, which may influence national security, shall pass the national security review organized by the national network information department in conjunction with the national cryptography management department and other relevant departments in accordance with the provisions of the Cybersecurity Law. In May 2020, the Third Session of the 13th National People’s Congress passed the Civil Code of the People’s Republic of China (hereinafter referred to as the Civil Code). As the first codified legislation in China, the Civil Code relates to numerous aspects, such as personal information protection, network infringement, and electronic contracts. With regard to network infringement, the Civil Code specifies that if network service providers know or shall know that network users use their network
services to infringe upon the civil rights and interests of others but fail to take essential measures, they shall assume joint and several liability with the network users. If a network user commits an infringement by using a network service, the obligee shall be entitled to inform the network service provider to take requisite measures such as deleting, shielding, and disconnecting links. Upon receipt of the notice, the network service provider shall promptly forward the notice to the relevant network user and take requisite measures based on the preliminary evidence of infringement and the type of service; if requisite measures are not taken in a prompt manner, the network service provider shall be jointly and severally liable with the network users for the expanded part of the damage. For the protection of personal information, the Civil Code specifies that the personal information of natural persons shall be protected by law. In August 2021, the Data Security Law was officially released, requiring the establishment of a national data security management system and improvement of the national data security governance system.
Specifically, the core system design is as follows: (1) establish a classified and graded data protection system, formulate important data catalogs, emphatically protect the data listed in the catalogs, and implement a stricter management system for national core data; (2) set up a centralized, unified, efficient and authoritative assessment, reporting, information sharing, monitoring and early warning mechanism of data security risks, and consolidate the acquisition, analysis, judgment and early warning of data security risk information; (3) set up an emergency response mechanism for data security to effectively respond to and deal with data security incidents; (4) link with relevant laws, and set up a data security review system and export control system; (5) in view of some countries’ discriminatory and unreasonable measures against China’s related investment and trade, make clear that China can take corresponding measures in consideration of the actual situation.
1.3.2.3 Specialized Legislation
After the official release of the Cybersecurity Law, the supporting laws and regulations for the systems it established, such as cybersecurity classified protection, critical information infrastructure protection, cybersecurity review, data outbound security assessment, cybersecurity vulnerability management and personal information protection, have been perfected successively, and China’s legislation in the domain of cybersecurity has entered a stage of all-round, multiangle and systematic construction.
Cybersecurity Classified Protection

The classified protection system is a basic system set up in the domain of cybersecurity in China. In 1994, the State Council promulgated Decree No. 147, clearly stating for the first time that computer information systems shall be protected at
different levels, offering a legal basis for the enforcement of classified protection of information systems in China. After that, China successively issued Document No. 27, Document No. 66, the Measures for the Administration of Classified Protection of Information Security, the Notice on Carrying out the Rating of Security Classified Protection of Important Information Systems throughout the Country, and the Detailed Rules for the Implementation of Filing of Classified Protection of Information Security, further refining the system of classified protection of information security. The establishment and perfection of the classified protection system enabled China to set up standardized and increasingly systematic protection in the domain of cybersecurity, playing a significant role in determining the basic situation and laying a solid foundation in the early stage of network development in China. In the new era, China’s cybersecurity threat situation is becoming increasingly severe, and the new situation and changes in cybersecurity raise new requirements for classified protection. The development of new technologies and applications such as cloud computing, the Internet of Things, the mobile Internet and industrial control systems constantly forces the innovation of classified protection modes. Article 21 and Article 59 of the Cybersecurity Law confirm the national cybersecurity classified protection system in the form of the basic law in the domain of cybersecurity, specify the baseline requirements of the security measures of the classified protection system and grant them coercive power. Meanwhile, Article 31 further requires that critical information infrastructures carry out the national cybersecurity classified protection system and highlight the protection priorities. The Cybersecurity Law thus brings the classified protection system into the 2.0 era.
The emphasis of cybersecurity classified protection 2.0 leans toward the protection of vital information systems and vital network facilities, critical information infrastructure and personalized classified protection objects. In comparison with cybersecurity classified protection 1.0, classified protection 2.0 chiefly brings four changes: (1) the Cybersecurity Law upgrades the classified protection system to law; (2) classified protection objects are further extended to cloud computing, mobile Internet, Internet of Things, industrial control systems, etc.; (3) to upgrade the classified protection system, it is urgent to further perfect the new policy system, standard system, technology system, education and training system, evaluation system and talent system of cybersecurity; (4) the connotation of five prescribed links, such as classification, filing, construction rectification, classification assessment and supervision and testing, becomes more abundant. In March 2018, the Ministry of Public Security issued the Measures for the Administration of Evaluation Institutions of Cybersecurity Classified Protection to reinforce the management of evaluation institutions of cybersecurity classified protection. In June of the same year, the Ministry of Public Security released the Regulations on Cybersecurity Classified Protection (Exposure Draft). The Exposure Draft is made up of 8 chapters and 73 articles, covering support and guarantee, cybersecurity protection, security protection of classified networks, cryptography management, supervision and management, legal liability and the like. In May 2019, the series of national standards for classified protection 2.0, which had been drawn up and revised for three years, were officially released, including the
Basic Requirements for Cybersecurity Classified Protection of Information Security Technology, the Evaluation Requirements for Cybersecurity Classified Protection of Information Security Technology and the Technical Requirements for Security Design of Cybersecurity Classified Protection of Information Security Technology. While perfecting the original requirements, expansion requirements for cloud computing, mobile Internet, Internet of Things and industrial control systems are specially added. Subsequently, the 2.0 series of standards, the Implementation Guide for Cybersecurity Classified Protection of Information Security Technology and the Guide to the Classification of Cybersecurity Classified Protection of Information Security Technology, were released successively.
Protection of Critical Information Infrastructure

Since Decree No. 147 confirmed the classified protection system, the legislative concept of hierarchical protection and guaranteeing key points has always been contained in the course of building China’s rule of law system of cybersecurity. As cyber terrorism, malicious network activities, cyber-attacks and cyber wars become increasingly frequent, the cybersecurity of significant industries and areas not only relates to the smooth operation within the industry areas but also concerns national security. In this context, the protection system of critical information infrastructure gradually emerges in the legislative thinking of classified protection, and the Cybersecurity Law officially clarifies the establishment of the protection system of critical information infrastructure in China. Article 31 of the Cybersecurity Law specifies that the state implements key protection for significant industries and areas such as public communication and information services, power, traffic, water resources, finance, public services, e-government, and other critical information infrastructures that, if destroyed, suffering a loss of function, or experiencing leakage of data, may seriously endanger national security, national welfare and the people’s livelihood, and public interests. The specific scope and measures for security protection of critical information infrastructure shall be worked out by the State Council. The state encourages network operators outside the critical information infrastructure to voluntarily engage in the protection system of critical information infrastructure.
In the legislative model of “listing miscellaneous”, Article 31 preliminarily determines the scope of China’s critical information infrastructure, pointing out that “if destroyed, suffering a loss of function, or experiencing leakage of data, national security, national economy and people’s livelihood, and public interests may be seriously endangered”, clarifying that the basic requirement of critical information infrastructure protection is “to implement key protection on the basis of cybersecurity classified protection system”, and authorizing the State Council to draw up the specific scope and security protection measures of critical information infrastructure. To further clarify the specific scope and security protection methods of critical information infrastructure, in July 2017, the State Internet Information Office
released the Regulations on the Security Protection of Critical Information Infrastructure (Exposure Draft), comprehensively prescribing the security protection principles of critical information infrastructure (CII), the responsibilities of relevant regulatory authorities, state support and safeguard measures, the scope of critical information infrastructure, the security protection obligations of operators, the security review of products and services, the cybersecurity monitoring and early warning system and information notification system. In July 2020, the Ministry of Public Security released the Guiding Opinions on Implementing the Cybersecurity Classified Protection System and the Security Protection System of Critical Information Infrastructure, making clear that public security units shall guide and supervise the security protection of critical information infrastructure, and the working mechanism where public security bodies take the lead in the work of cybersecurity classified protection and critical information infrastructure protection shall be formally established. On August 17, 2021, the Regulations on the Security Protection of Critical Information Infrastructure, which took five years to formulate, were officially released and came into force on September 1, 2021. As the administrative regulations are clearly authorized by the Cybersecurity Law, the regulations are crucial to improve China’s cybersecurity legal system, implement critical information infrastructure security protection obligations, and strengthen the implementation efficiency of cybersecurity legislation.
Critical Network Equipment and Specialized Cybersecurity Products

Article 23 of the Cybersecurity Law specifies that critical network equipment and specialized cybersecurity products may be sold or furnished only after they have passed security certification by qualified institutions, or security testing has found that they conform to the requirements, in line with the mandatory requirements of relevant national standards. The national network information department, in conjunction with the relevant departments of the State Council, shall prepare and publish the catalog of critical network equipment and specialized cybersecurity products and facilitate mutual recognition of security certification and security testing results to avoid duplicate certification and testing. In this context, in June 2017, the State Internet Information Office, in conjunction with the Ministry of Industry and Information Technology, the Ministry of Public Security and the Certification and Accreditation Administration of the P.R.C., released the Catalog of Critical Network Equipment and Specialized Cybersecurity Products (First Batch). Equipment and products explicitly listed in the catalog may be sold or furnished only after they have passed security certification by qualified institutions, or security testing has found that they conform to the requirements, in line with the mandatory requirements of relevant national standards. Qualified institutions shall be jointly identified by the four ministries in accordance with the relevant provisions of the state. In March 2018, the four ministries released the Directory of Institutions Undertaking Security Certification and Security Testing Tasks for Critical Network
Equipment and Specialized Cybersecurity Products (First Batch), making it clear that 16 institutions may undertake security certification or security monitoring tasks. With respect to security certification, in May 2018, the Certification and Accreditation Administration of the P.R.C. and the State Internet Information Office released the Implementation Requirements for Security Certification of Critical Network Equipment and Specialized Cybersecurity Products, clarifying that if the product manufacturers in the catalog choose security certification methods, they shall apply for security certification to the recognized certification bodies, and the certification bodies shall carry out certification based on the Implementation Rules for Security Certification of Critical Network Equipment and Specialized Cybersecurity Products. In June, the Certification and Accreditation Administration of the P.R.C. released the Implementation Rules for Security Certification of Critical Network Equipment and Specialized Cybersecurity Products. With regard to security testing, in June 2019, the Ministry of Industry and Information Technology released Critical Network Equipment Security Testing Implementing Measures (Draft for Comment). The draft clarifies that the Ministry of Industry and Information Technology shall be responsible for organizing and implementing the security testing of critical network equipment, and the Ministry of Industry and Information Technology’s critical network equipment security testing service portal (hereinafter referred to as the “service portal”) centrally receives the relevant materials for critical network equipment security testing. The manufacturer shall select samples and entrust qualified institutions to launch security testing. After the requirements of security testing are met, the testing institution shall submit the security testing report of critical network equipment to the service portal.
Cybersecurity Vulnerability Management

Security vulnerability is an inevitable result of the construction of cyberspace systems. Along with the continuous extension of products and services, security vulnerabilities have increasingly evolved from objects that await repair in the early stage to valuable special objects that are scarce within a specific time limit in cyberspace, exist for a long time, can be expected to be discovered, and can be attached to different carriers, presenting the dual characteristics of nontraditional defects and resources (Daoli and Minhu [4]). Cybersecurity vulnerabilities have become the strategic resources and game capital of national cyberspace warfare, and cybersecurity vulnerabilities relating to critical information infrastructure are directly concerned with national security. In December 2015, Yuan, as an intern white hat of WooYun.org, tested a well-known marriage website in China with the SQLmap software and found vulnerabilities on the website. Upon confirmation of the vulnerability, Yuan submitted the vulnerability through WooYun.org, and WooYun.org informed the website that day. Subsequently, the website confirmed and
fixed the vulnerability and expressed thanks to WooYun.org and Yuan. In January 2016, the main operator of the website reported to the public security unit that it was attacked by SQL injection. In March 2016, the public security unit criminally detained Yuan for the “crime of illegally acquiring the data of computer information systems” and then approved the arrest for the same crime (Wentao [5]). Yuan’s case reveals the urgent legislative need to set up a cybersecurity vulnerability management system and clarify the legal base and responsibility distribution of white hats, vulnerability platforms and network operators. The Cybersecurity Law offers normative guidance for the rectification, notification, reporting, response and release of vulnerabilities. Article 25 of the Cybersecurity Law specifies that network operators shall formulate emergency response plans for cybersecurity incidents and promptly deal with cybersecurity risks such as system vulnerabilities, computer viruses, cyber-attacks and network intrusion. When cybersecurity incidents occur, network operators should immediately launch the emergency response plan, take corresponding remedial measures, and report to the relevant competent department in accordance with the regulations. Article 26 prescribes that those carrying out cybersecurity certification, testing, and risk assessment or other such activities or publicly publishing cybersecurity information such as system vulnerabilities, computer viruses, network attacks, and network intrusions shall comply with relevant state regulations. The Regulations on Cybersecurity Classified Protection (Exposure Draft), which have been released for public comment, and the Regulations on Security Protection of Critical Information Infrastructure, which have been issued, also define the vulnerability management requirements for networks above Level 3 and for critical information infrastructure.
Specifically, the Regulations on Cybersecurity Classified Protection (Exposure Draft) require that personnel who render security services for networks above Level 3 shall not engage in network attack and defense activities of overseas institutions arbitrarily; the Regulations on the Security Protection of Critical Information Infrastructure (Exposure Draft) require that no organization or individual shall perform vulnerability detection and penetration testing on critical information infrastructure without authorization. In June 2018, the Office of the Central Cyberspace Affairs Commission and the Ministry of Public Security jointly released the Notice on Regulating and Promoting Cybersecurity Competition Activities. The notice requires that cybersecurity vulnerabilities and hidden dangers discovered in the competition that may endanger national security and public interests shall be reported to the public security and other relevant departments in a prompt manner and notified to the product provider; it is not allowed to arbitrarily disclose, transfer or publish the technical details, utilization methods and tools, etc. When taking part in overseas cybersecurity competitions, it is not allowed to furnish overseas institutions and individuals with sensitive information, such as cybersecurity vulnerabilities and hidden dangers, that may endanger China’s national security and public interests. Units and individuals participating in major
national and military cybersecurity projects and special tasks and participating in overseas cybersecurity competitions shall report to public security departments. In June 2019, the Ministry of Industry and Information Technology released the Regulations on Cybersecurity Vulnerability Administration (Exposure Draft), refining the obligations of network operators, network products and service providers involved in the Cybersecurity Law in the life cycle management of security vulnerabilities and making clear the requirements of relevant responsible subjects in the management links of fixing, prevention and release of cybersecurity vulnerabilities. In July 2021, the draft was officially released under the name of “Regulations on the Management of Network Product Security Vulnerability”, serving as the first special legislation on cybersecurity vulnerability management in China. In May 2020, the Ministry of Human Resources and Social Security released the Announcement on Publicizing the New Career Information to be Released, adding information security testers (4-04-04-04), targeted at those who find security problems through penetration tests on the network and system of the evaluation target and put forward improvement suggestions to protect the network and system from malicious attacks. This Announcement endows “White Hats” with professional status, which plays a certain role in promoting the establishment of China’s cybersecurity vulnerability management system.
Cybersecurity Review

Article 35 of the Cybersecurity Law specifies that if operators of critical information infrastructure purchase network products and services, which may influence national security, they shall pass the national security review organized by the national network information department in conjunction with relevant departments of the State Council. In May 2017, the State Internet Information Office issued the Measures for Security Reviews of Network Products and Services (Trial), refining the core contents of the network security review system, such as the review scope, content and procedures, and bringing the review system to a substantive operational level. Pursuant to the Measures, critical network products and services used in network and information systems relating to national security are subject to a network security review, which emphasizes their security and controllability. In April 2020, twelve departments, including the State Internet Information Office, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of National Security, and the State Cryptography Administration, jointly issued the Cybersecurity Review Measures, intended to guarantee the supply chain security of critical information infrastructure. The Measures make clear that if an operator purchases network products and services, it shall predict the national security risks that may arise from the products and services after they are put into use. If the purchase influences or may influence national security, the operator shall report to the Cybersecurity Review Office for cybersecurity review. The measures will be enforced from June 1, 2020, and the Measures for the Security
Review of Network Products and Services (Trial) will be abolished simultaneously. In July 2021, the Cyberspace Administration of China released a draft of the revised Cybersecurity Review Measures for public consultation. The draft added the “Data Security Law” as a legislative basis, treated data processing activities as a key regulatory object, provided a quantitative description of data operators, and added the new requirement that “any operator that holds the personal information of more than 1 million users must report to the Cyber Security Review Office for a cybersecurity review before listing abroad”. The obligation subject of the cybersecurity review system is confined to critical information infrastructure operators, and recognizing and identifying critical information infrastructure operators becomes the precondition and primary condition of the cybersecurity review system. Currently, the Regulations for the Security Protection of Critical Information Infrastructure are still in the formulation process, and the specific guidelines and standards for recognition and identification of critical information infrastructure have not yet been fully determined. 
In this regard, the State Internet Information Office stated that in the spirit of the Notice on Matters Related to the Security Protection of Critical Information Infrastructure of the Office of the Central Cyberspace Affairs Commission, operators of important networks and information systems in telecommunications, radio and television, energy, finance, highway and waterway transportation, railway, civil aviation, postal service, water conservancy, emergency management, health, social security, national defense science and technology industry, etc., shall consider applying for cybersecurity review when purchasing network products and services (Answers to Reporter’s Questions in the Measures for Cybersecurity Review, http://www.cac.gov.cn/2020-04/27/c_1589535446378477.htm). Currently, the Regulations on the Security Protection of Critical Information Infrastructure have been officially passed, which means that the specific guidelines and standards for the identification and determination of critical information infrastructure have been fully determined.

Data Outbound Security Assessment

Fueled by the rise of the digital economy and the deepening of globalization, cross-border services such as e-commerce and cloud services are becoming more frequent with each passing day, and the cross-border flow of data is becoming the norm. Meanwhile, based on the needs of safeguarding national security and social public order, protecting personal privacy, boosting the efficiency of law enforcement and stimulating the development of local industries, all countries set off a wave of “data localization” legislation. China has relevant provisions on data localization in the Cybersecurity Law, Administrative Regulations on Credit Information Industry, Measures for the Administration of Population Health Information (Trial), Administrative Regulations on Maps (State Council No. 664), Administrative Regulations on Online Publishing Services (Decree No. 5 of the State Administration of Press, Publication, Radio, Film
and Television), and Interim Measures for the Administration of Online Booking Taxi Administration Services. Specifically, Article 37 of the Cybersecurity Law specifies that the personal information and vital data collected and produced by the operators of critical information infrastructure during operation within the territory of the People’s Republic of China shall be stored within the territory. If it is indeed necessary to furnish such information and data overseas for business needs, security assessment shall be conducted in accordance with the measures prepared by the national network information department in conjunction with the relevant departments of the State Council; where laws and administrative regulations provide otherwise, such provisions shall prevail. Prior to the promulgation of the Cybersecurity Law, China’s laws on data localization were scattered in the following provisions: (1) the Administrative Regulations on Credit Information Industry prescribe that the collation, preservation and processing of information collected by credit reporting agencies in China shall be carried out in China. When offering information to overseas institutions or individuals, credit reporting agencies shall comply with laws, administrative regulations and the relevant provisions of the credit reporting supervision department of the State Council. (2) The Measures for the Administration of Population Health Information (Trial) prescribe that population health information shall not be stored, hosted or leased in overseas servers. (3) In accordance with the Interim Measures for the Supervision of Internet Insurance Business, the self-operated network platform for an insurance institution to carry out the Internet insurance business shall be accessed within the territory of the People’s Republic of China.
If an insurance institution conducts an Internet insurance business through a third-party network platform, the website access place of the third-party network platform should also be within the territory of the People’s Republic of China. (4) The Administrative Regulations on Maps specify that an Internet map service unit shall set a server for storing map data within the territory of the People’s Republic of China. (5) The Administrative Regulations on Online Publishing Services prescribe that if publishing units of books, audio-visual products, electronics, newspapers and periodicals working on online publishing services are in possession of the technical equipment required for online publishing services, relevant servers and storage equipment must be stored in the territory of the People’s Republic of China. (6) The Interim Measures for the Administration of Online Booking Taxi Administration Services stipulate that personal information collected and business data generated by online car-hailing platform companies shall be stored and used in mainland China, and the retention period shall not be less than 2 years. Except as otherwise provided by laws and regulations, the above information and data shall not flow out. Upon promulgation of the Cybersecurity Law, China expedited the setting of supporting systems for data outbound security assessment. In April 2017, the State Internet Information Office issued the Measures for Outbound Security Assessment of Personal Information and Important Data (Exposure Draft), prescribing the subject, object, scope, methods and safeguard measures of outbound security assessment. In May 2017, the National Information Security Standardization Technical
Committee released the national standard Guidelines for Outbound Security Assessment of Information Security Technical Data (Draft), further clarifying the definition and scope of personal information and vital data and prescribing the specific procedures and contents of security assessment. In June 2019, the State Internet Information Office issued the Measures for the Assessment of Personal Information Outbound Security (Exposure Draft). Like the Measures for Outbound Security Assessment of Personal Information and Important Data (Exposure Draft) of April 2017, these measures are applicable to all network operators, but there are enormous changes in assessment procedures, assessment priorities, contract contents, and responsible subjects. The significant progress lies in distinguishing the exit of personal information from the exit of vital data, which gives the exit norms for personal information a clearer legislative orientation that attaches greater importance to the protection of individual rights and interests. In August 2019, the State Council released the Overall Plan for Port-surrounding New Areas in China (Shanghai) Pilot Free Trade Zone, clearly stating that the security assessment of cross-border data flow will be conducted on a pilot basis, and data security management mechanisms such as data protection capability certification, data flow backup review, cross-border data flow and transaction risk assessment will be set up.
Data Security

Thanks to the development of big data and cloud computing technology, the value of massive data fusion and in-depth mining is inestimable, and data have become the most valuable resource in the present era. In 2018, the Data Security Law and the Personal Information Protection Law were included in the legislative plan of the Standing Committee of the 13th National People’s Congress as draft laws with relatively mature conditions; in December 2019, the Legislative Affairs Committee of the National People’s Congress stated that the Personal Information Protection Law and Data Security Law would be enacted in 2020. Special legislation on data security has entered the fast lane. In June 2021, the Data Security Law was officially released. In March 2018, the General Office of the State Council issued the Measures for the Administration of Scientific Data, requiring relevant scientific research institutes, universities, enterprises and other legal entities to set up a scientific data preservation system, provide the necessary facilities for data storage, management, service and protection, and ensure the integrity and security of scientific data. In accordance with the national cybersecurity management regulations, legal entities and scientific data centers shall set up a cybersecurity assurance system, adopt safe and reliable products and services, perfect management measures such as data control, attribute management, identification, behavior tracing, blacklist, etc., and perfect anti-tampering, anti-leakage, anti-attack and anti-virus security protection systems.
In May 2019, the State Internet Information Office issued the Measures for the Administration of Data Security (Exposure Draft), regulating the activities of data collection, storage, transmission, processing and use, as well as the protection, supervision and management of data security within the territory. The Exposure Draft requires that network operators that obtain personal information from other channels assume the same protection responsibilities and obligations as when collecting personal information directly. If a network operator collects vital data or sensitive personal information for business purposes, it shall report to the local network information department for the record. The filing contents include the rules of collection and use and the purpose, scale, mode, scope, type and time limit of collection and use, excluding the data content itself.

In April 2020, the Central Committee of the Communist Party of China and the State Council released the Opinions on Building a More Perfect System for Market-based Allocation of Factors of Production, proposing to expedite the cultivation of the data element market, explore the establishment of a unified and standardized data management system, upgrade data quality and standardization, and enrich data products. The Opinions also call for studying and perfecting the nature of property rights according to the nature of data, working out a data privacy protection system and security review system, promoting the perfection of the classified and graded security protection system of data applicable to the big data environment, and strengthening the protection of government data, business secrets and personal data.
In April 2020, the Ministry of Industry and Information Technology released the Guidelines for the Construction of Standard System of Network Data Security (Exposure Draft), clarifying that China’s standard system of network data security includes four categories of standards: basic commonality, crucial technologies, security management and crucial areas, and proposing to set up a network data security standard system, effectively implement the network data security management requirements, basically meet the needs of industry network data security protection, promote the application of standards in key enterprises and key fields, and develop more than 20 industry standards for network data security by 2021. In August 2020, the Ministry of Commerce released the Overall Plan for Comprehensively Deepening the Innovation and Development of Service Trade, proposing that the pilot work of comprehensively deepening the innovation and development of service trade will be carried out in 28 provinces and cities (regions), making clear that the pilot work of data cross-border transmission security management will be carried out in areas with relatively good conditions. With regard to targeted legislation of departments, in the financial sector, in May 2018, the China Banking and Insurance Regulatory Commission issued the Guidelines for Data Governance of Banking Financial Institutions, clarifying the data management requirements, proposing to set up a self-assessment mechanism and an accountability and incentive mechanism to ensure the efficient operation of data management, comprehensively raising data quality requirements and establishing a data quality control mechanism. In February 2020, the Ministry of Industry and Information Technology issued the Guide to the Classification and Grading of Industrial Data (Trial). Based on the Guide, industrial data may be classified into three levels:
Level 1, Level 2 and Level 3 based on the potential impact of different types of industrial data on industrial production and economic benefits after being tampered with, destroyed, leaked or illegally exploited. The protective measures taken by enterprises against Level 3 data shall be able to resist large-scale malicious attacks from state-level hostile institutions; the protective measures taken against Level 2 data shall be able to resist large-scale and comparatively strong malicious attacks; the protective measures taken against Level 1 data shall be able to resist general malicious attacks.

In February 2020, the General Department of the National Medical Products Administration released the Standard for Drug Record and Data Administration (Exposure Draft) to further standardize the record and data management of drug development, production, operation and use activities. In May 2020, the Ministry of Industry and Information Technology released the Guiding Opinions on the Development of Industrial Big Data, intended to support the crucial technological breakthrough of data flow, build a credible industrial data circulation environment, strengthen the construction of industrial big data standard system, expedite the development of crucial standards such as data quality, data governance and data security, and select industries and regions with mature conditions to launch experimental verification and pilot promotion. In June 2020, the General Office of the Ministry of Transport issued the Measures for the Administration of Scientific Data in Transportation (Exposure Draft), requiring management units to consolidate the security management of scientific data throughout its life cycle, draw up measures for security protection for scientific data, and refine the utilization process and security review system of scientific data.
As for data security legislation, some localities have legislated first on a pilot basis, offering support for China to draw up unified data security management norms. In June 2019, the Tianjin Internet Information Office released the Measures for the Administration of Tianjin Data Security (Provisional), requiring municipal network information authorities to set up the city’s data security information filing system and organize data operators of personal information and vital data to launch filing work on information associated with the city’s data security protection work. In August 2019, the 11th meeting of the Standing Committee of the 13th People’s Congress of Guizhou Province passed the Regulations of Guizhou Province on Big Data Security, clearly enforcing the responsibility system for big data security and ensuring the security of big data in its whole life cycle. Responsibility for big data security follows the principle that whoever owns, holds, manages, uses or collects the data shall assume the corresponding responsibility.

In July 2020, the Judicial Bureau of Shenzhen Municipality released the Shenzhen Special Economic Zone Data Regulations (Exposure Draft). For the first time, the Exposure Draft proposes that natural persons, legal persons and unincorporated institutions enjoy data rights in accordance with laws, regulations and rules, and data rights are the right of the obligee to independently decide, control, process, benefit and compensate for damage to specific data in accordance with the law. Natural persons legally have data rights to their personal data, while market entities of data elements enjoy data rights to their legally collected data and data generated by themselves. In the same month, the Tianjin Internet Information Office released the Interim Measures for Data Transaction Management in
Tianjin (Exposure Draft). Based on the exposure draft, the data provider conducts security risk assessment on the trading data and issues a security risk assessment report. Data exchange service institutions shall, in accordance with the mandatory requirements of laws, administrative regulations and national standards, build and perfect the whole process data security management system, organize security education and training, and take corresponding technical measures and other requisite measures to maintain data security. In July 2021, the Shenzhen Municipal Government Service Data Administration officially issued the Shenzhen Special Economic Zone Data Regulations, stipulating that the personal data processing rules should be based on “notification-consent”, and users have the right to refuse to be profiled and recommended.
Personal Information Protection

Personal information protection has always been the emphasis of China’s legal construction of cybersecurity. From 2003, when the State Council Informatization Office planned the legislative research work of the Personal Information Protection Law, to 2018, when the Standing Committee of the 13th National People’s Congress officially listed the Personal Information Protection Law in the legislative plan, the legislative research of personal information protection in China has gone through 16 years. During this time, the Decision of the Standing Committee of the NPC on Strengthening the Protection of Network Information, the Criminal Law, the Regulations on Protecting the Personal Information of Telecommunications and Internet Users and other laws and regulations all made provisions on the protection of personal information. Overall, the legislative level of personal information protection in China is promoted step by step, the system is gradually perfected, the rules are increasingly refined, and the protection strength is constantly in line with international standards.

In February 2013, China’s first national standard for personal information protection, i.e., Information Security Technology—Guidelines on Personal Information Protection of Public and Commercial Service Information Systems, was enforced, marking that China’s personal information protection work officially enters the stage of “having standards to follow”.
The most striking feature of the guidelines is that explicit authorization must be obtained from the data subject before collecting and utilizing sensitive personal information.42

42 China’s first national standard for personal information protection will be enforced from February 1. http://www.gov.cn/jrzg/2013-01/21/content_2316909.htm.

In July 2013, the Ministry of Industry and Information Technology released the Regulations on Protecting the Personal Information of Telecommunications and Internet Users and the Regulations on the Registration of True Identity Information of Telephone Users, further clarifying the measures that telecom service operators and network information service providers shall take to prevent the leakage, destruction, alteration or loss of users’ personal information, and the real-name registration
system requirements for telephone users when they go through the network access procedures.

In October 2013, the Law of the People’s Republic of China on the Protection of Consumer Rights and Interests (hereinafter referred to as the Law on the Protection of the Rights and Interests of Consumers) was revised. Article 29 specifies that when collecting and using personal information of consumers, operators shall follow the principles of legality, justness and necessity, obtain consumers’ consent and provide notice of the purpose, method, and scope of the use and collection of personal information. Operators must take appropriate measures (technical and otherwise) to protect consumers’ personal information from unauthorized disclosure or loss and must take steps to immediately remediate any unauthorized disclosure or loss.

In August 2016, Xu Yuyu, a candidate for the Shandong college entrance examination, was cheated out of college tuition of 9900 yuan by a fraudulent telephone call and became heartbroken, eventually resulting in cardiac arrest. Investigation found that from November 2015 to August 2016, defendants Chen Wenhui, Huang Jinchun, Chen Baosheng and others banded together to purchase student information and citizens’ purchase information through the Internet, posing as staff members of the Education Bureau, Finance Bureau and Real Estate Bureau, respectively. In the name of issuing student grants and housing purchase subsidies to poor students and with college entrance examination students as the main targets of fraud, they made fraudulent phone calls more than 23,000 times, defrauding others of money totaling over 560,000 yuan, and causing the death of the victim Xu Yuyu.
Eventually, the court sentenced Chen Wenhui, the principal offender, to life imprisonment, deprived him of his political rights for life, confiscated all his personal property, and sentenced the defendants Zheng Jinfeng and Huang Jinchun to fixed-term imprisonment ranging from 3 to 15 years for fraud.43 The Xu Yuyu case once again aroused the concern of society about telecommunication fraud and the protection of personal information behind it.

43 Typical cases of telecommunication network fraud. http://www.court.gov.cn/zixun-xiangqing200671.html.

In December 2016, the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security jointly released the Opinions on Several Issues Concerning the Application of Laws in the Handling of Telecommunication Network Fraud and other Criminal Cases, clarifying that one that implements telecommunication network fraud, reaches the corresponding amount standards, and falls under any of the following circumstances shall be subject to a heavier punishment as the case may be: (1) causing suicide, death or mental disorder of a victim or any of his close relatives, or any other serious consequences; (2) committing fraud by posing as the functionary of a judiciary or any other state department; (3) defrauding the disabled, the elderly, a minor, a student, or a person without ability to work of property, or defrauding a person suffering a critical disease or any of his relatives of property.

In March 2017, the protection of personal information was written into the General Principles of Civil Law of the People’s Republic of China (hereinafter referred to as the General Principles of Civil Law). Article 111 of the General Principles of Civil Law specifies that personal information of natural persons shall be protected
by law. Each organization or individual shall acquire and ensure the security of others’ personal information in accordance with the law. Any person, whether an organization or an individual, shall not illegally collect, use, process, transmit, buy, sell, provide or disclose others’ personal information.

In November 2018, the Supreme People’s Procuratorate released the Guidelines for Procuratorial Organs to Handle Cases of Infringement of Citizens’ Personal Information, clarifying the basic requirements for evidence review, issues that need special attention, social risk review, detention necessity review, etc. In the same month, the Cyber Security Department of the Ministry of Public Security released the Guidelines for Internet Personal Information Security Protection (Exposure Draft), guiding Internet enterprises to build and perfect the management system and technical measures for citizens’ personal information security protection.

In August 2019, the State Internet Information Office released the Regulation on Online Protection of Children’s Personal Information (Decree No. 4 of the State Internet Information Office). To protect children’s personal information across collection, storage, use, transfer, disclosure and other activities, the Regulation requires network operators to formulate dedicated policies and user agreements for children’s personal information protection and to appoint a children’s personal information protection officer or assign dedicated personnel responsible to ensure the protection of children’s personal information. Network operators shall apply the principle of minimum authorized use of children’s information by personnel, strictly set information access permissions, and control access to children’s personal information.
Staff accessing children’s personal information shall be approved by the personal information protection officer or other designated personnel, who shall record the access and take technical measures to avoid illegal copying and downloading of children’s personal information. In December 2019, the State Internet Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation jointly released the Methods for Identifying Unlawful Acts of Applications to Collect and Use Personal Information. The Methods clarify activities that constitute illegal collection and use of personal data via Apps: “failing to disclose collection and use rules”, “failing to indicate the purpose, method and scope of collection and use of personal information”, “collecting and using personal information without users’ consent”, “collecting personal information unrelated to the services in violation of the principle of necessity”, “sharing personal data with third parties without obtaining users’ consent”, “failing to process users’ request to correct or delete their personal data in accordance with the law” or “failing to publish information such as complaints and reporting methods”. In February 2020, during the COVID-19 epidemic, to properly protect the personal information collected for the prevention and control of the epidemic and prevent leakage or abuse, the Office of the Central Cyberspace Affairs Commission released the Notification on Personal Information Protection and Using Big Data to Support Joint Prevention and Control Efforts, requiring the collection of the personal information required for joint prevention and control with reference to the national standard Personal Information Security Specification and adhering to the principle of
minimum scope. Principally, the targets for collection should be limited to key groups such as confirmed cases, suspected cases, and those with close contact and generally should not target all groups in a specific area to prevent de facto discrimination against people in that specific area. Personal information collected for epidemic prevention and control or disease prevention and control must not be used for other purposes. Without the consent of the person whose information is being collected, units and individuals must not disclose names, ages, ID numbers, telephone numbers, home addresses, or other such personal information, except as needed for joint control efforts and after processing for desensitization. In August 2021, the Personal Information Protection Law was officially promulgated. Generally, the law is “both flexible and tight”, which mainly presents the characteristics of optimizing personal information processing rules, strengthening restrictions on processors, detailing key links, and catering for industrial development.
Ecological Management of Network Information Contents

From Decree No. 195 to Decree No. 292, China increasingly intensified the governance of information content and purified cyberspace at all legislative levels. As new technologies and formats spring up, the objects of information content control become more complex, and the forms are more concealed. Based on the Notice of the State Council on Authorizing the State Internet Information Office to be Responsible for the Administration of Network Information Content in 2014, the State Internet Information Office is currently responsible for the management of network information content in China, as well as supervision, management and law enforcement.

In August 2014, the State Internet Information Office released the Interim Provisions on the Administration of the Development of Public Information Services Provided through Instant Messaging Tools, chiefly restricting the service providers and users of instant messaging tools, and requiring that instant messaging tool service users opening public accounts to engage in public information service activities undergo examination and verification by the instant messaging tool service provider, which files them in a categorized manner with the controlling department for Internet information and content. Instant messaging tool service providers shall, in view of the circumstances, adopt measures such as warnings, restricting publication, suspension of refreshing, and closure of accounts against instant messaging tool service users violating the agreed terms, store relevant records, and carry out their duty of reporting the matter to relevant controlling departments.
In June 2016, the State Internet Information Office released the Administrative Regulations on Mobile Internet Application Information Services, chiefly restricting providers of mobile Internet applications and service providers of Internet application stores, requiring service providers of Internet application stores to fulfill management responsibilities for application providers, including auditing the authenticity, security and legality of application providers, establishing a credit management
system, and filing them with the Internet information offices of local provinces, autonomous regions and municipalities directly under the Central Government. For application providers who violate the regulations, service providers of Internet application stores shall take measures such as warning, suspension of publishing, and removal of applications as appropriate, keep records and report to relevant competent departments. In November 2016, the State Internet Information Office released the Provisions on the Administration of Internet Live-Streaming Services, chiefly regulating providers and users of Internet live-streaming services, requiring providers of Internet live-streaming services to establish platforms for reviewing live-streaming content, implement level-based and category-based management according to the content category and user scale of Internet live-streaming, add or broadcast platform identifying information to live-streaming content such as images and texts, videos and audios, and manage Internet news information live-streaming and the content of its interaction in such a way that they are reviewed before being published. Providers of Internet live-streaming services shall, based on the circumstances, give warnings, temporary suspensions of publication, account closure and other punitive measures to internet live-streaming service users that violate provisions of laws and service agreements, and promptly eliminate the violating live-streaming content, preserve records, and report it to the competent department. 
Furthermore, in September 2016, the State Administration of Press, Publication, Radio, Film and Television released the Notice on Strengthening the Administration of Live-Streaming Services for Network Audiovisual Programs, requiring that five days before the live broadcast of major political, military, economic, social, cultural, sports and other activities and events, and 48 hours before the live broadcast of organizational activities such as cultural activities and sports events of general social groups, the service institutions of Internet audiovisual programs that render audio-visual program live broadcast service through the Internet shall report the relevant information of the specific activities to be broadcast to the local provincial press, publication, radio and television administrative department for the record.

After the enforcement of the Cybersecurity Law, to further reinforce the management of live broadcast content, in August 2018, the National “Anti-Pornography and Anti-illegal Affairs” Office, the National Radio and Television Administration, and the State Internet Information Office and six other departments jointly released the Notice on Strengthening the Administration of Internet Live-Streaming Services, requiring Internet live-streaming service providers to record the content and log information released by Internet live-streaming service users and keep them for a certain period of time. For Internet live-streaming service providers who do not have storage capacity and do not purchase storage services, network access service providers are not allowed to render services. Network access service providers and Internet live-streaming service providers should cooperate with the supervision and inspection, investigation and evidence collection of relevant departments in accordance with the law and furnish essential documents, materials and data.
In December 2016, the Ministry of Culture issued the Measures for the Administration of Cyber Performance Business Operations, chiefly regulating the cyber
performance business entities, requiring them to set up an internal inspection, supervision and administration system to supervise the online performance in real time. The cyber performance business entities shall record all the online performance video data, keep them properly for no less than 60 days, and provide the data when relevant departments inquire in accordance with the law. Non-real-time cyber performance audios and videos (including those uploaded by users) furnished by cyber performance business entities to the public shall be strictly self-examined before going online.

Along with the formal promulgation and enforcement of the Cybersecurity Law, the developing information content governance system of China sets out to take the Cybersecurity Law as the basis of the higher-level laws. Since 2017, the State Internet Information Office has promulgated the Regulations for the Administration of Internet News Information Services in the form of Decree No. 1 and successively promulgated the Detailed Rules for the Implementation of License Administration of Internet News Information Services, the Administrative Regulations on Internet Post Comment Services, the Administrative Regulations on Community Services in Internet Forum, the Administrative Regulations on Public Account Information Services for Internet Users, the Administrative Regulations on Internet Group Information Services, the Administrative Regulations on Microblog Information Services, Regulations on Security Assessment of Internet Information Services with Public Opinion Attributes or Social Mobilization Ability, and the Administrative Regulations on Financial Information Services as well as a series of other regulations, strengthening information control in the news field, community, public and Internet group, and other environments.
In May 2017, China released the Regulations for the Administration of Internet News Information Services in the form of Decree No. 1 of the State Internet Information Office, clearly stating that the Internet news information service license shall be acquired for rendering Internet news information services to the public through Internet websites, applications, forums, blogs, microblogs, public accounts, instant messaging tools, and live webcasts. Subsequently, the State Internet Information Office released the Detailed Rules for the Implementation of License Administration of Internet News Information Services, refining the license conditions, application materials and handling conditions.

In August 2017, the State Internet Information Office released the Administrative Regulations on Internet Post Comment Services, chiefly regulating the post comment service providers, requiring the post comment service providers as well as their employees not to interfere with public opinions by selectively deleting or recommending post comment services for the sake of illegitimate interests or based on wrong value orientations. Service providers and users of post comments shall not disseminate specific information, interfere with the normal order of post comments or mislead public opinions by utilizing software or hiring commercial institutions and personnel. Post comment service providers shall set up a tiered user management system, conduct credit assessment on users’ post comment behaviors, determine service scope and functions based on credit rating, blacklist users with serious
dishonesty, stop offering services to blacklisted users, and prohibit them from using post comment services through re-registration.

In August 2017, the State Internet Information Office released the Provisions on the Management of Internet Forum Community Services, chiefly restricting Internet forum community service providers and requiring Internet forum community service providers and their employees not to seek improper benefits through publishing, reprinting or deleting information, or interfering with search results, interfering with presentation sequences on dissemination platforms and other such methods.

In September 2017, the State Internet Information Office released the Administrative Regulations on Public Account Information Services for Internet Users, chiefly restricting service providers and users of public account information of cyber citizens and requiring service providers of public account information of cyber citizens to build databases based on the registered subjects, published contents, number of account subscriptions, and article readings of users’ public accounts, carry out hierarchical and classified management of cyber citizens’ public accounts, draw up specific management systems, and file them with Internet information offices of the State, province, autonomous region or municipality directly under the Central Government.

In September 2017, the State Internet Information Office released the Administrative Regulations on Internet Group Information Services, chiefly restricting Internet group information service providers and users, requiring Internet group information service providers to set up a credit rating management system for Internet group information service users and furnish corresponding services based on credit ratings.
Internet group information service providers shall take warning and rectification measures, suspend publishing, close the group and other disposal measures in accordance with the law for Internet groups violating laws and regulations and the relevant provisions of the State, keep relevant records and report to the relevant competent departments. Internet group information service providers shall take management measures such as lowering credit ratings, suspending management authority, and cancelling group establishment qualifications for users who violate laws, regulations and relevant provisions of the state, keep relevant records, and report to relevant competent departments. In October 2017, the State Internet Information Office released the Administrative Regulations on Security Assessment of New Technologies and New Applications for Internet News Information Services, chiefly restricting the security assessment of new technologies and new applications of Internet news information services. The regulation requires that where one of the following circumstances is present, an Internet news information service provider shall organize and execute a new technology and new application security assessment themselves, compile a written security assessment report, and bear responsibility over the assessment outcome: (1) where they apply new technology, or adjust or add application functions with a news or public opinion nature or social mobilization capabilities; (2) where a change in user scope, nature of functions, technical realization methods, or basic resource allocation through new technologies or new application functions leads to a major change in the news and public opinion nature or social mobilization capacity. Internet news information service providers shall request the state or provincial, autonomous
region or municipal Internet information office to organize and execute a security assessment within 10 working days upon completion of the security assessment. In October 2017, the State Internet Information Office issued the Measures for the Administration of Content Administration Employees in Internet News Information Service Units, chiefly restricting the content management employees in Internet news information service units and requiring the State Internet Information Office to set up a unified management information system for employees, record the basic information, training experience and rewards and punishments of employees, and update and adjust them in a prompt manner. The local network information office shall be responsible for establishing a management information system for local employees and promptly reporting the update and adjustment to the network information office at the next higher level. In February 2018, the State Internet Information Office released the Administrative Regulations on Microblog Information Services, chiefly restricting the microblog service providers and users and requiring the microblog service users to furnish valid certification materials that are consistent with the certification information when applying for the real-name authentication account at the front desk. Party and government organs at all levels, enterprises and institutions, people’s organizations, news media and other institutions shall be responsible for the management of the information content released by the front desk real-name authentication account and its post comments. Microblog service providers shall furnish essential support, such as management authorities. 
In July 2018, the People’s Bank of China released the Notice on Strengthening the Administration of Cross-border Financial Networks and Information Services, clarifying the compliance obligations of overseas providers and domestic users, and requiring overseas providers to reasonably fulfill the reporting obligations of prior events, service events, change events and emergency events. In July 2018, the State Internet Information Office and the Ministry of Public Security released the Regulations for the Security Assessment of Internet Information Services Having Public Opinion Properties or Social Mobilization Capacity, chiefly restricting Internet information services and related new technologies and new applications with public opinion attributes or social mobilization capabilities. According to the Regulations, Internet information service providers meeting one of the following conditions shall conduct security assessment according to these Regulations on their own accord and take responsibility for the assessment results: (1) those whose information services with public opinion properties or social mobilization capacity are online, or who add on corresponding functions to their information services; (2) those whose use of new technologies and new applications causes the functional properties, technical realization methods, basic resource allocation, etc., of their information services to undergo major change, leading to major changes in their public opinion properties or social mobilization capacity; (3) those whose user base is markedly increasing, leading to major changes in the public opinion properties or social mobilization capacity of their information services; (4) those where unlawful or harmful information has been disseminated and spread, indicating it is
difficult for existing security measures to effectively prevent and control cybersecurity risks; (5) other circumstances where district/city-level or higher cyberspace and informatization departments or public security bodies notify in writing that a security assessment is required. In December 2018, the State Internet Information Office released the Administrative Regulations on Financial Information Services, chiefly restricting financial information services and requiring financial information service providers to obtain the corresponding qualifications for engaging in Internet news information services or in financial businesses that by law must be licensed or filed, and to accept the supervision and management of relevant competent departments. In November 2019, the State Internet Information Office, the Ministry of Culture and Tourism, and the National Radio and Television Administration released the Administrative Regulations on Network Audio and Video Information Services, chiefly restricting network audio and video information services and requiring that when network audio and video information service providers launch audio and video information services with media attributes or social mobilization functions based on new technologies and applications such as deep learning and virtual reality, or adjust and add related functions, they shall carry out a security assessment in accordance with relevant state regulations. If network audio and video information service providers and users make use of new technologies and applications based on deep learning and virtual reality to produce, publish and disseminate untrue audio and video information, such information should be marked in a significant way. In December 2019, the State Internet Information Office released the Regulations on Ecological Governance of Network Information Content in the form of Decree No. 
5 of the State Internet Information Office, chiefly restricting network information content producers, network information content service platforms, network information content service users and Internet industry organizations. The regulations require network information content service platforms to set up an ecological governance mechanism for network information content, develop detailed rules for ecological governance of network information content on the platform, improve the systems of user registration, account management, information release and examination, post and comment examination, ecological page management, real-time inspection, emergency response and cyber rumor, and information disposal of the black industry chain. Network information content service users, network information content producers, and network information content service platforms shall not commit traffic fraud, traffic hijacking, false registration of accounts, illegal trading of accounts, manipulation of user accounts, etc. by artificial means or technical means, thus undermining the network ecological order. At this stage, the Ministry of Culture revised the Interim Administrative Regulations on Internet Culture and incorporated the Internet Security Law into the basis of the higher-level law and adjusted its contents. The State Administration of Press, Publication, Radio, Film and Television released the Notice on Adjusting the Business Classification Catalog of Internet Audiovisual Programs (Trial), the Notice on Strengthening the Administration of Medical Advertisements in the Field of Network
Audiovisual Programs, and the Notice on Further Regulating the Communication Order of Network Audiovisual Programs. Furthermore, in August 2018, the National Radio and Television Administration released the Administrative Regulations on Minors’ Programs (Exposure Draft), clarifying that when inviting minors to engage in the production of programs, it is required to obtain the prior consent of their parents or other legal guardians and it is forbidden to force or induce minors to engage in the production of programs by intimidation, deception or buy-over. In September 2018, the National Religious Affairs Administration issued the Measures for the Administration of Religious Information Services on the Internet (Exposure Draft), which is the first time that China has worked out relevant regulations on religious information services on the Internet. In September 2018, the National Radio and Television Administration released the Administrative Regulations on the Introduction and Dissemination of Overseas Audiovisual Programs (Exposure Draft), making it clear that the State enforces a licensing system for the introduction of overseas audiovisual programs. In July 2019, the State Internet Information Office issued the Measures for the Administration of Credit Information of Subjects with Serious Loss of Trust in Internet Information Services (Exposure Draft), making it clear that the network information departments shall publish the blacklisted information in accordance with the principles of openness, fairness and justice, strict control and protection of rights and interests.
Monitoring, Early Warning and Emergency Response

The fifth chapter of the Cybersecurity Law specifies the system of monitoring, early warning and emergency response and clarifies that the state shall establish a cybersecurity monitoring, early warning, and information communication system. Where sudden emergencies or production security accidents occur as a result of cybersecurity incidents, they shall be handled in accordance with the provisions of the “Emergency Response Law of the People’s Republic of China,” the “Production Safety Law of the People’s Republic of China,” and other relevant laws and administrative regulations. To fulfill the need to protect national security and the social public order and to respond to the requirements of major security incidents within society, it is possible, as stipulated or approved by the State Council, to take temporary measures regarding network communications in a specially designated region, such as limiting such communications. In January 2017, the Office of the Central Cyberspace Affairs Commission released the National Cybersecurity Incident Response Plan. The plan classifies cybersecurity incidents into four levels: extraordinarily significant cybersecurity incidents, significant cybersecurity incidents, relatively significant cybersecurity incidents and general cybersecurity incidents. On this basis, the requirements for monitoring and early warning and the corresponding emergency response are specified. In August 2017, the Ministry of Industry and Information Technology issued the Public Internet Cybersecurity Threat Monitoring and Mitigation Measures, requiring
that relevant professional organizations, basic telecommunication enterprises, cybersecurity enterprises, Internet companies, domain name registration management and service organs, etc., shall be classified as the unit’s own issue, and shall immediately begin mitigation, involve other entities, information shall be submitted to MIIT, provincial, autonomous region, and municipal communications authorities in a timely manner and in accordance with the content, indicators, and format of relevant regulations. In November 2017, the Ministry of Industry and Information Technology released the Emergency Plan for Public Internet Cybersecurity Emergencies, clarifying the requirements for monitoring, early warning and emergency response of public Internet cybersecurity incidents under the guidance of the National Emergency Plan for Cybersecurity Incidents. Apart from that, specific areas such as finance and industrial control have released the Work Guide for Emergency Management of Information Security Incidents in Industrial Control Systems and the Emergency Plan for Network and Information Security Incidents in Securities and Futures Industry, regulating these areas in view of their characteristics.
Cybersecurity Law Enforcement

After the formal enforcement of the Cybersecurity Law, administrative law enforcement and special campaigns of departments such as network information, industrial information, public security and market have been launched in an all-round way, and promoting the standardization and modernization of law enforcement and raising the professional level of law enforcement teams have become new problems awaiting solution in the new era. In May 2017, the State Internet Information Office released the Regulations for Internet Content Management Administration Law Enforcement Procedures in the form of Decree No. 2 of the State Internet Information Office, intended to regulate the administrative law enforcement of network information content management departments, and making clear that reliable electronic data obtained through network inspection and other technical means can be used as a basis for the facts of a case. To collect and preserve electronic data, the Internet information content management department may conduct on-site forensics and remote forensics, and order relevant units and individuals to preserve and submit the data. Internet information content management departments may conduct interviews with network information service providers pursuant to relevant regulations before making administrative punishment decisions on illegal acts of network information service providers. In September 2018, the Ministry of Public Security released the Regulations on Internet Security Supervision and Inspection by Public Security Organs, intended to standardize the Internet security supervision and inspection of public security organs, and making it clear that the Internet security supervision and inspection shall be enforced by public security organs in the places where the network service operators of Internet service providers and the network management institutions of online users are situated.
Where an Internet service provider is an individual, it may
be enforced by public security organs in the place of his or her habitual residence. During the period of major national cybersecurity protection tasks, public security organs may launch special security supervision and inspection for Internet service providers and online users associated with major national cybersecurity protection tasks. Moreover, in September 2016, the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security jointly introduced the Regulations on Collecting, Extracting and Judging Electronic Data in Criminal Cases to standardize the collection, extraction, examination and judgment of electronic data and improve the handling quality of criminal cases. In January 2019, the Ministry of Public Security released the Rules for Public Security Organs to Handle Electronic Data Forensics in Criminal Cases, regulating public security organs to handle electronic data forensics in criminal cases, ensuring the quality of electronic data forensics and boosting the efficiency of electronic data forensics.
New Technologies and Applications

As new technologies and applications constantly emerge, security risks continue to rise. Relevant departments have issued relevant legal documents on booking taxis online (“online car-hailing”), cloud computing, artificial intelligence and blockchain, aiming simultaneously to facilitate technology utilization and lower security risks through standardized management. In 2016, the online car-hailing industry increasingly emerged, and China successively issued a series of regulations, such as the Interim Measures for the Administration of Online Booking Taxi Administration Services, the Measures for the Administration of the Operation of the Supervision Information Interaction Platform for Online Booking of Taxis and the Notice on Strengthening the Relevant Work of the Operational and Post-operational Joint Supervision of the Online Booking Taxi Industry. With regard to cloud computing, in July 2018, the Ministry of Industry and Information Technology released the Implementation Guide for Promoting Enterprises to Go to the Cloud (2018–2020) to guide and facilitate enterprises to expedite the transformation and upgrading of digitalization, networking and intelligence by making use of cloud computing. In July 2019, the State Internet Information Office, the National Development and Reform Commission, the Ministry of Industry and Information Technology, and the Ministry of Finance jointly issued the Measures for Security Assessment of Cloud Computing Services.
According to the Measures, the four ministries and commissions jointly launch the security assessment of cloud computing services, intended to enhance the security and controllability of the cloud computing services purchased and used by party and government organs and critical information infrastructure operators, reduce the cybersecurity risks incurred by purchasing and using cloud computing services, and boost the confidence of party and government organs and critical information infrastructure operators in migrating business and data to the cloud service platform.
In terms of artificial intelligence, in May 2016, the National Development and Reform Commission, the Ministry of Science and Technology, the Ministry of Industry and Information Technology, and the Office of the Central Cyberspace Affairs Commission jointly released the Three-year Action Plan for “Internet+” Artificial Intelligence, proposing that by 2018, the basic resources and innovation platform of artificial intelligence will be realized, the artificial intelligence industry system, innovative service system and standardization system will be basically established, breakthroughs will be made in basic core technology, the overall technological and industrial development will keep pace with the international trend, and the application-level technology and system-level technology will achieve local leadership through core technology research and development and industrialization projects, public service platform projects of basic resources, smart home demonstration projects, intelligent unmanned system application projects, and intelligent robot research and development and application projects. In July 2017, the State Council released the New Generation Artificial Intelligence Development Plan, proposing that a three-step strategy with three nodes in 2020, 2025 and 2030 will be taken and that by 2030, China’s AI theories, technologies, and applications should achieve world-leading levels, making China the world’s primary AI innovation center, achieving visible results in intelligent economy and intelligent society applications, and laying an important foundation for becoming a leading innovation-style nation and an economic power.
To carry out the requirements of the Development Plan for New Generation Artificial Intelligence, in August 2019, the Ministry of Science and Technology released the Guidelines for the Construction of National New Generation Artificial Intelligence Open Innovation Platforms and the Guidelines for the Construction of National New Generation Artificial Intelligence Innovation and Development Experimental Zones, requiring the establishment of new generation artificial intelligence open innovation platforms and new generation artificial intelligence innovation development experimental zones. In March 2020, the Ministry of Industry and Information Technology issued the Measures for the Administration of the Manufacturing of Civil UAVs (Exposure Draft). The exposure draft classifies civil UAVs into five types, micro, light, small, medium and large, and requires the manufacturers of civil UAVs to do well in information security protection in accordance with the requirements of relevant information security standards to prevent unauthorized access to civil UAV links. In June 2019, the National Professional Committee for the Governance of New Generation Artificial Intelligence released the Governance Principles for the New Generation Artificial Intelligence: Developing Responsible Artificial Intelligence, proposing the framework and action guide for artificial intelligence governance. The theme of developing responsible artificial intelligence aims to better coordinate the relationship between the development and governance of artificial intelligence, guarantee the security, controllability and reliability of artificial intelligence, facilitate the sustainable development of economy, society and ecology, jointly build a community of human destiny, embed responsibility throughout the research and development of artificial intelligence, and facilitate the healthy development of technology.
In August 2020, the Standardization Administration, the Office of the Central Cyberspace Affairs Commission, the National Development and Reform Commission, the Ministry of Science and Technology, and the Ministry of Industry and Information Technology jointly released the Guide to the Building of a National Standard Framework for New Generation Artificial Intelligence, clarifying that the standard framework of artificial intelligence will be made up of eight parts: basic commonness, supporting technologies and products, basic software and hardware platforms, critical general technologies, critical field technologies, products and services, industry applications, and security/ethics. With respect to self-driving technology, since 2013, China has released the Interim Regulations on Pilot Administration of Civil UAV Systems, the Notice on Frequency Use of UAV Systems, the Measures for the Administration of Air Traffic of Civil UAV Systems, the Regulations on the Administration of the Real-name System Registration of Civil UAVs, Guidelines for the Construction of Standard System of UAV Systems (2017–2018 Edition), Measures for the Administration of Commercial Flight Activities of Civil UAVs (Provisional), Regulations on the Administration of Flight Dynamic Data of Light and Small Civil UAVs, etc., restricting and managing the relevant links of UAVs. Among these, in December 2017, the Ministry of Industry and Information Technology released the Guiding Opinions on Promoting and Regulating the Development of Manufacturing Industry of Civil UAVs, intended to boost and standardize the development of the manufacturing industry of civil UAVs, promote enterprises to build basic product information databases and enterprise-level product monitoring service platforms, guarantee the registration of all product information and realize the whole life cycle management of civil UAVs.
Since 2017, the Ministry of Industry and Information Technology and other departments have successively issued the Guidelines for the Construction of National IoV Industry Standard System (Intelligent Networked Vehicles), Guidelines for the Construction of National IoV Industry Standard System (General Requirements) and Guidelines for the Construction of National IoV Industry Standard System (Vehicle Intelligent Management) to reinforce the construction of IoV industry standard system. In February 2020, the National Development and Reform Commission, the Office of the Central Cyberspace Affairs Commission, the Ministry of Science and Technology and other departments jointly released the Smart Car Innovation and Development Strategy, proposing to open up new models, develop new formats, and enhance the basic industrial capacity and chain level, with the supply-side structural reform as the main line, the development of China’s standard smart cars as the direction, building a smart car power as the goal, and the promotion of industrial integration and development as the approach. In March 2020, the Ministry of Industry and Information Technology issued the Administrative Measures for the Manufacturing of Civil UAVs (Exposure Draft). The Exposure Draft classifies civil drones into five types, micro, light, small, medium and large, and requires civil UAV manufacturers to do well in information security protection in line with relevant standards and requirements of information security to prevent unauthorized access to civil UAV links.
With respect to blockchain, in January 2019, the State Internet Information Office released the Provisions on the Administration of Blockchain Information Services in the form of Decree No. 3 of the State Internet Information Office, requiring that a blockchain information service provider (BISP) shall, within ten working days after beginning to provide services, use the blockchain information service filing management system of the CAC to submit the name of the service provider, service category, service form, application domain, server address, etc., and fulfill filing procedures. If a BISP changes its service program, the platform URL, or other matters, it shall conduct change procedures within five working days after the date of the change. In August 2019, the State Internet Information Office specifically released the Announcement on Clarifying the Clause Involving Security Assessment in the Provisions on the Administration of Blockchain Information Services, making it clear that the Certification and Accreditation Administration of the P.R.C., the commission under the State Administration for Market Regulation, has set up a complete certification system in information security management and information technology service management and possesses a number of accredited assessment institutions. The State Internet Information Office has not designated or authorized any unit or institution to launch testing and security assessment of blockchain security technology. After the enforcement of the regulations, the State Internet Information Office issued three batches of record numbers, which were the first batch of 197 blockchain information service names and record numbers in March 2019; the second batch of 309 domestic blockchain information service record numbers in October 2019; and the third batch of 224 domestic blockchain information service names and record numbers in April 2020.
In October 2019, General Secretary Xi Jinping stressed in the 18th collective study of the Political Bureau of the Central Committee that “we must take blockchain as an important breakthrough for independent innovation of core technologies and accelerate the development of blockchain and industrial innovation”. General Secretary Xi stressed that it is essential to consolidate the guidance and standardization of blockchain technology, intensify the research and analysis of blockchain security risks, closely track the development trends, and actively explore the law of development; it is essential to explore the establishment of a security system that adapts to the blockchain technology mechanism, guide and facilitate blockchain developers and platform operators to consolidate industry self-discipline and carry out security responsibilities; it is essential to incorporate the legal management of the network into the management of blockchain and facilitate the safe and orderly development of blockchain.44 For 5G, in March 2020, the Ministry of Industry and Information Technology released the Notice concerning Promoting the Accelerated Development of 5G,
44 In the 18th collective study of the Political Bureau of the Central Committee, Xi Jinping stressed that blockchain shall be regarded as a significant breakthrough in independent innovation of core technologies to expedite the innovation and development of blockchain technology and industry. http://www.cac.gov.cn/2019-10/25/c_1573535013319838.htm.
intended to fully advance 5G network construction, usage, popularization, technology development and security protection, give full rein to the effects of the scale and driving role of new 5G infrastructure, and support high-quality economic growth.
Platform Economy

Over years of development, China’s platform economy, including e-commerce, has increasingly become an example for the world. In February 2013, the State Taxation Administration issued the Measures for the Management of Online Invoices, which standardizes matters such as account opening registration, online invoice collection procedures, online issuance, transmission, inspection, and cancellation of the online electronic invoicing system for units and individuals in China. In August 2013, the State Council issued Opinions concerning Stimulating Information Consumption and Expanding Internal Demand, indicating that the scale of China’s market is huge, and information consumption has a good development basis and huge development potential. Simultaneously, China’s information consumption is confronted with some problems, such as the fact that basic infrastructure support capacity remains to be upgraded, product and service innovation capacity is weak, market access thresholds are high, supplementary policies are incomplete, sectoral barriers are grave, structures and mechanisms are not adapted. In this regard, it is necessary to consolidate the supply capacity of information products, cultivate the demand for information consumption and reinforce the construction of an information consumption environment. To solve the problems of information asymmetry and personal information protection arising from virtual transactions, in January 2014, the State Administration for Industry and Commerce issued the Measures for the Supervision and Administration of Online Transactions to regulate online commodity transactions as well as related services. While extending offline trading rules to online transactions, special provisions are proposed for third-party trading platforms as well.
In May 2015, the State Council released the Opinions on Striving to Develop E-commerce to Speed up the Cultivation of New Economic Driving Force, requiring us to follow the principles of active promotion, gradual standardization and strengthening guidance, and boost the establishment of an integrated, open, secure and reliable e-commerce market featuring orderly competition, integrity and law-abiding practices. To thoroughly carry out these Opinions, in November 2015, the General Office of the State Council released the Opinions on Strengthening the Governance of Infringement and Counterfeiting in the Internet Domain, requiring a severe crackdown on the illegal and criminal acts of infringing intellectual property rights as well as manufacturing and selling fake and shoddy goods in the Internet field. In July 2016, the State Administration for Industry and Commerce released the Interim Measures for the Administration of Internet Advertisements, clarifying that Internet advertisements must be clearly distinguished and must be marked with the words “advertisement”. Furthermore, paid-search advertisements must be clearly distinguished from other search results not related to advertisements.
In September 2017, the Ministry of Industry and Information Technology released the Three-Year Action Plan for the Development of Industrial E-commerce, planning the development of industrial e-commerce in the next three years, expediting the innovation of trading methods, business models, organizational forms and management systems of industrial enterprises, constantly stimulating the innovation vitality, development potential and transformation momentum of manufacturing enterprises, and finally pushing forward the construction of a manufacturing and cyber superpower. In 2013, China initiated the legislation of the E-commerce Law and finally passed the E-Commerce Law of the People’s Republic of China (hereinafter referred to as the E-Commerce Law) in August 2018 after several revisions. The law requires e-commerce platform operators to take technical measures and other requisite measures to ensure the safe and stable operation of their network, prevent illegal and criminal activities on the network, effectively respond to cybersecurity incidents and assure the security of e-commerce transactions. In March 2018, China’s first-ever Interim Regulation on Express Delivery was introduced, requiring enterprises operating express delivery businesses to set up express waybills and electronic data management systems, properly keep electronic data such as user information, regularly destroy express waybills, and take effective technical means to ensure user information security. Enterprises operating express delivery businesses and their employees shall not sell, disclose or illegally furnish user information known in the course of express delivery services. Where user information leakage occurs or may occur, enterprises operating the express delivery business should immediately take remedial measures and report to the local postal administration department.
In June 2019, the State Post Bureau and the Ministry of Commerce released the Guiding Opinions of the State Post Bureau and the Ministry of Commerce on Regulating the Interconnection and Sharing of Data between Express Delivery and E-commerce Industries to reinforce the control of e-commerce and express delivery data. The Opinions explicitly require setting up a notification and reporting system for interruptions of e-commerce and express delivery data, prohibit malicious interruption of data transmission, and set out clear requirements for data security and emergency management. When an incident endangering cybersecurity occurs, the entity shall immediately start the emergency plan according to law, take corresponding remedial measures, and report to the relevant competent departments. In August 2019, the General Office of the State Council released the Guiding Opinions on Promoting the Well-regulated and Sound Development of Platform Economy, which aims at boosting the standardized and healthy development of the platform economy. It requires optimizing and improving market access conditions and reducing compliance costs for enterprises; innovating regulatory concepts and methods and implementing inclusive and prudential regulation; encouraging the development of new formats of platform economy and expediting the cultivation of new growth points; optimizing the platform economic development environment and consolidating the growth foundation of new business forms; and effectively protecting the legitimate rights and interests of participants of platform economy and reinforcing the legal protection for the development of platform economy.
1.3 Cyberspace Governance in the View of National Security …
In February 2020, the National Development and Reform Commission, the Publicity Department of the Communist Party of China, the Ministry of Education, the Ministry of Industry and Information Technology, the Ministry of Public Security and other departments released the Implementation Opinions on Promoting Consumption Expansion, and Quality Improvement and Accelerating the Creation of a Strong Domestic Market, proposing to encourage the development of new consumption patterns that integrate online and offline, energetically develop the “Internet+ social service” consumption model, improve the “Internet+” consumption ecosystem, encourage the construction of “smart stores,” “smart neighborhoods”, and “smart business circles” to promote online-offline interaction and business travel stylistic coordination. In June 2020, the China Banking and Insurance Regulatory Commission released the Notice on Regulating the Traceable Management of Internet Insurance Sales, requiring insurance institutions to follow the principles of legality, legitimacy and necessity and take effective measures to protect consumers’ right to information security and data. In July 2020, the China Banking and Insurance Regulatory Commission released the Interim Measures for the Administration of Internet Loans of Commercial Banks, requiring commercial banks to set up a safe, compliant, efficient and reliable Internet loan information system to satisfy the needs of Internet loan business operation and risk management. Commercial banks shall take essential network security defending measures, consolidate network access control and behavior monitoring, and effectively prevent threats such as network attacks. The COVID-19 epidemic has provided the telecommuting and live broadcast industry with opportunities to prosper, and live-streaming e-commerce has become common.
Leading cadres from all parts of the country have walked into live broadcast rooms and stimulated the sales of local specialty products and poverty alleviation products, thus revitalizing the local economy. To better regulate the development of the live streaming marketing industry, in July 2020, the State Administration for Market Regulation released the Guiding Opinions on Strengthening the Supervision of Live Streaming Marketing Activities (Exposure Draft), requiring clarification of the legal responsibilities of online platform operators, commodity suppliers, network anchors and other relevant entities, strict regulation of live streaming marketing behaviors, and the investigation and punishment of illegal live streaming marketing activities in accordance with the law. In November 2020, the draft was formally adopted. In August 2020, the Ministry of Industry and Information Technology released the Administrative Regulations on Communication Short Message and Voice Call Service (Exposure Draft). Under the Exposure Draft, no organization or individual may send commercial short messages or make commercial phone calls to users without their consent or request or if users explicitly refuse. If users do not explicitly agree, it shall be deemed refusal. Where a user who has consented later explicitly refuses, the messages or calls shall stop. In August 2020, the Ministry of Culture and Tourism released the Interim Provisions on the Administration of Online Tourism Business Services, requiring online tourism operators to carry out the rules for graded protection of cybersecurity and
implement cybersecurity management and technical measures in accordance with the Cybersecurity Law of the People’s Republic of China and other relevant laws. Online tour operators should protect the security of tourists’ personal information and other data, clearly state the purpose, method and scope of collection and gain the consent of tourists in advance when collecting tourists’ information. Online tour operators shall not abuse big data analysis and other technical means to set unfair trading conditions based on tourists’ consumption records and travel preferences or infringe on the legitimate rights and interests of tourists.
Cryptography Security
Cryptographic security is deeply associated with national security. Under the new circumstances, the domestic and international situation concerning cryptography struggle becomes increasingly severe, and the demand for legalization of cryptography work in China also becomes increasingly urgent. On October 26, 2019, the Cryptography Law was officially promulgated. In compliance with the Cryptography Law, China has made several updates and refinements on cryptography security systems and commercial cryptography management systems. Upon promulgation of the Cryptography Law, the State Cryptography Administration, the Ministry of Commerce, the General Administration of Customs, the State Administration for Market Regulation, the General Office of the State Council and other departments issued numerous normative documents, including the Announcement on Adjusting the Management Methods of Commercial Cryptography Products by the State Cryptography Administration and the State Administration for Market Regulation and the Announcement on Doing a Good Job in the Transition and Connection of Import and Exit Administration of Commercial Ciphers by the State Cryptography Administration, the Ministry of Commerce and the General Administration of Customs; the Measures for the Administration of the Construction of National Government Information Projects by the General Office of the State Council; Implementation Opinions on Testing and Certification of Commercial Ciphers by the State Administration for Market Regulation and the State Cryptography Administration; the announcements of the State Administration for Market Regulation and the State Cryptography Administration on the Catalog of Certification of Commercial Cryptography Products (First Batch) and the Rules for Certification of Commercial Cryptography Products, etc., adjusting the legal system of commercial cryptography.
In August 2020, the State Cryptography Administration released the Administration Regulations on Commercial Ciphers (Exposure Draft on Revised Draft), revising the Administration Regulations on Commercial Ciphers of 1999 in light of the new situation and new requirements. In the same month, the Ministry of Commerce and the Ministry of Science and Technology adjusted and released the Catalog of Technologies Prohibited from Export and Restricted from Export in China, adding cryptography security technology as a technology item restricted from export.
Other Cybersecurity Systems
With respect to online games, in May 2016, the State Administration of Press, Publication, Radio, Film and Television released the Notice on the Administration of Mobile Game Publishing Services, further standardizing the management order of publishing services of mobile games, and making it clear that a game publishing service provider shall be responsible for examining the contents of mobile games, applying for publication and applying for the game publication number. In December 2017, the Publicity Department of the Communist Party of China, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Education, the Ministry of Public Security and other departments jointly released the Opinions on Strictly Regulating the Administration of Online Game Market, indicating that there are still some problems in China’s online gaming industry, such as lack of cultural connotation, serious risks, prominent business problems, online game security system and user security risks.45 As far as anti-addiction of online games is concerned, in July 2014, the General Office of the State Administration of Press, Publication, Radio, Film and Television released the Notice on Deepening the Real-name Authentication of Anti-addiction of Online Games, making it clear that the enforcement of anti-addiction system of online games shall be applicable to all online games except mobile online games. Restricted by hardware, technology and other factors, the enforcement of anti-addiction systems for online games is not applicable to mobile online games for the time being. In October 2019, the National Press and Publication Administration released the Notice on Preventing Minors from Indulging in Online Games, requiring strict control of the time and duration of minors’ use of online games.
From 22:00 every day to 8:00 the next day, online game enterprises shall not furnish game services for minors in any form. The cumulative time for online game enterprises to furnish game services to minors shall not exceed 3 h per day on legal holidays and 1.5 h per day at other times. It is important to note that age-appropriate tips are not equivalent to the Western classifying system, and harmful contents such as pornography, blood, violence and gambling are never allowed to exist in games for minors.
In the field of industrial Internet, in November 2017, promoted by the “Internet+” wave, the State Council released the Guiding Opinions of the State Council on Deepening the “Internet+ Advanced Manufacturing Industry” to Develop the Industrial Internet, proposing seven major projects, including upgrading and reconstruction of industrial Internet infrastructure, construction and promotion of industrial Internet platform, standard development and test verification, industrialization of crucial technologies, integration, innovation and application of industrial Internet, regional innovation demonstration construction and security guarantee capability improvement. It was also indicated that a special working group on the industrial Internet will be set up under the leading group for building manufacturing power to make overall
45 The ministries issued a document requesting strict regulation of the management of the online game market, http://www.ce.cn/culture/gd/201712/29/t20171229_27492946.shtml
plans for major work associated with the industrial Internet. In February 2018, the Office of the Leading Group for Building a Manufacturing Power issued a notice to formally set up a special working group on the industrial Internet. In May 2018, the special working group of the industrial Internet released the Action Plan for Industrial Internet Development (2018–2020), proposing that the industrial Internet infrastructure and industrial system would be initially built by the end of 2020. Guided by the above documents, Guidelines for the Construction and Promotion of Industrial Internet Platform, Evaluation Methods of Industrial Internet Platform, Guidelines for the Construction and Promotion of Industrial Internet Network, Guidelines for the Construction of Integrated Standardization System of Industrial Internet and Guiding Opinions on Strengthening Industrial Internet Security have been issued successively. In February 2020, the closing year of the Action Plan for Industrial Internet Development, General Secretary Xi Jinping presided over the meeting of the Political Bureau of the CPC Central Committee, which demanded expediting the development of biomedicine, medical equipment, 5G networks and industrial Internet;46 in March, the Standing Committee of the Political Bureau of the CPC Central Committee convened a meeting, which demanded expediting the construction of new infrastructure such as 5G network and data center.47 In this context, in March 2020, the Ministry of Industry and Information Technology released the Notice on Accelerating the Development of Industrial Internet, taking speeding up the construction of new infrastructure as the primary task, requiring the transformation and upgrading of the internal and external networks of industrial Internet, reinforcing and perfecting the identification system of industrial Internet, upgrading the core capabilities of industrial Internet platform and building a big data center of industrial Internet.
With respect to the security of industrial control systems, in September 2011, the Ministry of Industry and Information Technology released the Notice on Strengthening the Information Security Management of Industrial Control Systems, specifying the information security management requirements of industrial control systems in critical areas, requiring the establishment of a security evaluation, inspection and vulnerability release system for industrial control systems, and further reinforcing the organization and leadership of information security work of industrial control systems. It is stated that the critical areas to consolidate the information security management of industrial control systems include nuclear facilities, iron and steel, nonferrous metals, chemical industry, petroleum and petrochemical industry, electric power, natural gas, advanced manufacturing, water conservancy hub, environmental protection, railway, urban rail transit, civil aviation, urban water supply,
46 Xi Jinping presided over the meeting of the Political Bureau of the CPC Central Committee to study the prevention and control work for Covid-19 epidemic and make overall plans for epidemic prevention and control and economic and social development. http://paper.people.com.cn/rmrbhwb/html/2020-02/22/content1972466.htm.
47 The Standing Committee of the Political Bureau of the CPC Central Committee convened a meeting to study the crucial tasks of preventing and controlling the Covid-19 epidemic and stabilizing the economic and social operation, and General Secretary of the CPC Central Committee Xi Jinping presided over the meeting. http://www.xinhuanet.com/politics/leaders/2020-03/04/c_1125663518.htm.
gas supply and heating and other areas closely associated with national economy and people’s livelihood. In October 2016, the Ministry of Industry and Information Technology released the Guidelines for Information Security Protection of Industrial Control Systems, raising requirements for application enterprises of industrial control systems to do well in industrial control security protection. In 2017, the Ministry of Industry and Information Technology successively released the Work Guide for Emergency Management of Information Security Incidents in Industrial Control Systems, the Measures for the Administration of Assessment Work of Information Security Protection Ability of Industrial Control Systems and the Action Plan for Information Security of Industrial Control Systems (2018–2020) (hereinafter referred to as the Action Plan). Specifically, the Action Plan proposes that by 2020, the system-wide industrial control security management system will be basically set up, and awareness of industrial control security in society will be significantly enhanced; the national online monitoring network, emergency resource pool, simulation test, information sharing and information notification platform (one network, one pool and three platforms) will be built, and the capabilities of situation awareness, security protection and emergency response will be significantly enhanced.
In the field of e-government, China set out to reinforce the construction and application of e-government in the late 1990s. In 2000, China’s Ministry of Personnel proposed launching the work of e-government. The National Strategy for Informatization Development 2006–2020 of 2006 also emphasizes the enforcement of e-government by enhancing public services, reinforcing social management, strengthening comprehensive supervision, and improving macro-control.
Since 2008, China has successively issued the Notice on Strengthening the Information Security Risk Assessment of National E-government Construction Projects, Measures for the Administration of E-government Electronic Certification Services, Notice on Further Strengthening the Construction and Application of National E-government Network, Guiding Opinions of the General Office of the State Council on Promoting the Coordinated Development of E-government, Interim Measures for the Administration of Government Information Resources Sharing, Guiding Opinions on Accelerating the Work of “Internet+” Government Services, Implementation Plan for Integration and Sharing of Government Information Systems, Guidelines for the Development of Government Websites, Notice of the General Office of the State Council on Strengthening the Domain Name Management of Government Websites, Guidelines for the Compilation of Government Information Resources Catalog (Trial), Requirements for Assessing the Quality of E-government E-certification Services, Business Rules and Specifications of E-government E-certification Services, and Several Issues of the State Council on Online Government Services and Measures for the Administration of the Construction of National Government Information Projects, strengthening the development of e-government. In the educational field, in December 2018, the General Office of the Ministry of Education released the Notice on Prohibiting Harmful APPs from Entering Primary and Secondary Schools, requiring all localities to take effective measures to resolutely prevent harmful APPs from entering primary and secondary schools; in July
2019, the Ministry of Education and six other departments released the Implementation Opinions on Regulating Off-campus Online Training, requiring the enforcement of the filing review system, and completing the filing and investigation of off-campus online training and institutions nationwide by the end of December 2019; in August 2019, the Opinions of the Ministry of Education and Other Eight Departments on Guiding and Standardizing the Orderly and Healthy Development of Mobile Online Education Apps were issued to guide and standardize the orderly and healthy development of educational mobile applications and give full play to the driving and leading role of educational informatization; in September 2019, the Ministry of Education and 11 other departments released the Guiding Opinions on Promoting the Healthy Development of Online Education to facilitate the healthy, standardized and orderly development of online education. In August 2017, the Secretariat of the Office of the Central Leading Group for Cybersecurity and Informatization and the General Office of the Ministry of Education issued the Measures for the Administration of the Construction Demonstration Project of First-class Cybersecurity Colleges, and the Office of the Central Cyberspace Affairs Commission and the Ministry of Education decided to carry out the construction demonstration project of first-class cybersecurity colleges from 2017 to 2027. In September 2017, the Office of the Central Cyberspace Affairs Commission and the Ministry of Education announced the first batch of first-class demonstration projects for the construction of cybersecurity colleges, including seven universities, namely, Xidian University, Southeast University, Wuhan University, Beihang University, Sichuan University, University of Science and Technology of China and Information Engineering University.
In September 2019, the list of the second batch of construction demonstration projects of first-class cybersecurity colleges was announced, namely, Huazhong University of Science and Technology, Beijing University of Posts and Telecommunications, Shanghai Jiaotong University and Shandong University. In other areas, in September 2018, the National Energy Administration released the Guiding Opinions on Strengthening Cybersecurity in the Power Industry; in August 2019, the Ministry of Water Resources released the Measures for the Administration of Water Conservancy Cybersecurity (Trial); in April 2020, the China Meteorological Administration released the Measures for the Administration of the Cybersecurity of the China Meteorological Administration (Trial). The above laws and regulations have raised specific requirements for cybersecurity in combination with the characteristics of the industries. Additionally, in June 2018, the Office of the Central Cyberspace Affairs Commission and the Ministry of Public Security released the Notice on Regulating the Promotion of Cybersecurity Competitions, clarifying that cybersecurity competitions and conferences that use the terms “China,” “Nationwide,” “National,” “Global,” or the like shall report to national cyberspace affairs departments for approval. Competitions that have already been named shall perform approval procedures again or discontinue such naming practices. In principle, government departments shall not organize, co-organize, or undertake commercial cybersecurity competitions, nor shall they act as guiding units of commercial cybersecurity competitions.
1.3.3 Legislative Evaluation
Thanks to the in-depth application of social networks, e-commerce and e-government, the network has penetrated all sectors of society, and the network society is intertwined with the real society. In the second decade of the twenty-first century, the Snowden incident was exposed, revealing the grim situation faced by China in the security management of network society and prompting the country to consolidate the top-level design of the security management of network society. In 2016, the Cybersecurity Law was officially promulgated, and the top-level design was intensified, expediting the pace of legislation associated with cybersecurity in China. Furthermore, with the rapid rise of China’s international status and the continuous enhancement of its competitiveness, China occupies a position in the formulation of international cyberspace rules, and the principle of network sovereignty put forward by China has been deeply rooted in the hearts of the people. Generally, the characteristics of China’s cybersecurity policies and laws at this stage were as follows:
1.3.3.1 National Game Integrated into the Legislative Pattern, and the Principle of Cyber Sovereignty Confirmed
Fueled by the rise of cybersecurity to the height of national security, the legislative purpose and pattern of cybersecurity are no longer confined to the domestic security and development of a single country but increasingly take into account factors such as the diplomatic game of cyberspace and global supply chain security. WannaCry ransomware is sweeping the world, cross-border cybercrime becomes rampant, and cyber terrorism makes a great clamor… these problems suggest that the governance and prevention of cybersecurity risks is no longer a problem of one country or one place, but is becoming a common problem facing the whole world; the “Prism” incident suggests that information network technology has become a significant means for individual countries to monitor other countries and establish Internet hegemony; specific countries continue to suppress the development of Huawei 5G in the global market through domestic legislation and political means, indicating that political and economic factors such as ideology are increasingly brought into the consideration of cybersecurity legislation; the principle of long-arm jurisdiction, which is represented by the Clarifying Lawful Overseas Use of Data Act (i.e., CLOUD Act), introduces the reform of the international judicial assistance system into a passive position. In this regard, China has established the principle of cyber sovereignty through the National Cyberspace Security Strategy, the International Strategy of Cooperation on Cyberspace, National Security Law and the Cybersecurity Law. The International Strategy of Cooperation on Cyberspace clearly states that the principle of sovereign equality confirmed in the Charter of the United Nations is the basic norm of contemporary international relations, covering all areas of state-to-state exchanges, and shall also be applied to cyberspace. Premised on the principle of cyber sovereignty, China’s
legal construction in cybersecurity does not engage in Internet hegemony or interfere in other countries’ internal affairs and is free from any external interference. China upholds the concepts of road self-confidence, theoretical self-confidence and institutional self-confidence and is dedicated to building a socialist legal system with Chinese characteristics.
1.3.3.2 The Concept of Legislation Pre-Emptive and the System Design Extending Multidirectionally
Once the critical information infrastructure suffers any damage, loss of function or data leakage, it might have serious consequences for national security, national economy, people’s livelihood and public interests. Currently, the critical information infrastructure of significant industries has been regarded as the key target of network attacks. Specifically, government, medical care, education, etc. are more seriously attacked by ransomware, and APT attacks are chiefly concentrated in military defense, government, finance, diplomacy, energy and other areas.48 The asymmetry of cyber-attacks is further aggravated, and the significance of cybersecurity to national security makes the legislative concept of cybersecurity in China change from the traditional authorization type to the prevention type, taking into account the preemptive transformation, covering the situation awareness of threats, cyber sovereignty and countermeasures, security information sharing and the like. The Cybersecurity Law requires building a cybersecurity monitoring and early warning and information notification system, and the national network information department coordinates the establishment of a sound risk assessment and emergency response mechanism. General Secretary Xi Jinping clearly stated in his April 19 speech that sensing the cybersecurity situation is the most basic work, and it is essential to sense the cybersecurity situation in all directions around the clock.49 While changing the concept, the legislation of China’s cybersecurity policy has been fully rolled out, the supporting system of the Cybersecurity Law has been increasingly perfected, and the breadth and depth of cybersecurity legislation have been continuously expanded. In breadth, in the context of the “Internet+” Internet of Everything, traditional areas and information technology have been continuously merged, and cybersecurity has expanded from the simple computer realm to the whole industry.
Targeted policy documents have been issued in power, transportation, finance, education and other areas to consolidate cybersecurity legislation. In depth, after the promulgation of the Cybersecurity Law, supporting systems have been worked out successively, and the responsibilities of implementing the Cybersecurity Law have been detailed in numerous aspects, such as infrastructure security, cybersecurity review, data security, network information content management, network public opinion governance, and new-generation information technology.
48 Summary of China’s Internet Cybersecurity Situation in 2018 by CNCERT.
49 The full text of Xi Jinping’s speech at the symposium on network information work is published. http://www.xinhuanet.com//politics/2016-04/25/c_1118731175.htm.
Meanwhile, along with the constant changes in the cybersecurity environment at home and abroad, new technologies and new applications get rid of the stale and bring forth the fresh, traditional security issues present new features, and new security issues come up with new requirements for legislation. The traditional system shall be endowed with a new connotation of the times, and the system design shall be innovated in consideration of the actual needs. Under the Cybersecurity Law, the 2.0 era began for the cybersecurity classified protection system, and the protected objects and contents were further upgraded. The protection system of critical information infrastructure increasingly emerges from the concept of classified protection and is formally confirmed as one of the basic systems of cyberspace in China by the Cybersecurity Law.
1.3.3.3 Data Security as a Focus of Concern, and Special Legislation Officially Released
As the most valuable resource today, data have turned into the basic strategic resource for information technology innovation and economic growth. Large-scale data leakage incidents at home and abroad take place frequently; cybercrime activities, including cyberfraud and routine loans, arising from the disclosure of personal information have been on the rampage for a time, and the Xu Yuyu case once again sounds the alarm of personal information protection; the political tendency behind the data abuse incident of Facebook further aggravates countries’ concerns about data security; while advocating “the network is borderless” and the free flow of data, individual countries constantly consolidate access control through domestic legislation, which makes the global flow of data face adverse conditions. In this regard, China intensifies the protection of personal information through the Decision of the Standing Committee of the NPC on Strengthening the Protection of Network Information, the Civil Code, the Personal Information Protection Law and other policies and legislation; strictly cracks down upon crimes of infringing citizens’ personal information through the Criminal Law and its judicial interpretation; refines the system requirements through the standard system such as Personal Information Security Specification; consolidates the data localization system through the Cybersecurity Law, the Data Security Law, the Administration Regulations on Credit Information Industry, Measures for the Administration of Population Health Information (Trial) and the Administration Regulations on Maps.
Meanwhile, the Measures for the Administration of Data Security and the Measures for the Assessment of Outbound Security of Personal Information are in the formulation process, and the Exposure Draft has been openly released to the public; in May 2020, the Legislative Affairs Commission of the Standing Committee of the National People’s Congress stated that the Personal Information Protection Law (draft) had been formed, and after further improvement based on opinions from all quarters, it would endeavor to submit the draft to the meeting of the Standing Committee of the National People’s
Congress for deliberation with the least delay possible based on the legislative work arrangement of the Standing Committee of the National People’s Congress.50
1.3.3.4
New Technologies and Formats Constantly Emerging, and the Chinese Approach Making a Figure
While boosting economic growth, new-generation information technologies such as big data, cloud computing, artificial intelligence and blockchain are also extensively used in activities threatening cybersecurity such as network crimes and network attacks. Artificial intelligence boosts attack efficiency by automating vulnerability mining, injection, and attack; the virtual currency system supported by blockchain renders it more difficult to track illegal income and aggravates the concealment of cybercrimes; the new-generation information technology also introduces new threats such as ethical risks and algorithm security. In this regard, China has issued a series of policy documents, such as the Measures for Security Assessment of Cloud Computing Services, the Program of Action for Promoting the Development of Big Data, the Three-year Action Plan for “Internet+” Artificial Intelligence, Development Plan for New Generation Artificial Intelligence, Interim Measures for the Administration of Online Booking Taxi Administration Services and the Measures for the Administration of the Operation of the Supervision Information Interaction Platform for Online Booking of Taxis, to deal with the accompanying security issues while ensuring the development of new technologies and new applications. With respect to new business formats, China is in possession of a huge number of cyber citizens and boasts the broad market potential of the digital economy. In addition, the development of the mobile Internet has spawned and prospered new business formats, such as e-commerce, mobile payment, online car-hailing and sharing economies, contributing to boosting economic growth and enhancing production and life. E-commerce represented by Taobao and JD.COM, mobile payment represented by Alipay and WeChat payment, and the sharing economy represented by bicycle sharing have gone abroad and influenced the whole world.
China’s legislative ideas and legislative concepts in related areas are ahead of those of the international community.
1.3.3.5
Entity Responsibility Enhancing Security and Security Compliance Baseline Requirements
The basic supporting subjects of cyberspace are numerous network operators as well as their intermediate platforms, and the open, shared and interconnected network platform is inevitably the center of the vortex and the meeting point of contradictions and disputes.51 Under the system of the Cybersecurity Law, network operators, as compliance subjects, undertake a series of legal obligations, such as implementing a cybersecurity classified protection system, critical information infrastructure protection system, data localization system, personal information protection system, and information content management system. The compliance degree and security level of network operators determine the overall cybersecurity level and cyberspace governance capability in China to a certain extent. In the information content management system, special emphasis is placed on reinforcing the entity responsibility of network operators. At this time, network operators are actually in the middle layer between the regulatory authorities and users, possess certain management and restraint capability on user behaviors, and assume the obligation to undertake the mission of guiding network public opinions and purifying cyberspace. China attaches enormous importance to and emphasizes the role orientation and legal obligations of network operators in the course of legal construction in cybersecurity. The Cybersecurity Law and its supporting systems clarify the compliance obligations of network operators and specify corresponding administrative responsibilities. The Amendment (IX) to the Criminal Law of the People’s Republic of China specially adds the crime of failing to fulfil the security management obligations for an information network, raising the security responsibility of network operators to criminal responsibility and forming a connection with the administrative responsibility of the Cybersecurity Law. Apart from that, in the series of supporting laws and regulations of the Cybersecurity Law, the related technologies and management protection responsibilities of network operators, network service providers, network information content service users and producers are brought to the forefront.
50 The Legislative Affairs Commission of the Standing Committee of the National People’s Congress: the Personal Information Protection Law is being drafted. https://www.chinacourt.org/article/detail/2020/05/id/5220984.shtml.
1.3.3.6
The Effectiveness of Legislative Enforcement Has yet to be Verified, and Refinement and Enforcement are just at the Right Time
Thanks to four decades of construction and development, China’s cybersecurity law-based governance system has basically taken shape. The Cybersecurity Law offers basic guidance for the legal construction of cybersecurity, and the supervision system of network information departments coordinating and each department fulfilling its own duties clarifies the power boundary for cybersecurity supervision and management. Cyberspace is an area where new technologies and applications are constantly being renovated. Cybersecurity issues are not static, and cybersecurity is always relatively and dynamically changing. Currently, new cybersecurity issues represented by artificial intelligence and 5G applications await joint exploration by regulatory authorities and academic research areas. Apart from that, since the enforcement of the Cybersecurity Law, special campaigns including the “Network-purifying Action” have been pushed forward at different levels, and administrative law enforcement activities of cybersecurity have been launched in an orderly manner in all places. Network operators conduct active compliance and passive supervision under the Cybersecurity Law, examining the effectiveness of China’s rule of law system of cybersecurity from a practical point of view. After the Cybersecurity Law gives administrative responsibility to illegal acts in the domain of cybersecurity, the problems facing China in the new era are how to grasp the transparency of law enforcement, how to effectively fulfill the effective connection between administrative responsibility and criminal responsibility, how to bring complex and changeable illegal and criminal acts into the legal responsibility system, how to balance the discretion standards of different provinces and regions under different economic growth levels, and how to improve the capability of frontline law enforcement personnel to deal with illegal and criminal acts.
51 Siyuan [6].
References
1. L. Gang, Crossing Time and Space-Typical Application set of Electronic Information System in China (Seismological Press, Beijing, 1992)
2. X. Jun, CIH a malignant computer virus that occurs on 26th of every month. Modern Electron. Tech. 1998(07), 39–40 (1998)
3. Z. Jian, Report on on-line investigation of computer virus epidemic situation. Netw. Secur. Technol. Appl. (09), 48–50 (2001)
4. H. Daoli, M. Minhu, Legitimacy boundary of security vulnerability discovery: framework of behavior elements in authorization mode. J. Xi’an Jiaotong Univ. (Soc. Sci. Ed.) 37(02), 67–75 (2017)
5. W. Wentao, White Hats in the legal Whirlpool. Fangyuan (21), 15–19 (2016)
6. W. Siyuan, On the security obligation of network operators. Contemp. Law Rev. 31(01), 27–37 (2016)
Chapter 2
40 Years of China’s Regulatory Development in Cybersecurity
Looking back on the development of China’s cyberspace regulation since the 1980s, China’s network regulation system and supervision institutions have been constantly adjusted and perfected along with changes in the network environment and periodic tasks. China’s cyberspace governance has adopted the traditional political management mode from the beginning, that is, the government-led top-down mode. Especially in the early stage of network development, the government played a dominant position in network regulation. For a long time, all departments in the domain of network regulation in China have introduced various regulatory measures by virtue of administrative power, presenting a situation of overlapping functions and multiadministration. From the supervision of the public security departments in the early stage to the multidepartmental office online, to the basic formation of the Internet regulation mechanism led by the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security, and then to the establishment of the overall coordination and administration pattern of the Office of the Central Cyberspace Affairs Commission—overall, China’s cyberspace regulation can be classified into four models: the police-led supervision model, the multisectoral participation model, the initial overall coordination model, the strengthened overall coordination model. The regulation mechanism is constantly improved during continuous adjustments. In addition, as information technology develops, the problems arising from government leads have become increasingly prominent. China has begun to explore new ideas of Internet regulation, and the cyberspace governance mode has increasingly changed from one-way administration to multiway interaction. 
The participation of industries and citizens has been continuously enhanced, and the construction of a cyberspace governance pattern based on collaborative cooperation, joint governance, and shared benefits has been continuously pushed forward in the new era.
© Huazhong University of Science and Technology Press 2022 D. Huang, Research on the Rule of Law of China’s Cybersecurity, https://doi.org/10.1007/978-981-16-8356-5_2
2.1 The Early Stage of Internet Administration Construction: The Police-Led Supervision Model (1994–1999)
Since the reform and opening up, the vigorous development of information technology and the rise of the information technology revolution have aroused enormous concern from national leadership. To seize this historical opportunity, China has taken a series of significant measures and initially set up an informatization management system. In the construction of an informatization leadership mechanism, in the early 1980s, under the care and guidance of Deng Xiaoping and Song Ping, China set out to explore the establishment of an informatization leadership mechanism. In 1982, the State Council set up a leading group on computers and large-scale integrated circuits, which determined the selection basis for developing large- and medium-sized computers and minicomputers in China. In 1984, in a bid to consolidate the centralized and unified leadership over the development of electronics and information industry and stimulate the development of information industry, the State Council decided to change the leading group of electronic computers and large-scale integrated circuits of the State Council into the leading group of electronic revitalization of the State Council, with Li Peng, then Vice Premier of the State Council, as the leader. As the leading group of the State Council for electronic and information undertakings, the leading group’s principal tasks were to consolidate the unified leadership of the electronic industry and information undertakings, draw up development strategies, principles, policies and major measures, and coordinate major issues in scientific research and major project construction between departments and regions in the course of developing electronic industry and information undertakings.
In 1986, to lead the construction of a national economic information system in a unified way, China set up the leading group of national economic information management while setting up the National Economic Information Center. In the 1990s, following the rise of the Internet, informatization became a significant strategic goal of China. The Report on the Work of the Government of 1991 proposed driving the extensive application of electronic technology in the national economy and social life. The Report on the Work of the Government of 1993 proposed putting electronic information and other high and new technologies in an important position, increasing investment intensity, and striving to promote and apply them in various fields.1 At the end of the same year, the State Council approved the establishment of the National Economic Informatization Joint Conference, which unified leadership, organization and coordination of government and economic informatization construction.
1 Hanhua and Miaohan [1].
In 1996, the General Office of the State Council released the Notice on Establishing the Leading Group for Informatization of the State Council (Guo Ban Fa [1996] No. 15), changing the former office of the National Economic
Informatization Joint Conference into the office of the Leading Group for Informatization of the State Council, leading national informatization work. In the same year, the State Council promulgated the Interim Provisions for the Administration of International Networking of Computer Information Networks, making it clear that the Leading Group for Informatization of the State Council is responsible for coordinating and solving major issues in international connections. In 1999, to consolidate the leadership of national informatization work, the State Council released the Notice of the General Office of the State Council on Establishing the State Leading Group for Informatization and decided to set up the State Leading Group for Informatization. The main responsibility of the Leading Group is to organize and coordinate major issues in national computer networks and information security management and to organize and coordinate issues associated with major information technology development and information engineering across departments and industries. The Leading Group includes the Office of Computer Network and Information Security Management (situated in the National Computer Network and Information Security Management Center) and the State Informatization Promotion Office (situated in the Informatization Promotion Department of the Ministry of Industry and Information Technology); Office of Computer Y2K Emergency Work (situated in the Electronic Information Products Management Department of the Ministry of Industry and Information Technology, as a temporary organization); State Expert Advisory Group for Informatization (responsible for making recommendations to the leading group on major issues in China’s informatization work). 
In line with the requirements of the notice, the State Leading Group for Informatization not merely set up offices but undertook the specific work by the Ministry of Industry and Information Technology and renamed the State Informatization Office the State Informatization Promotion Office. All provinces, autonomous regions and municipalities directly under the central government would no longer set up interdepartmental coordination leading bodies for informatization. At the level of division of responsibilities of departments and institutions, with the realization of full-function connection of China’s Internet in 1994, Internet industry has made big strides forward. Accordingly, China has also promulgated a series of policies and regulations and set up some Internet supervision institutions. The Regulations on the Protection of the Security of Computer Information Systems in 1994 and the People’s Police Law of the People’s Republic of China in 1995 (hereinafter referred to as the People’s Police Law) defined the supervision duties of public security organs over computer information system security protection work and clarified the special functions of confidentiality and security departments in charge of security of computer information systems. In 1996, the Interim Provisions on the Administration of International Connections to Computer Information Networks clarified that the Leading Group of Informatization Work under the State Council is responsible for coordinating and solving major issues in the work of international connections; the Ministry of Posts and Telecommunications, the Ministry of Electronic Industry, the State Education Commission and the Chinese Academy of Sciences shall take charge of the established Internet; and defined the supervisory duties of public security organs in international connections. After that, the State Council promulgated
the Administration Regulations on Commercial Ciphers, defining the State Encryption Administration Commission and its offices as the competent departments of commercial cipher management in China. 1998 was a crucial year for Internet management. This year, the Public Information Network Security Supervision Bureau of the Ministry of Public Security was formally set up. The “Internet police” officially joined the police family. From the point of view of functional orientation, the “Internet police” shall be responsible for cybersecurity supervision, inspection and guidance, inspecting and handling illegal information on the network, organizing the disposal and investigation of unexpected incidents in the network society, and investigating and cracking down on illegal crimes on the network based on its jurisdiction,2 providing intelligence and technical support for other police agencies in terms of Internet-enabled crimes. In all, the Internet police have administrative law enforcement powers, criminal investigation powers and network technical investigation powers, becoming the most complete police classification of public security organs in history. In the same year, the Ministry of Industry and Information Technology was set up. Along with the further institutional reform of the State Council, the former Office of the Leading Group for Informatization of the State Council was incorporated into the newly formed Ministry of Industry and Information Technology. The State Informatization Office was set up under the Ministry of Industry and Information Technology, which shall be responsible for boosting the informatization of the national economy and social services. Apart from that, thanks to the popularity of the Internet, crimes against computer systems kept on the rise. 
To protect the information security of computer systems, the Criminal Law revised in March 1997 made special penalty provisions for intrusion into computer systems and destruction of computer systems in Articles 285 and 286. The supervisory duties of the public security unit, people’s procuratorates and people’s courts in fighting computer crimes were further clarified. At this stage, China was in the early stage of building the supervision and administration system in the Internet domain. In addition, Internet applications have not yet been popularized, and the illegal and criminal acts and security issues of the Internet are not distinct. Administrative supervision in this stage in China chiefly aimed to determine the basic situation and boost Internet development. In July 1996, the State Council Informatization Office organized several experts from relevant departments to investigate the technical facilities and management status of the country’s four major Internet networks and nearly 30 ISPs, pushing forward the standardized management of networks.3
2 Based on the division of jurisdiction over criminal cases of the Ministry of Public Security, cybersecurity bureaus have jurisdiction over 7 kinds of cases: illegally invading computer information systems, illegally acquiring the data of computer information systems and illegally controlling computer information systems, offering programs and tools for invading and illegally controlling computer information systems as prescribed in Article 285 of the Criminal Law of the People’s Republic of China, destroying computer information systems as prescribed in Article 286, refusing to fulfill information cybersecurity management obligations as prescribed in Article 286-1, illegally using information networks as prescribed in Article 287-1, aiding information network criminal activities as prescribed in Article 287. If major criminal acts are found carried out online, including cases of propagating terrorism, extremism and inciting terrorist activities through the Internet (Article 120-2), cases of illegally holding articles propagating terrorism and extremism (Article 120-6), cases of infringing citizens’ personal information (Article 253-1), cases of illegally producing and selling special equipment for eavesdropping and stealing photos (Article 230), cases of organizing cheating in exams (Paragraphs 2 and 3, Article 280-1), cases of illegally selling, providing test questions and answers (Paragraph 3, Article 284-1), cases of replacing others in tests (Paragraph 4, Article 284-1), cases of fabricating and deliberately spreading false information (Paragraph 2, Article 291-1), the cybersecurity bureaus may file a case for investigation, and other crime investigation bureaus shall actively assist and cooperate.
2.2 The Emergence of the Multisectoral Participation Model (2000–2007)
In October 2000, the Fifth Plenary Session of the 15th CPC Central Committee raised informatization to the national strategic level, indicating that “informatization is the major trend of economic and social development in the world today, and it is also the key step to promote industry upgrading and fulfill industrialization and modernization in China.”; “It is important to give priority to boosting the informatization of national economy and society”; “It is a strategic measure covering the overall situation of modernization to energetically facilitate national economic and social informatization. It is essential to push forward industrialization with informatization, take the advantage of starting later and realize rapid development of social productive forces”. In July 2001, Jiang Zemin, then General Secretary of the CPC Central Committee, came up with the 16-character policy of Internet supervision in China in a lecture on ensuring and facilitating the healthy development of information networks by using legal means. He stressed that our basic Internet policy was to actively develop, consolidate management, seek advantages and avoid disadvantages, make use of our own advantages, and endeavor to take the initiative position in the development of global information networking.4 In summary, China’s attitude toward the Internet is developing after weighing up supervision and development.
We shall introduce and develop Internet technology and consolidate Internet supervision for our own use; in addition, we shall not merely actively stimulate the development of information network infrastructure but also energetically consolidate regulations to drive the rapid and healthy development of information networks.5 To fulfill the strategic decision of the CPC Central Committee and the State Council, in August 2001, the CPC Central Committee and the State Council decided to reorganize the national leading group to further consolidate the leadership of China’s informatization construction and the maintenance of national information security. Zhu Rongji, then Premier of the State Council, served as the group leader.
3 Memorabilia of Internet from 1994 to 1996. http://www.cac.gov.cn/2009-04/11/c_126500497.htm.
4 Jiang Zemin: Promoting the rapid and healthy development of information networking. http://www.chinanews.com/2001-07-11/26/104229.html.
5 Haitao [2].
The main responsibilities of the group were to review the development strategy of national informatization, macro planning, relevant regulations, drafts and major decisions and comprehensively coordinate informatization and information security work. In comparison with the National Leading Group for Informatization set up in 1999, the newly formed leading group was of higher specifications. The leader was the Premier of the State Council, and the deputy leader included two Politburo Standing Committee members and two Politburo members. As the National Leading Group for Informatization was set up, the State Council Informatization Office was also proclaimed to exist. In August of the same year, the CPC Central Committee and the State Council approved the establishment of the Advisory Committee for State Informatization, which shall be responsible for making recommendations to the National Leading Group for Informatization on major issues in China’s informatization development. Until that time, the pattern of “one body and two supporting institutions” in the National Leading Group for Informatization had been formed. After the change of the term of office of the State Council in 2003, a new National Leading Group for Informatization was set up, with Wen Jiabao, a member of the Standing Committee of the Political Bureau of the Central Committee and then Premier of the State Council as the group leader. 
To cope with the increasingly severe situation of network and information security, the National Network and Information Security Coordination Group was set up under the National Leading Group for Informatization in the same year, headed by the Standing Committee of the Political Bureau of the Central Committee and the Vice Premier of the State Council, and its members included powerful departments such as the Ministry of Industry and Information Technology, the Ministry of Public Security, the National Administration of State Secrets Protection, the State Encryption Administration Commission and the Ministry of State Security, and the provinces, municipalities and autonomous regions also set up corresponding management institutions. The establishment of the institutions provided favorable conditions for continuing to reinforce the construction of an information security legislation system.6 In the construction of departments and the division of responsibilities, at this stage, network applications expanded from crucial industries to all walks of life and people’s homes, and the degree of integration between the network and people’s production and life was further enhanced. The launch of electronic bulletin columns such as websites and forums gradually sprung up, and the status of the network as the fourth largest media form in China was initially consolidated. Sina, Sohu, Netease and other portals as well as a large number of newly opened websites set out to become involved in news dissemination. Meanwhile, the Internet dissemination of obscene, pornographic and reactionary and other illegal and harmful information has become increasingly prominent. How to ensure the operation security and information security of the Internet aroused enormous concern from national regulatory authorities. 
6 Hanhua and Miaohan [1].
In 2000, the Standing Committee of the National People’s Congress promulgated the Decision of the Standing Committee of the National People’s Congress on Safeguarding Internet Security, requiring people’s governments at all levels to enhance
cybersecurity protection capabilities; relevant competent departments shall consolidate supervision and administration of Internet operation security and information security; people’s courts, people’s procuratorates, public security organs and state security organs shall fulfill their respective duties and cooperate closely to crack down upon all types of cybercrimes in accordance with the law. Furthermore, content security has become a significant object of cybersecurity supervision. In 2000, the State Council promulgated and enforced the Administrative Measures on Internet Information Services clarifying the supervisory duties of the competent departments of the information industry on network information services and prescribing that the relevant competent departments of news, publishing, education, health, drug supervision and administration, industrial and commercial administration, public security, national security, etc. shall supervise and manage network information content in accordance with the law within their respective responsibilities. Thus, news, publishing, health, medicine, industry and commerce and other departments took the first step in network social governance. All departments actively introduced relevant normative documents and extended the supervision function to the network content area. In 2001, the State Drug Administration of the People’s Republic of China released the Provisional Regulations Concerning Drug Information Service on the Internet, determining that the State Drug Administration of the People’s Republic of China shall supervise Internet drug information services. In 2001, the Ministry of Health issued the Measures for the Administration of Internet Medical and Health Information Services, clarifying the supervision responsibilities of the Ministry of Health on Internet medical and health information services. 
In 2002, the Press and Publication Administration and the Ministry of Industry and Information Technology (including the Ministry of Posts and Telecommunications) released the Interim Provisions on Internet Publication Administration, establishing the General Administration of Press and Publication’s responsibility of approving and supervising Internet publishing activities. In 2003, the Ministry of Culture released the Interim Provisions on the Administration of Internet Culture, making it clear that the Ministry of Culture shall supervise the content of Internet culture. In 2003, the State Administration of Radio, Film, and Television issued the Measures for the Administration of the Publication of Audio-Visual Programs through the Internet or Other Information Network, clarifying the duties of the State Administration of Radio, Film, and Television in charge of launching all types of audiovisual programs on the Internet and other information networks. To meet the needs of development, new regulatory authorities began to emerge as well. In April 2000, the Network News Administration of the State Council Informatization Office was set up, which shall be responsible for coordinating the national Internet news propaganda work. The news offices of all provinces also set up corresponding institutions successively, forming a top-down supervision system. From 2001, public security departments at the provincial level in China established formal public information cybersecurity supervision divisions, bearing responsibility for Internet supervision. At this stage, a variety of government departments introduced relevant Internet norms to clarify their regulatory boundaries, and there were many regulatory crossover zones among departments. In the meantime, there existed a
degree of cooperation among departments in competition. In November 2004, to crack down upon network chaos and purify the network environment, the Publicity Department of the Communist Party of China, the State Council Information Office, the Ministry of Public Security and other departments formed the National Coordination Group for Centralized Cleaning and Rectification of Internet Websites, carrying out website cleaning work for one and a half years. In 2006, under the leadership of the Publicity Department of the Communist Party of China, 16 departments, including the Ministry of Industry and Information Technology, the State Council Information Office, the Ministry of Education, the Ministry of Public Security, the National Administration of State Secrets Protection and the Communications Department of the General Staff Headquarters of the People’s Liberation Army, formed the National Coordination Group for Internet Site Management. At that time, the Ministry of Industry and Information Technology also introduced the Work Plan for Coordination of Internet Sites. Based on the plan, the Ministry of Industry and Commerce shall be responsible for the registration of Internet enterprises, the Ministry of Industry and Information Technology shall be responsible for the management of the Internet industry, the State Council Information Office shall be responsible for the supervision of network ideology, and the public welfare network shall be supervised on the principle of “who is in charge shall be responsible”. Since then, similar Internet supervision coordination groups have generally been set up in government agencies at or above the county level, with the supervision force chiefly being public security organs, procuratorial organs and people’s courts, aiming to quickly crack down on the spread of pornography, gambling and drug abuse on the Internet. 
China’s Internet content supervision initially formed a multiaperture cross-management mode with the State Council Information Office as the leader, supplemented by the Publicity Department of the Communist Party of China, General Administration of Press and Publication, the State Administration of Radio, Film, and Television, the Ministry of Culture, the Ministry of Education and the National “Anti-Pornography and Anti-illegal Affairs” Office and the Ministry of Public Security. Apart from content security, in consideration of the rise and development of the telecommunications industry, in order to stimulate the development of the telecommunications industry and assure the security of telecommunications networks and information, the State Council promulgated the Regulations on Telecommunications of the People’s Republic of China (hereinafter referred to as the Regulations on Telecommunications) in 2000, setting up the telecommunications services license system, telecommunications equipment network access license system, etc., and defining the supervision and administration responsibilities of the information industry authorities for the national telecommunications industry. At this stage, Internet industry associations began to appear, making positive contributions to building a benign network development ecology. In 2001, the Internet Society of China was set up, marking the substantial implementation of self-discipline in the Internet industry. Since its establishment, the Internet Society of China has done much industry self-disciplinary work. For instance, the association took the lead in working out industry norms such as Self-discipline Agreement for China
Internet Industry. Later, domestic industry organizations such as the Network Copyright Alliance were set up successively. The Internet self-disciplinary organizations in these subsectors met the needs of Internet development and competition and played a significant part in maintaining Internet order. Overall, however, at this stage, the government-led supervision pattern was still maintained, and the participation of other forces in the governance of the Internet was relatively restricted. At this stage, as the Ministry of Industry and Information Technology and other departments were set up, these authorities set out to become involved in the supervision of the Internet domain. The Ministry of Culture, the State Administration for Industry and Commerce, the General Administration of Press and Publication and other departments increasingly intensified the management of Internet-related affairs within the scope of their supervision duties and formed joint forces of supervision through cross-departmental joint special campaigns to jointly push forward the governance of the Internet domain. 
In terms of telecom market supervision, in November 2005, the Ministry of Public Security, the Ministry of Industry and Information Technology and the China Banking Regulatory Commission decided to launch the control of illegal short messages on mobile phones nationwide, emphasizing cracking down on the behaviors of sending mobile phone text messages illegally, which has many contacts, great influence, and strong reflections.7 In June 2006, the Ministry of Industry and Information Technology carried out a special campaign to govern and standardize the tariffs and charges of mobile information services (SP services) in the whole country in four stages, in a bid to purify the consumption environment of the mobile information service market, reinforce the management of the tariffs and charges of mobile information services, and standardize the mobile information services charging fees from users by basic telecommunications enterprises.8 From September to November of the same year, the communication administrations of all provinces investigated and dealt with at least 245 illegal mobile value-added service providers, and the profits of listed mobile value-added service providers fell sharply in 2006.9
With regard to critical areas, in April 2001, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Culture and the State Administration for Industry and Commerce jointly convened a national video conference to plan and launch the special clean-up and rectification work of Internet cafes, combining clean-up and rectification with reinforcing management and regulating and restricting Internet cafes as the case may be.10 In January 2007, the Ministry of Public Security, the Ministry of Industry and Information Technology, the Ministry of Culture, and
7 China’s three ministries and commissions today crack down on illegal text messages on mobile phones against five acts. http://www.chinanews.com/news/2005/2005-11-01/8/645569.shtml.
8 Special rectification and standardization of mobile information service charges and charging behaviors. http://www.gov.cn/ztzl/315/content_549953.htm.
9 Memorabilia of Internet Development in China in 2006. http://www.cac.gov.cn/2014-02/24/c_126182771.htm.
10 Four departments and bureaus jointly clean up the Internet cafes. http://www.lawyers.org.cn/info/ef0d2d2d75044fc69650c90e194e9753.
the General Administration of Press and Publication released the Notice on Regulating the Operation Order of Online Games and Prohibiting the Use of Online Game Gambling, indicating that it would take three months from the date of publication to organize and launch nationwide special work to regulate the operation order of online games and prohibit gambling by taking advantage of online games and severely crack down upon gambling activities that take advantage of online games and endanger the healthy development of the online game industry. As far as content security is concerned, in July 2004, the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security jointly released the Notice on Carrying out Special Actions to Combat Obscene and Pornographic Websites in Accordance with the Law, clearly stating that special campaigns to combat obscene and pornographic websites would be carried out nationwide from mid-July to October 1, 2004.
2.3 The Initial Overall Coordination Model (2008–2013)
To carry out the requirements of deepening the reform of the administrative system raised by the 17th National Congress of the Communist Party of China, intensify institutional integration, explore the enforcement of a super ministry system with organically unified functions, and perfect the coordination mechanism between departments, in March 2008, the super ministry reform (SMR) was initiated. Under the guiding ideology of integrating IT application with industrialization, the State Council Informatization Office and the Ministry of Industry and Information Technology were abolished, and the Ministry of Industry and Information Technology was set up. The responsibilities of the former Ministry of Industry and Information Technology and the State Council Informatization Office were integrated into the Ministry of Industry and Information Technology.
In May 2011, the State Council listed the State Council Press and Publicity Office to set up the State Internet Information Office, chiefly responsible for implementing the principles and policies of network information dissemination and advancing the legal system construction of network information dissemination; guiding, coordinating and urging relevant departments to reinforce the management of network information content; and investigating and dealing with illegal websites in accordance with the law. The opening of the State Internet Information Office announced the establishment of the highest authority in the field of network information management in China. After the State Internet Information Office was set up, it was centrally and uniformly responsible for conducting examination, approval and daily supervision of network news business and other related businesses and guiding relevant departments to make business layout plans in network culture fields such as network games, network audio-visual and network publishing.11 To a certain extent, this
11 The State Internet Information Office was established. http://www.scio.gov.cn/zhzc/8/5/Document/1335496/1335496.htm.
alleviated the situation of unclear division of labor and chaotic ownership caused by over ten ministries and commissions, such as the State Council Information Office, the Ministry of Industry and Information Technology, the Ministry of Culture, the General Administration of Press and Publication, and the State Administration of Radio, Film, and Television responsible for the examination and approval of Internet websites, the management of projects and the management of content. Until this time, the Internet supervision system initially coordinated by the State Internet Information Office, the Ministry of Industry and Information Technology and the Ministry of Public Security basically took shape: the State Internet Information Office was in charge of network information content and responsible for coordinating other departments to manage network information content; the Ministry of Industry and Information Technology was responsible for the management of the Internet industry; and the Ministry of Public Security was responsible for preventing and fighting illegal and criminal activities on the Internet. What calls for special attention is that the Internet supervision system at this stage changed from a parallel structure in the past to a three-dimensional structure. The State Internet Information Office was not merely responsible for coordinating the content management departments but also for coordinating the competent departments of the industry and the public security management departments in the overall leading position in the whole supervision system, with a view to forming joint forces of supervision to the greatest extent.12 At this stage, the establishment of the Ministry of Industry and Information Technology and the State Internet Information Office made China’s cybersecurity supervision system approach perfection. 
After the two departments were set up, they actively carried out administrative law enforcement or special campaigns to reinforce comprehensive governance in the Internet domain. In January 2009, the State Council Information Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Culture, the General Administration for Industry and Commerce, the General Administration of Radio, Film and Television and the General Administration of Press and Publication and seven other ministries and commissions planned a one-month national campaign to rectify the vulgarity of the Internet. Statistically, as of February, 1,575 illegal websites and 148 obscene pornographic blogs had been closed in the special campaign to rectify the vulgarity of the Internet.13 In December 2009, the International Communication Office, CCCPC, the National “Anti-Pornography and Anti-illegal Affairs” Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Culture, the State-owned Assets Supervision and Administration Commission of the State Council, the State Administration for Industry and Commerce, the State Administration of Radio, Film, and Television, General Administration of Press and Publication and nine other ministries and commissions jointly launched a nationwide special campaign to thoroughly rectify obscene pornography and vulgar information on the
12 Wang Rong. Twenty years of Internet supervision in China. http://www.tisi.org/4944.
13 The national special campaign devoted greater efforts to rectify the vulgarity of the Internet. http://www.gov.cn/jrzg/2009-02/03/content_1220653.htm.
Internet and mobile media.14 In February 2012, as the State Internet Information Office was established, this special campaign was carried out and promoted in depth throughout the country under the leadership of the State Internet Information Office, with the continuing participation of the National “Anti-Pornography and Anti-illegal Affairs” Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Culture, the State-owned Assets Supervision and Administration Commission of the State Council, the State Administration for Industry and Commerce, the State Administration of Radio, Film, and Television and the General Administration of Press and Publication. In July 2013, the State Internet Information Office, in conjunction with the National “Anti-Pornography and Anti-illegal Affairs” Office, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Culture, the State Administration of Press, Publication, Radio, Film and Television, the State Administration for Industry and Commerce, the Youth League Central Committee, the All-China Women’s Federation and other departments, organized a special campaign to clean up the summer network environment, closed 274 illegal websites, 181 website columns and channels, and imposed penalties on over 300 websites.
2.4 The Strengthened Overall Coordination Model in the New Period (2014–2021)
Although the State Internet Information Office alleviated the situation of multiaperture cross-management of China’s network supervision to a certain extent, facing the vigorous development of Internet technology and application, China’s network management system was still confronted with serious problems of overlapping management, cross-functions, different powers and responsibilities and low efficiency. Moreover, as the attributes of Internet media grew stronger, online media management and industrial management were far behind the development and changes of the situation. Especially in the face of the vigorous growth of users of social networks and instant messaging tools, such as Weike and WeChat, which are characterized by fast dissemination, enormous influence, extensive coverage and strong social mobilization capability, how to reinforce the legal construction of the network and public opinion guidance to ensure the order of network information dissemination, national security and social stability became a realistic outstanding problem facing China. In 2013, the Third Plenary Session of the Eighteenth Central Committee decided to point out that network and information security involve national security and social stability and are new comprehensive challenges facing China. The Plenary Session proposed following the guidelines of positive use, scientific development, legal management and security guarantees, reinforcing the management of the network in accordance with the law, perfecting the leadership
14 Memorabilia of Internet Development in China in 2009. http://www.cac.gov.cn/2014-02/24/c_126182794.htm.
system of Internet management, integrating the functions of relevant institutions, and forming a joint effort of Internet management from technology to content and from daily security to crime prevention to ensure the correct use and security of the network. To carry out the spirit of the Third Plenary Session of the 18th CPC Central Committee, in 2014, the Central Committee set up a Leading Group for Cybersecurity and Informatization, under which the State Internet Information Office was responsible for the overall coordination of cybersecurity and informatization and formally confirmed the content security supervision and law enforcement functions of the State Internet Information Office. This is the third superinstitution newly established by the central government beyond the existing structure since the Third Plenary Session of the 18th CPC Central Committee, following the Central Leading Group for Comprehensively Deepening Reform and the Council of State Security of the People’s Republic of China. The Central Leading Group for Cybersecurity and Informatization is headed by China’s top leaders, and the Premier of the State Council and the Politburo Standing Committee in charge of ideological work were deputy heads. The Leading Group possesses high specifications, enormous strength and far-sighted vision and could take into account the three security strategic plans of national defense and military, the State Council system and ideology. It guides China’s development strategy toward a cyber superpower in a more powerful and authoritative way, embodying the will of China’s highest level to comprehensively deepen reform and consolidate top-level design, and expressing the determination of guaranteeing cybersecurity, safeguarding national interests and boosting information development. 
Along with the establishment of the Office of the Central Cyberspace Affairs Commission, the leading system of informatization and cybersecurity in China has been upgraded from the direct responsibility of the State Council to the central level in the early days and has been raised to an unprecedented new height after adjustment and weakening.15 The overlapping management system of Internet governance for many years has been integrated to a considerable extent.
The Cybersecurity Law, which was officially enforced in 2017, further confirmed a network supervision mechanism combining unified management and cooperative labor division. There is not merely a unified authority structure for overall planning, coordination and supervision, that is, the national network information department takes charge of the overall planning and coordination of cybersecurity and related supervision and management, but a specific management structure based on the needs of rational division of labor, existing power allocation and stratification, that is, the competent telecommunications department of the State Council, the public security department and other relevant organs take charge of cybersecurity protection and supervision and management within their respective responsibilities in accordance with the provisions of this law, relevant laws and administrative regulations.16
15 Wang Rong. Twenty years of Internet supervision in China. http://www.tisi.org/4944.
16 Weiqiu [3].
After the Office of the Central Cyberspace Affairs Commission was established, the division of responsibilities among departments was further adjusted. In 2015, the Notice of the State Commission Office for Public Sector Reform on the Adjustment of Responsibilities and Institutions of the Ministry of Industry and Information Technology adjusted the division of responsibilities of the Ministry of Industry and Information Technology and assigned the responsibilities of informatization promotion and network information security coordination to the Office of the Central Leading Group for Cybersecurity and Informatization. In the same year, the General Office of the State Council released the Notice on Printing and Distributing the Promotion Plan of Three-network Integration (Guo Ban Fa [2015] No. 65), which classified the cybersecurity responsibilities of various departments in the form of three-network integration. The Notice required:
(1) the Publicity Department of the Communist Party of China, the Cyberspace Administration of China, the State Administration of Press, Publication, Radio, Film and Television and the Ministry of Public Security shall be responsible for improving the network information security and cultural security management system, emphatically reinforcing the management of current political news information, strictly regulating the interview-editing-broadcasting-publishing management of network information contents, and ultimately building a clear cyberspace;
(2) the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Security, the State-owned Assets Supervision and Administration Commission, the State Administration of Press, Publication, Radio, Film and Television, the Cyberspace Administration of China shall optimize the coordination mechanism for network information security and cultural security in accordance with the principles of territorial management and the ideas of “who is in charge shall be responsible, who conducts operation shall assume liability, who approves shall supervise, and who runs the network shall manage”;
(3) the Development and Reform Commission, the Ministry of Science and Technology, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Security, the Ministry of Finance, the State Administration of Press, Publication, Radio, Film and Television and the Cyberspace Administration of China shall be responsible for perfecting the national network information security infrastructure and enhancing the capability to discover potential dangers, monitor, warn and deal with emergencies;
(4) the Publicity Department of the Communist Party of China, the Ministry of Science and Technology, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Security, the State Administration of Press, Publication, Radio, Film and Television and the Cyberspace Administration of China shall be responsible for reinforcing daily monitoring, guaranteeing prompt discovery of new situations and new problems in security, taking measures to properly deal with these problems, and reporting major cybersecurity incidents in a timely, objective and accurate manner.
The cooperation and coordination mechanism between departments was improved to a further extent. In June 2015, to effectively form a joint force against new crimes on the Internet, the State Council approved the establishment of an interministerial joint conference mechanism for fighting new crimes on telecommunications networks led by the Ministry of Public Security and attended by 22 departments,
including the Ministry of Industry and Information Technology, the People’s Bank of China, the Supreme People’s Court and the Supreme People’s Procuratorate. The interministerial joint conference mechanism brought pseudobase stations into the special governance scope. All member units worked together to crack down upon and govern telecommunications crimes, forming a working mechanism of multisectoral cooperation and linkage, and the work efficiency continued to improve.17 In 2017, the report of the 19th National Congress of the Communist Party of China once again mentioned the strategy of building China into a national power in cyberspace and proposed firmly grasping the leadership of ideological work, reinforcing the construction of Internet content and establishing a comprehensive network governance system. Meanwhile, it was made clear to deepen the reform of institutions and administrative systems. On this basis, in 2018, the National People’s Congress approved the institutional reform plan of the State Council and made numerous adjustments in terms of network supervision institutions and division of responsibilities: (1) the Central Leading Group for Cybersecurity and Informatization was changed into the Office of the Central Cyberspace Affairs Commission. The management of the National Computer Network and Information Security Management Center shifted from the Ministry of Industry and Information Technology to the Office of the Central Cyberspace Affairs Commission. (2) In terms of network content supervision, first, the National Radio and Television Administration as a direct agency of the State Council was set up on the basis of radio and television management responsibilities of the State Administration of Press, Publication, Radio, Film and Television, and the State Administration of Press, Publication, Radio, Film and Television would no longer be retained. 
After the reform, the main responsibilities of the newly built National Radio and Television Administration were to carry out the Party’s publicity principles and policies, draw up and supervise the enforcement of policies and measures for radio and television management, make overall plans, guide and coordinate the development of radio and television undertakings and industries, facilitate the reform of institutional mechanisms in the field of radio and television, supervise and examine the content and quality of radio and television and network audio-visual programs, be responsible for the import, recording and management of radio and television programs, coordinate and facilitate the work of going global in the field of radio and television, integrate the responsibilities of the Publicity Department of the Communist Party of China and the State Administration of Press, Publication, Radio, Film and Television. After adjustment, the Publicity Department of the Communist Party of China managed the press and publication work in a unified way. The Publicity Department of the Communist Party of China was listed as the National Press and Publication Administration (National Copyright Administration). The Publicity Department of the Communist Party of China shall manage the film work in a unified way, transfer the film management responsibilities of the State Administration of Press, Publication, Radio, Film and Television to the
17 The Ministry of Industry and Information Technology took multiple measures to comprehensively control telecommunication network frauds. http://www.cac.gov.cn/2018-09/12/c_1123418987.htm.
Publicity Department of the Communist Party of China. The Publicity Department of the Communist Party of China was listed as the China Film Administration to the outside world. At this stage, guided by the overall national security concept, special campaigns in the field of comprehensive governance of China’s network society were in full swing. In regard to the supervision of the telecom network market, in November 2016, the Ministry of Industry and Information Technology released the Notice on Launching the Special Action of Basic Internet Management, clearly stating that from the date of issuance to July 31, 2017, the special campaign of basic Internet management would be launched throughout the country, and the basic management of the Internet, such as website filing, IP addresses and domain names, would continue to be intensified. In January 2017, the Ministry of Industry and Information Technology released the Notice on Clearing and Regulating the Internet Network Access Service Market, clearly stating that from that date until March 31, 2018, the Internet network access service market would be cleaned and regulated nationwide. The cleaning and regulation work aimed to investigate and deal with illegal activities such as unlicensed operation, out-of-scope operation, subletting layer by layer in Internet data center (IDC) business, Internet access service (ISP) business and content distribution network (CDN) business market in accordance with the law, and reinforce the management of business license and access resources. In May 2017, the State Administration for Industry and Commerce, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and other departments released the 2017 Special Action Plan for Internet Market Supervision and decided to jointly launch the 2017 special action for internet market supervision from May to November. 
In this special campaign, infringement and counterfeiting, false propaganda, false and illegal advertising, and false shopping and speculation were taken as the work priorities to be cracked down.
With respect to ecological governance of network information content, in 2016, the Cyberspace Administration of China took the lead in cooperating with relevant ministries and commissions to launch the “Qinglang” series of special campaigns. The governance scope covered all platforms and all links, such as portals, search engines, website navigation, Weibo and WeChat, mobile clients, cloud disks, recruitment websites, and travel websites. The governance contents included all types of illegal words, pictures, audio, and video information.18 In February 2016, the Cyberspace Administration of China and relevant departments launched the special rectification work of recruiting websites for serious violations and dishonesty nationwide; in May, special treatment of website navigation websites was carried out throughout the country. In January 2017, the State Internet Information Office issued a notice requesting the Internet information offices of all provinces, autonomous regions and municipalities directly under the Central Government to officially start
18 In 2016, the Cyberspace Administration of China took the lead in launching the “Qinglang” series of special campaigns, pointing to the network ills and forming continuous shock. http://www.cac.gov.cn/2016-11/25/c_1119991081.htm.
the filing of Internet application stores from January 16; in the same month, the Cyberspace Administration of China and relevant departments launched a one-month special rectification campaign for the click baits; in March, the National “Anti-Pornography and Anti-illegal Affairs” Office made arrangements, and from March to November, special campaigns such as “Jingwang 2017”, “Humiao 2017” and “Qiufeng 2017” were organized nationwide. Specifically, the “Jingwang 2017” special campaign focused on four areas: live webcast platforms, Weibo, WeChat and news clients, pop-up advertisements and online literature works, severely cracking down on the production and dissemination of obscene pornographic information and urging Internet enterprises to fulfill their primary responsibilities.19
In the fight against cybercrimes, in November 2015, to carry out the spirit of the first meeting of the Inter-Ministerial Joint Conference of the State Council on Combating and Governing New Types of Telecommunication Network Crimes, the Inter-Ministerial Joint Conference decided to launch a nationwide special campaign to crack down on new-type telecommunication network crimes for half a year from November 1, 2015, and the special campaign against new-type telecommunication network crimes entered a new stage. 
In May 2016, the Ministry of Public Security convened a video conference on law enforcement inspection of public security organs for network security in 2016 and planned nationwide to launch a three-month law enforcement inspection for network security.20 In July 2016, the Ministry of Public Security and the State Internet Information Office initiated the working mechanism for joint handling of online fraud reports; guided by the strategy of cybersecurity “big data” of public security organs and connecting the online fraud-related reports found and received by all member units to the working mechanism, the police promptly conducted investigation of suspected online fraud crime clues, shut down fraudulent websites aw well as accounts, and cleaned up online fraud information.21 In 2016 and 2017, the Ministry of Public Security continuously planned special campaigns to crack down upon the crime of infringing citizens’ personal information on the Internet. In the special campaign of 2016, national public security organs investigated 1886 cases of infringing citizens’ personal information and arrested 4261 criminal suspects, including 391 insiders and 98 hackers in banking, education, industry and commerce, telecommunications, express delivery, securities, e-commerce websites and other industries; a total of 828 hacker crimes such as denial of service attacks and illegal intrusion into control websites were investigated, and 1747 criminal suspects were arrested.22 19
The National “Anti-Pornography and Anti-illegal” Office planned the special campaigns of “Jingwang 2017”, “Humiao 2017” and “Qiufeng 2017”. http://www.cac.gov.cn/2017-03/22/c_1120672221.htm?407333g6uu.
20 The Ministry of Public Security convened a video teleconference on cybersecurity law enforcement inspection in 2016. http://www.jsdjbh.gov.cn/zuixin/658.htm.
21 The Ministry of Public Security and the State Internet Information Office initiated the joint disposal working mechanism of online fraud reports. http://www.cac.gov.cn/2016-07/08/c_1119189864.htm.
22 The Ministry of Public Security convened a planning meeting on special campaign to crack down upon the crimes of hacker attack, destruction and infringement of citizens’ personal information on
2 40 Years of China’s Regulatory Development in Cybersecurity
In the financial sector, in April 2016, the General Office of the State Council released the Implementation Plan for the Special Rectification of Internet Financial Risks and decided to build a long-term supervision mechanism, concentrate on rectifying the main risk areas of Internet finance, and effectively rectify various types of illegal activities. In the same month, the China Insurance Regulatory Commission, the Office of the Central Leading Group for Maintenance and Stability Work, the Ministry of Public Security, the Cyberspace Administration of China and other departments jointly released the Implementation Plan for Special Rectification of Internet Insurance Risks. Based on the special rectification work of Internet financial risks, the requirements for the rectification work of Internet insurance were further clarified. On June 1, 2017, the Cybersecurity Law was officially enforced. The Cybersecurity Law has established a cybersecurity supervision system where the Cyberspace Administration of China is responsible for coordinating, and multiple government authorities are responsible for cybersecurity supervision and management within their respective remits, making the subsequent administrative law enforcement and special campaigns more comprehensive and targeted. In the meantime, the Cybersecurity Law has confirmed a series of security obligations for network operators and gives certain legal responsibilities to individual citizens in terms of information content and personal information protection so that regulatory authorities may dispose of the illegal acts of citizens and network operators through the administrative responsibilities prescribed in the Cybersecurity Law and curb the illegal and criminal actions of the network from the source and purify the cyberspace as a result. 
Since July 2017, China’s regulatory authorities have planned a number of special campaigns relating to personal information protection, the governance of information contents, map information management, etc. In July, to ensure the effective enforcement of the relevant requirements of personal information protection in the Cybersecurity Law, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the National Standards jointly convened the Personal Information Protection Promotion Action and the Meeting for the Formation of the Expert Working Group and initiated special work on privacy clauses, giving top priority to reviewing the privacy clauses of ten online products and services such as WeChat and Taobao.23 In the same month, the Cyberspace Administration of China issued a notice requesting national Internet live broadcast service enterprises to register with local Internet information offices on July 15th. In August, the National “Anti-Pornography and Anti-illegal Affairs” Office, in conjunction with the departments of publicity, network information, industrial information and public security, launched a nationwide campaign to rectify
the Internet, Chen Zhimin delivered a speech and Li Wei presided over it. https://www.mps.gov.cn/n2253534/n2253535/c5657414/content.html.
23 The Office of the Central Cyberspace Affairs Commission and other four ministries jointly launch special work on privacy clauses. http://www.cac.gov.cn/2017-08/02/c_1121421829.htm.
2.4 The Strengthened Overall Coordination Model in the New Period …
vulgar pornographic information on the Internet.24 In the same month, the Ministry of Land and Resources and the National Surveying and Mapping Geographic Information Bureau, in conjunction with the Office of the Central Leading Group for Cybersecurity and Informatization, the Ministry of Public Security, the Government Information and Government Affairs Open Office of the General Office of the State Council and other departments, planned a nationwide special campaign to investigate and rectify defective maps.25 Dynamic and static maps posted on Internet websites, Weibo, maps posted on WeChat public accounts and maps posted on government websites became one of the key objects to be inspected. Moreover, on August 25th, the Standing Committee of the National People’s Congress initiated the law enforcement inspection of the Cybersecurity Law and the decision to consolidate the protection of network information, intended to understand the enforcement of the Cybersecurity Law and the Decision of the Standing Committee of the NPC on Strengthening the Protection of Network Information (one law and one decision).26 With respect to the supervision of the telecom network market, from May to November 2016, the State Administration for Industry and Commerce launched the special campaign of network market supervision in 2016. In December 2016, the interministerial joint conference system for Internet market supervision was set up. The joint conference, led by the State Administration for Industry and Commerce, was made up of 10 departments, including the State Administration for Industry and Commerce, the Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Commerce and the Cyberspace Administration of China, aiming to further reinforce the supervision of the online market. 
Since 2017, all member units of the interministerial joint conference system for Internet market supervision have carried out special campaigns for online market supervision for three consecutive years, emphasizing standardizing the qualifications of e-commerce subjects, cracking down on outstanding problems in the online market, and fulfilling the responsibilities of e-commerce operators. Since 2018, the special campaign for online market supervision has been further named the “net sword action”. In February 2018, the State Administration for Industry and Commerce released the Notice on Special Rectification of Internet Advertising and decided to launch the special rectification of Internet advertising for 10 months, emphasizing Internet media such as portals, search engines, e-commerce platforms, mobile clients and new media accounts with enormous social influence and extensive coverage.
24 The special rectification campaign for vulgar pornographic information on the Internet achieved marked results, with over 20 million pieces of harmful information disposed of and deleted. http://www.cac.gov.cn/2017-09/28/c_1121740474.htm.
25 The special campaign of “defective maps” for full coverage investigation and rectification was initiated, and a video conference was held. http://www.gov.cn/xinwen/2017-08/30/content_5221467.htm.
26 The Standing Committee of the National People’s Congress initiated the Cybersecurity Law and intensified the law enforcement inspection of network information protection decisions. http://www.npc.gov.cn/npc/c184/201708/09b63a5b067f4311aab1ba881bdb7ea7.shtml.
Apart from that, in December 2017, the Publicity Department of the Communist Party of China, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Education, the Ministry of Public Security, the Ministry of Culture, the State Administration for Industry and Commerce and the State Administration of Press, Publication, Radio, Film and Television jointly released the Opinions on Strictly Regulating the Administration of Online Game Market and planned centralized rectification actions against illegal activities and undesirable contents of online games.27 In 2018 and 2019, the Ministry of Industry and Information Technology organized and carried out cybersecurity (administrative) inspections in the telecommunications and Internet industries for two consecutive years, chiefly inspecting the enforcement of laws and regulations such as the Cybersecurity Law, the Measures for the Administration of Communication Network Security Protection, and the Telecommunications and Internet Personal User Data Protection Regulations. In July 2018, the Ministry of Industry and Information Technology, the Supreme People’s Court, the Supreme People’s Procuratorate and other departments released the Comprehensive Rectification of Harassment Calls Special Action Plan and decided to organize a one-and-a-half-year special campaign for comprehensive rectification of harassing calls nationwide. In March 2019, the State Administration for Market Regulation released the Notice of the State Administration for Market Regulation on Deepening the Rectification of Internet Advertisements and decided to continue to deepen the rectification of Internet advertisements and maintain the high-pressure situation of rectifying false and illegal Internet advertisements. 
In May 2019, the Ministry of Industry and Information Technology and the State-owned Assets Supervision and Administration Commission decided to launch the 2019 special campaign28 to further increase speed and reduce fees of broadband networks and support high-quality economic growth, in a bid to further enhance the supply capacity of broadband networks. In June 2019, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation decided to jointly launch nationwide special rectification work on Internet website security, clean up websites not filed or whose filing information was inaccurate, severely crack down upon illegal and criminal acts against websites, and punish and publicly expose illegal websites.29 In June 2019, the Ministry of Industry and Information Technology released the Special Action Plan for Improving Network 27
The Publicity Department of the Communist Party of China and other ministries and commissions jointly issued opinions to strictly regulate the online game market management. http://www.scio.gov.cn/37236/37377/Document/1614431/1614431.htm.
28 Notice of the Ministry of Industry and Information Technology and the State-owned Assets Supervision and Administration Commission on Launching the 2019 Special Action of Deepening the Speed-up and Cost-reduction of Broadband Networks to Support High-quality Economic Development. http://www.miit.gov.cn/n1146285/n1146352/n3054355/n3057674/n4704636/c6871121/content.html.
29 The Office of the Central Cyberspace Affairs Commission and other four ministries and commissions jointly launched special rectification of Internet website security, which would punish and expose illegal websites. http://www.cac.gov.cn/2019-06/11/c_1124609262.htm.
Data Security Protection Ability in Telecom and the Internet Industry and decided to launch a one-year special campaign for enhancing network data security protection capability in the industry to expedite the construction of a comprehensive network data security assurance system in the industry. In March 2020, the General Office of the Ministry of Industry and Information Technology released the Special Action Plan for Digital Empowerment of Small and Medium-sized Enterprises, proposing 13 crucial tasks and 4 promotion measures to help small and medium-sized enterprises prevent and control the epidemic situation, resume work and resume production and sustainable development. In the same month, the Ministry of Industry and Information Technology issued a notice, deciding to launch a special campaign to improve the end-to-end connectivity of IPv6 in 2020. In July 2020, the Ministry of Industry and Information Technology issued a notice, deciding to further launch a special rectification campaign against the infringement of users’ rights and interests by APP. The national APP technology testing platform management system would be put into operation before the end of August 2020, and testing work covering 400,000 mainstream apps would be accomplished prior to December 10. The ecological governance of network information content was chiefly led by the State Internet Information Office. 
In February 2018, the State Internet Information Office, in conjunction with the Ministry of Public Security and the Ministry of Culture, conducted a comprehensive investigation and clean-up of all sorts of actors keen on speculation and suspected of violating laws and regulations, and comprehensively rectified them in accordance with the law, to curb the vulgarity of some platforms, institutions and individuals hyping celebrity gossip privacy and entertainment gossips; in October, the Cyberspace Administration of China, together with relevant departments, launched a special campaign for centralized clean-up and rectification of we media accounts; in December, the Cyberspace Administration of China, in conjunction with relevant departments, conducted a special campaign to clean up and rectify illegal and vulgar mobile applications (APPs). In January 2019, the Cyberspace Administration of China launched a six-month special campaign on network ecological governance to rectify 12 sorts of negative harmful information in key links such as all types of websites, mobile clients, forum posts, instant messaging tools and live broadcast platforms30 ; in April, the special rectification work of instant messaging tools was launched against disseminating illegal information, anonymous registration, fraud and deception, and providing platform services for offline illegal activities; in June, a special rectification campaign against network audio was launched in conjunction with relevant departments. The outbreak of the COVID-19 epidemic in 2020 rendered the ecological governance of information content more urgent. To crack down upon illegal activities such as rumor spreading and malicious marketing during the epidemic, in April, the Cyberspace Administration of China organized a two-month special rectification action for malicious online marketing accounts across the country; in May, the Cyberspace Administration of China launched an eight-month 2020 “Qinglang” 30
12 kinds of harmful network information, such as pornography, violence, rumors and spoofing, were “blocked”. http://m.xinhuanet.com/culture/2019-01/04/c_1123945305.htm.
special campaign nationwide; in June, the Cyberspace Administration of China and the National “Anti-Pornography and Anti-illegal Affairs” Office, in conjunction with the Supreme People’s Court, the Ministry of Industry and Information Technology, the Ministry of Public Security, the Ministry of Culture and Tourism, the State Administration for Market Regulation, the State Administration of Radio, Film, and Television and other departments, launched a six-month special rectification and standardized management action for the Webcast industry; in July, the National “Anti-Pornography and Anti-illegal Affairs” Office indicated that it would focus on rectifying illegal activities such as false news and paid news in we media in the near future. In the same month, the Cyberspace Administration of China decided to launch centralized rectification nationwide on July 24, 2020, in view of the prominent problem that the commercial website platform and we media disturbed the order of network communication. During the rectification, a number of websites and platforms with serious problems would be severely investigated and punished in accordance with the laws and regulations, and a number of accounts with strong violations would be banned. Online courses and distance education sprung up during the epidemic and became the main methods of school education. However, some online course platforms spread illegal and harmful information, such as pornography and online gambling, or carried out malicious marketing, which seriously influenced the normal teaching order and the physical and mental health of users, including minors. In this respect, in July, the Cyberspace Administration of China decided to launch a two-month “Qinglang” special rectification of the summer network environment for minors, emphatically rectifying the ecological problems of the online learning sections of the learning and education websites and other websites. 
In August, the Office of the Central Cyberspace Affairs Commission and the Ministry of Education decided to launch a two-month special rectification of the online course platform for minors. In the same month, the public security unit decided to plan and develop a four-month special rectification of the network environment of online classes in primary and secondary schools. Simultaneously, the Ministry of Education, National Press and Publication Administration, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly released the Notice of the Ministry of Education and Other Six Departments on Jointly Launching the Special Governance Action for Minors’ Network Environment, emphatically rectifying bad online social behaviors, vulgar and harmful information and indulging in online games that influence the healthy growth of minors. As far as personal information protection is concerned, in January 2019, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation jointly released the Announcement on Special Governance of the Illegal Collection and Use of Personal Information by Apps, and decided to organize the special governance of Apps’ illegal collection and use of personal information nationwide; in April, the General Office of the State Administration for Market Regulation decided to plan nationwide special law enforcement actions to protect
consumption and crack down upon violations of consumers’ personal information, laying emphasis on cracking down on violations of consumers’ personal information31 ; in November, the Ministry of Industry and Information Technology launched a special rectification campaign against infringing upon users’ rights and interests in the field of information and communication, emphatically rectifying problems such as illegal collection of users’ personal information, illegal use of users’ personal information, and unreasonable request for users’ rights. In April 2020, the Ministry of Public Security and the Office of the Central Cyberspace Affairs Commission took the lead in establishing a long-term mechanism to crack down upon crimes against citizens’ personal information and data security. Members of the mechanism include the Ministry of Public Security, the Office of the Central Cyberspace Affairs Commission, the Supreme People’s Court, the Supreme People’s Procuratorate, the Ministry of Industry and Information Technology and the State Administration for Market Regulation. In July, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation decided to jointly launch the governance of apps’ illegal collection and use of personal information in 2020. At this stage, all provinces and cities set out to launch special rectification actions at the local level based on their own information technology capabilities and economic growth level. In December 2019, the Tianjin Municipal Committee of Cybersecurity and Information Technology released the Tianjin Special Action Plan for Improving Data Security Assurance Capability and decided to launch a two-year special campaign for enhancing data security assurance capability in Tianjin. 
In March 2020, the Tianjin Municipal Party Committee Cyberspace Administration released the Notice on Special Rectification against Apps’ Illegal Collection and Use of Personal Information Related to Epidemic Prevention and Control and decided to launch special rectification against apps’ illegal collection and use of personal information associated with epidemic prevention and control in the whole city from then on. For cracking down on network crimes, since the formal enforcement of the Cybersecurity Law, the public security organs of China have increasingly entered a new stage of law enforcement, which severely cracks down upon all types of network crimes and purifies cyberspace focused on cleaning and protecting the net. Since the launch of the special campaign, marked results have been achieved in cracking down on cybercrimes such as infringing citizens’ personal information, hacking, online gambling, and online obscenity and pornography; through the double-investigation mechanism for one case, the double-investigation of network illegal and criminal cases were carried out, and the supervision and inspection of the performance of the legal cybersecurity obligations of network operators involved were initiated simultaneously, in a bid to consolidate the security obligations of network operators and curb the occurrence of illegal and criminal network acts from the source. In addition, in 31
The State Administration for Market Regulation launched the action of “protecting consumption” to crack down upon the illegal acts of infringing consumers’ personal information. http://www.samr.gov.cn/zfjcj/sjdt/gzdt/201904/t20190410_292709.html.
June 2019, the Ministry of Public Security laid out public security organs across the country to launch the “Operation Cloud Sword” campaign to crack down upon new cybercrimes such as telecommunication fraud, fraud of unfreezing national assets, and routine loans. In April 2020, the Ministry of Public Security once again arranged the “Cloud Sword-2020” operation with the main contents of cracking down on telecommunication network fraud crimes, fraud crimes of unfreezing national assets and tackling the accumulated murder cases.32 In August 2020, publicity and education activities on fighting cross-border gambling jointly organized by the Propaganda and Education Bureau of the Publicity Department of the Communist Party of China, the Communication Bureau of the Office of the Central Cyberspace Affairs Commission and the Press and Publicity Bureau of the Ministry of Public Security were officially launched, and theme posters and short videos of fighting cross-border gambling were collected simultaneously. The action aimed to integrate social publicity and education on fighting cross-border gambling into all sorts of legal publicity positions and energetically create a strong atmosphere for fighting cross-border gambling in the whole society. Generally, at this stage, new technologies such as the Internet of Things, cloud computing, big data, artificial intelligence, and machine deep learning drove the evolution of cyberspace from the Internet of Everyone to the Internet of Everything. The real world and the digital world are increasingly converging and merging, and the global governance system is confronted with profound changes. Some new features are also presented in China’s network supervision: First, in the innovation of ways of supervision, along with the deepening integration of information technology such as “Internet+” and government governance, smart governance, as a new model of government governance, is boosting a new round of government transformation. 
New technologies, such as big data, cloud computing and artificial intelligence, are playing an increasingly prominent role in enhancing the government’s governance capacity, constantly facilitating the modernization of national governance capacity. With respect to law enforcement, with a view to further enhance supervision and guidance to Internet enterprises and build a platform for rapid communication and disposal between public security organs and Internet enterprises, in August 2015, the Ministry of Public Security laid out the national public security network Cybersecurity Department to launch in-depth construction of cybersecurity police rooms of websites, and set up cybersecurity police rooms on key websites and Internet enterprises, in a bid to grasp the suspected illegal crimes on the Internet at the first time, and serve and guide websites to improve their security management and prevention capabilities.33 On the judicial side, with a view to deepen the comprehensive supporting reform of the judicial system, Internet courts in Hangzhou, Beijing and Guangzhou have been set up successively, constantly raising 32
The Ministry of Public Security laid out public security organs across the country to launch the “Operation Cloud Sword—2020” campaign. http://www.gov.cn/xinwen/2020-04/15/content_5502475.htm.
33 Public security reform: the capability of social governance of networks continues to improve. http://www.sohu.com/a/126178710_114731.
the level of judicial work in the Internet era, rendering powerful judicial services and guarantees for maintaining cybersecurity, resolving network-related disputes, protecting people’s rights and interests, and boosting the deep integration of the Internet and the economy and society.34

Moreover, with respect to changing the regulatory philosophy, for a long time, the government has taken an absolutely dominant position in the field of network supervision in China; however, since the establishment of the Internet Society of China in 2001, the industry self-discipline mechanism has also begun to develop. However, for quite some time, the participation of industries and individuals is still quite restricted. Fueled by the development of information technology, the problems arising from government leads have become increasingly prominent, and China has begun to probe new ideas of network regulation. In 2016, in the collective study of the Political Bureau of the Central Committee with the theme of “a cyber superpower”, General Secretary Xi Jinping stated that “thanks to the development of the Internet, particularly the mobile Internet, the social governance model is changing from one-way management to two-way interaction, from offline to online and offline integration, from pure government supervision to attaching more importance to social collaborative governance”. The report of the 19th National Congress of the Communist Party of China once again stressed that it is essential to reinforce the construction of a social governance system, perfect the social governance system of party committee leadership, government responsibility, social coordination, public participation and legal guarantees, and shape a social governance pattern of co-construction, co-governance and sharing in the new era.
In the new context, China has increasingly moved from “network supervision” to “network governance”, and the participation of enterprises, industries and individual citizens in the field of network governance has been further enhanced. The governance mechanism with a network operator as the first person in charge of cybersecurity established by the Cybersecurity Law and the emergence of many industry organizations, such as the China Internet Development Foundation, Cybersecurity Association of China and China Federation of Network Social Organizations after the establishment of the Office of the Central Cyberspace Affairs Commission, all reflect the gradual establishment of a social governance mechanism in the domain of cybersecurity in China.
References
1. Z. Hanhua, S. Miaohan, Sixty years of construction of informatization laws and regulations in China. E-government (10) (2009)
2. C. Haitao, From Supervision to Governance: Research on Internet Content Governance in China. (Wuhan University, Wuhan, 2013)
34 Hangzhou Internet Court is listed for operation. https://www.chinacourt.org/article/detail/2017/08/id/2969215.shtm.
3. L. Weiqiu, The foundation, framework and limitation of China’s cybersecurity control—additionally, on the justification basis and application limits of China’s Cybersecurity Law. J. Jinan (Philosophy and Social Sciences) (5) (2017)
Chapter 3
40 Years of China’s Judicial Reforms in Cybersecurity
Since accessing the Internet in 1994, China has fulfilled the vigorous development of information technology and the increasing expansion of cyberspace by making full use of late-mover advantages. As of June 30, 2019, the number of cyber citizens in China increased from 620,000 in 1997 to 854 million, and the number of mobile cyber citizens was as high as 847 million, ranking first throughout the world. Specifically, there were 824 million online instant messaging users, 759 million online video users, 639 million online shopping users, and 509 million online government service users. The traffic consumption of mobile Internet access was up to 55.39 billion GB.1 Moreover, China is provided with the most extensive Internet infrastructure across the region, a group of Internet enterprises with world-class influence, and the latest network patterns and technical practices keeping pace with the world. The network can be said to have become one of China’s proud core assets in the information age.2 Furthermore, real society and cyberspace are increasingly correlated and integrated. Civil, administrative and criminal issues in real society are expanding to cyberspace, and new legal issues continuously appear. In the civil field, traditional civil torts such as privacy and reputation gradually extend to cyberspace, and the protection of personal information, data rights and virtual property rights and interests has become a new issue in the civil field. In the administrative field, as network law enforcement is promoted, particularly the enforcement of the Cybersecurity Law and related supporting norms, administrative litigation around cybersecurity law enforcement has appeared successively. In the criminal field, cybercrimes are increasing gradually, traditional criminal crimes are stepping up their migration to the Internet, and new illegal and criminal activities carried out by or against the Internet are constantly breeding and spreading. 
In this context, China has pushed forward the legalization of cyberspace security governance by constantly perfecting civil, administrative and criminal laws and regulations such as the General Principles of Civil Law, the Tort Liability Law of the People’s Republic of China (hereinafter 1 2
The data comes from the report of Internet Justice in Chinese Courts. Zhigang [1].
© Huazhong University of Science and Technology Press 2022 D. Huang, Research on the Rule of Law of China’s Cybersecurity, https://doi.org/10.1007/978-981-16-8356-5_3
referred to as the Tort Liability Law), the Law on Penalties for Administration of Public Security, Cybersecurity Law and Criminal Law. Thanks to the continuous development of the cybersecurity situation and related legislation, China’s Internet justice is constantly being explored and perfected. The courts and procuratorates at all levels in China have interpreted and carried out the requirements of cybersecurity legislation through judicial practice, responded to the practical needs of cybersecurity governance, and constantly pushed forward the development and maturity of the cybersecurity legislation system, adjudication rules and theoretical research. Especially since the 18th National Congress of the Communist Party of China, China has continuously driven the reform of civil and administrative litigation systems and advanced the reform of the trial-centered criminal procedure system. Meanwhile, relying on the scale advantages, application advantages and industrial advantages of Internet development, it has brought the development of Internet justice into the overall planning of deepening the reform of judicial systems and pushed forward it in different areas, step by step and at different levels. Taking the opportunity to set up Internet courts, by trying new types of Internet cases and continuously refining and summarizing the judicial rules, the judicial trial mechanism and judicial rules in the domain of cybersecurity have been increasingly perfected, and the judicial governance capacity of the Internet has been comprehensively enhanced.
3.1 Criminalization and Punishment of Cybercrimes

Before the 1990s, there were only a few computer crimes in China, such as attacking computers on the Internet and forging documents by means of computers. After China’s access to the Internet, the number of cybercrimes increased rapidly. In 1998, only over 100 cases of computer crimes were filed for investigation, which increased to over 400 cases in 1999, surged to over 2700 cases in 2000, and rose to over 4500 cases in 2001.3 Based on the Special Report on Judicial Big Data: Characteristics and Trends of Cybercrime issued by the Supreme People’s Court in 2019, from 2016 to 2018, more than 48,000 cybercrime cases were concluded at first instance by courts at all levels in China, and the number of cases increased at an annual rate of more than 30%. It is not difficult to determine from this series of data that with the rapid development of networks and information technology in China, the trend of a high incidence of cybercrimes has become increasingly prominent.

Viewing the development of cybercrimes in China, the evolution of cybercrime is highly compatible with the intergenerational differences of the network, and it also constantly advances the development of criminal legislation in China. At the beginning of China’s access to the Internet, the Internet chiefly served as an information medium, which was a useful substitute and supplement for the traditional means of information dissemination, and its instrumental attributes were highlighted. Large
3 In recent years, China’s computer crimes have increased sharply, and five new trends deserve attention. http://news.sohu.com/49/14/news148471449.shtml.
portal websites and computer information systems not only carried the main interests of the network but were the direct targets of crimes.4 At this stage, the behaviors of invading computer information systems and undermining system security appeared successively, such as the Jiangmin Bomb Incident5 in 1997 and the CIH Virus Incident6 in 1998. To protect the security of computer information systems, Articles 285 and 286 of the Criminal Law of 1997 specify the crime of illegally invading computer information systems and the crime of destroying computer information systems, respectively. The former punishes illegal intrusion into computer information systems in three crucial areas, while the latter combats the sabotage of computer information systems. In the Internet 2.0 era, individuals are no longer passive recipients of information but direct participants in all types of network activities. The social attributes of the Internet are constantly highlighted. The trend of traditional crime networking is accumulative, and all sorts of crimes committed by using the network emerge. In this context, the Decision of the Standing Committee of the National People’s Congress on Guarding Internet Security was introduced in 2000, explicitly including the acts of spreading obscene information, spreading rumors, slandering,
4 Zhigang [1].
5 Review of the incident: on June 24, 1997, Mr. Wang Jiangmin published KV300 L++ version on his homepage, which contained logical bombs. The hard disk data of users who executed KV300 L++ on the simulation disk (pirated disk) made by MK300V4 were destroyed, the hard disk was locked, and the soft hard disk could not be initiated. On July 23, five domestic anti-virus software companies jointly condemned the KV300 L++ version of anti-virus software released by Jiangmin Company for containing “logical bombs”, “destroying computers under certain conditions, the result of which was similar to the destructive effect of some computer viruses …”. Jiangmin Company explained that Jiangmin Company did not place any destructive programs in KV300. The “logical bomb” mentioned by the five manufacturers was essentially the “logic lock” compiled by Jiangmin Company in the software to combat the increasingly rampant acts of pirated software. First, this “logic lock” cannot cause any influence and loss to any users who buy genuine products, and besides, it can only temporarily lock the machine for some pirated users. Jiangmin Company specially stressed that the “logic lock” in KV300 has nothing to do with viruses, because viruses are destructive programs characterized by self-replication and infectivity, while the “logic lock” will not do any harm to user data. On September 8, 1997, the public security department determined that the KV300 L++ incident violated Article 23 of the Computer Security Protection Regulations, which is an act of intentionally inputting harmful data and endangering the security of computer information systems and imposed a fine of 3000 yuan on it. For details, please refer to https://baike.baidu.com/item/JiangminBomb/10083352?fr=aladdin, last visit on April 19th, 2020.
6 CIH virus is a file virus, which is extremely lethal. The main manifestation is that after the virus attacks, all the data of hard disk will be lost, and even the original contents of BIOS on the motherboard will be completely destroyed, and the host cannot be initiated. Only by replacing the BIOS or rewriting the original version of the program into the BIOS fixed on the motherboard can the problem be solved. On June 2, 1998, the first CIH virus was discovered in Taiwan Province, China; on June 6, 1998, V1.2 of CIH virus was discovered; on June 12, 1998, V1.3 of CIH virus was discovered; on June 30, 1998, V1.4 of CIH virus was discovered; on July 26, 1998, CIH virus spread extensively in the United States; on August 26, 1998, the CIH virus spread globally, and the Ministry of Public Security issued an urgent notice, and Xinhua News Agency and XINWEN LIANBO followed up the report; on April 26, 1999, V1.2 of CIH virus broke out on a large scale for the first time, and over 60 million computers throughout the world were damaged to varying degrees. For details, please refer to: https://baike.baidu.com/item/CIHvirus/221488?fr=aladdin, last visit on April 19th, 2020.
stealing, swindling and stealing state secrets through the Internet into the regulation scope of Criminal Law. Resulting from the further development of networks and information technology, cybercrimes are becoming increasingly frequent and industrialized, criminal behaviors are becoming increasingly diverse and concealed, and new cases such as telecommunication network fraud and infringement of citizens’ personal information are emerging successively. China’s criminal regulation concept is also developing constantly, and the scope and intensity of the crackdown upon cybercrimes are constantly intensified. The Amendment (VII) to the Criminal Law of the People’s Republic of China in 2009 adds the crime of illegally accessing data stored on a computer information system, the crime of illegally controlling computer information systems, and the crime of selling and illegally offering citizens’ personal information. In addition, the crime of providing computer programs or tools to intrude into or illegally control a computer system is criminalized as a principal offender and added as an independent crime. After that, faced with the new situations of cybercrime means, types, hazards and frequency and the new problems in fighting cybercrime, the Amendment (IX) to the Criminal Law of the People’s Republic of China in 2015 took cybercrime legislation as its significant content and made many supplements and improvements to the contents associated with Internet security in Criminal Law. The crime of failing to fulfil the security management obligations for an information network, the crime of illegally using an information network, the crime of aiding information network criminal activities, the crime of fabricating and deliberately spreading false information were added, and the crime of selling and illegally providing citizens’ personal information was integrated and revised into the crime of infringing citizens’ personal information. 
In the context of continuous development of cybercrime situation-relevant legislation, the criminal justice system for cybercrime is constantly being explored and perfected. Especially in the face of the vigorous development and alienation of cybercrimes, criminal justice is more active and adaptable. Some of these breakthroughs play a significant part in making up for the shortcomings of criminal legislation and responding to the practical needs of fighting cybercrimes. Upon promulgation of the Criminal Law in 1997, China successively issued 14 judicial interpretations directly associated with cybercrimes, including provisions specifically aimed at cybercrimes and provisions associated with cybercrimes. The content covers fabricating and deliberately spreading false terrorist information through the Internet, cyber-attacks, cyber viruses, cyber pornography, cyber gambling, cyber slander, cyber fraud, and infringement of citizens’ personal information. Specific provisions for cybercrimes include the Interpretation (I) of the Supreme People’s Court and the Supreme People’s Procuratorate of Several Issues on the Specific Application of Law in the Handling of Criminal Cases about Producing, Reproducing, Publishing, Selling and Disseminating Pornographic Electronic Information via the Internet, Mobile Communication Terminals and Sound Message Stations (Fa Shi [2004] No. 11) issued in 2004, the Interpretation (II) of the Supreme People’s Court and the Supreme People’s Procuratorate of Several Issues on the Specific Application of Law in the Handling of Criminal Cases about Producing,
Reproducing, Publishing, Selling and Disseminating Pornographic Electronic Information via the Internet, Mobile Communication Terminals and Sound Message Stations (Fa Shi [2010] No. 3) issued in 2010, the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate concerning Applicable Law in handling Criminal Cases of Endangering Computer Information System Security (Fa Shi [2011] No. 19) issued in 2011, the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Laws in the Trial of Criminal Cases of Fabricating and Deliberately Disseminating False Terrorist Information (Fa Shi [2013] No. 24) issued in 2013, the Interpretation of Several Issues Concerning the Application of Laws in Handling Criminal Cases such as Defamation through Information Network (Fa Shi [2013] No. 21) issued in 2013, the Provisions of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Collection, Extraction, Examination and Judgment of Electronic Data in Handling Criminal Cases (Fa Fa [2016] No. 22), the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Laws in Handling Criminal Cases of Infringing Citizens’ Personal Information (Fa Shi [2017] No. 10) issued in 2017, and the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases Involving Crimes of Illegally Using an Information Network or Providing Aid for Criminal Activities in Relation to Information Network (Fa Shi [2019] No. 15) issued in 2019; the regulations concerning cybercrimes include the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate about Some Issues Concerning the Application of Law in Gambling Criminal Cases (Fa Shi [2005] No. 
3) issued in 2005, the Regulations of the Supreme People’s Procuratorate on the Filing Standards for Cases of Malpractice Infringement Crimes (Gao Jian Fa Shi Zi [2006] No. 2) issued in 2006, the Interpretation of the Supreme People’s Court on Several Issues Concerning the Specific Application of Laws in the Trial of Criminal Cases Endangering Military Communications (Fa Shi [2007] No. 13) issued in 2007, the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Specific Application of Laws in Handling Criminal Cases of Fraud (Fa Shi [2011] No. 7) issued in 2011, the Interpretation of the Supreme People’s Court on Several Issues Concerning the Specific Application of Laws in the Trial of Criminal Cases of Damaging Radio and Television Facilities (Fa Shi [2011] No. 13) issued in 2011, and the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Laws in Handling Criminal Cases of Environmental Pollution (Fa Shi [2016] No. 29) issued in 2016. The above judicial interpretations respond to the problems in judicial practice and clearly refine the judicial rules under the framework of Criminal Law. Taking the Interpretation concerning Applicable Law in handling Criminal Cases of Endangering Computer Information System Security issued in 2011 as an example, this judicial interpretation was worked out in the context of the rapid rise of cybercrimes in China and the fact that China has become one of the main victims of hacker
attacks throughout the world.7 Viewing from judicial practice, the crimes of making and spreading computer viruses and invading and attacking computer information systems are growing in a rapid manner, the crimes of illegally accessing the data of computer information systems and illegally controlling computer information systems are increasing daily, and the phenomena of making and selling hacker tools and reselling the data of computer information systems and control rights are highly prominent. These illegal and criminal acts cause serious social harm, which not only undermines the operational security and information security of computer information systems but also endangers national security and social public interests and infringes on the legitimate rights and interests of citizens, legal persons and other institutions. It admits no delay to crack down upon crimes endangering the security of computer information systems and consolidates the protection of information cybersecurity. However, in the course of handling cases endangering the security of computer information systems, there exist some problems in the application of the relevant provisions of the Criminal Law, which await further clarification. I. The related terms prescribed in Articles 285 and 286 of the Criminal Law, such as “programs and tools specially used to invade and illegally control computer information systems” and “destructive programs such as computer viruses”, await further definition. II. There is a lack of specific identification standards for the provisions on the “serious circumstances”, “particularly serious circumstances”, “serious consequences” and “particularly serious consequences” involved in Articles 285 and 286 of the Criminal Law, and the handling departments hold different understandings, rendering it difficult to operate. III. 
Judicial practice departments have highlighted such difficult problems as how to define the exact nature of reselling the data of computer information systems and control rights, how to handle the crimes of endangering the security of computer information systems in the name or form of units, and how to deal with the joint crimes of endangering the security of computer information systems. For instance, in 2007, a case of “Nimaya” occurred. In October 2006, Li Jun, a 25-year-old native of Xinzhou District in Wuhan, Hubei Province, wrote a virus with the capability of automatic transmission, automatic infection of hard disks and powerful destructive ability. It can not only infect exe, com, pif, src, html, asp and other files in the system but also suspend a large number of antivirus software processes and delete files with the extension gho. All executable .exe files in the infected user systems were changed to look like pandas burning three joss sticks. At the beginning of January 2007, it ravaged the network and infected millions of computers almost
7 The white paper entitled “the State of Internet in China” released in 2010 suggests that in 2009, there are over 1 million IP addresses of computers controlled overseas in China; the number of websites tampered with by hackers is up to 42,000; 18 million computers are infected by the “Conficker” worm network virus every month, making up approximately 30% of the infected hosts throughout the world. Based on the information furnished by the Ministry of Public Security, in the past five years, the number of viruses spread on the Internet in China has increased by over 80% every year on average, 8 out of every 10 computers on the Internet have been controlled by hackers, and the number of cases associated with hacker attacks and sabotage accepted by public security organs has increased by 110% every year on average.
overnight. In mid-January, Li Jun, the producer of the virus, was arrested by Hubei police, which became the first major case of computer virus production in China.8 The emergence of the case of “Nimaya” is a significant manifestation that China is facing an increasing number of cybersecurity threats, which exert a wider influence. It also exposes the legislative deficiencies of China in dealing with such cases. At that time, there were only a few provisions on computer crimes in our laws. For instance, Article 286 of the Criminal Law stipulates: whosoever, in violation of state regulations, deletes, modifies, adds to, or interferes with the functions of computer information systems and thereby makes it impossible for computer information systems to operate normally, is to be sentenced to five years or less of imprisonment or detention where the consequences are grave and to more than five years of imprisonment when the consequences are especially grave; whosoever, in violation of state regulations, conducts operations that delete, modify, or add to the data stored, processed, or transmitted by computer information systems and by their application programs where the consequences are serious is to be levied fines in accordance with the provisions of the preceding paragraph; whosoever deliberately devises and spreads computer viruses and other destructive programs that affect the normal operations of computer information systems where the consequences are serious is to be levied fines in accordance with the provisions in the first paragraph. In addition, it is stipulated in Article 29 of the Law on Penalties for Administration of Public Security. 
There are no clear and quantitative provisions for “serious consequences” and “particularly serious consequences” in Article 286 of the Criminal Law. As a result, in practice, those committing network violations are often only detained for less than five days in accordance with the relevant provisions of the Law on Penalties for Administration of Public Security; if the circumstances are serious, they shall be detained for more than five days and less than ten days. The punishment is distinctly too light to serve as a warning or exert a deterrent effect. To conform to the needs of judicial practice and clarify the legal application of crimes endangering the security of computer information systems, the judicial interpretation does the following: I. It clarifies the standards of conviction and sentencing for crimes of illegally accessing the data of computer information systems, illegally controlling computer information systems, providing computer programs or tools to intrude into or illegally control a computer system and damaging a computer information system; II. It stipulates that criminal responsibility shall be investigated for the crime of disguising or concealing the proceeds of crime for the acts of transferring, purchasing, selling on behalf, or disguising or concealing the data or the control rights of computer information systems by other means, while knowing that they are the data gained by the crime of illegally accessing the data of computer information systems or the control rights of computer information systems gained by the crime of illegally controlling computer information systems; III. It clarifies that the criminal responsibility of the directly responsible person in charge and other directly responsible personnel shall be investigated for the crime of endangering the security
8 “Nimaya” burned out legal loopholes. http://news.sina.com.cn/o/2007-03-01/033411309767s.shtml.
of computer information systems in the name or form of the unit; IV. It prescribes the specific circumstances and handling principles of joint crimes endangering the security of computer information systems; V. it makes clear the specific scope, identification procedures and other questions of “computer information systems in the areas of state affairs, national defense construction and cutting-edge science and technology”, “programs and tools specially used to invade and illegally control computer information systems” and “destructive programs such as computer viruses”; VI. It defines the connotation and extension of related terms such as “computer information system”, “computer system”, “identity authentication information” and “economic loss”. To address the difficult problems in judicial practice, some judicial interpretations make an extensive interpretation of the existing legislation and expand the applicability of relevant provisions of Criminal Law in the information age, providing preliminary experience for the perfection of subsequent legislation. For instance, Article 7 of the Interpretation concerning Applicable Law in handling Criminal Cases of Endangering Computer Information System Security goes beyond the scope of “criminal proceeds” in the traditional sense and interprets illegally acquired data and illegally acquired control rights as “criminal proceeds”. 
This judicial interpretation embodies the actual situation of society in the information age, which not only addresses new issues in judicial practice under the framework of legal systems but also pushes forward the development of theories of Criminal Law over time, offering a judicial basis for the innovation and development of related theories of criminal objects.9 Apart from that, triggered by the fast spread of traditional crimes by virtue of network factors, the network sets out to present itself in the image of crime “tools”.10 Property-related cybercrimes such as selling pornographic articles, telecommunication fraud, online gambling and stealing online game equipment have seen explosive growth. In this context, numerous applicable problems of traditional criminal legislation are increasingly highlighted. To address the above problems, the Interpretation (I) of the Supreme People’s Court and the Supreme People’s Procuratorate of Several Issues on the Specific Application of Law in the Handling of Criminal Cases about Producing, Reproducing, Publishing, Selling and Disseminating Pornographic Electronic Information via the Internet, Mobile Communication Terminals and Sound Message Stations was promulgated in 2004, making clear decisions on the application of the “crime of making, copying, publishing, selling and spreading pornographic articles for profit” and the “crime of spreading pornographic articles in cyberspace”. In 2005, the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate about Some Issues Concerning the Application of Law in Gambling Criminal Cases extended the identification of “casino” in “gambling crime” to “gambling sites”. To cope with the new situation in which cybercrime is increasingly moving toward industrialization and to respond to the realistic demand of fighting the interest chain of cybercrime, the Interpretation (II) of the Supreme People’s Court and the Supreme
9 Zhigang and Shangcong [2].
10 Yong [3].
People’s Procuratorate of Several Issues on the Specific Application of Law in the Handling of Criminal Cases about Producing, Reproducing, Publishing, Selling and Disseminating Pornographic Electronic Information via the Internet, Mobile Communication Terminals and Sound Message Stations issued by “the Supreme People’s Court and the Supreme People’s Procuratorate” in 2010 made a breakthrough exploration. Article 3 of the Interpretation stipulates: “if a group established principally for spreading pornographic electronic information through the Internet has more than 30 members or causes serious consequences, the founder, manager and main disseminator shall be convicted and punished for the crime of spreading obscene articles in accordance with the provisions of the first paragraph of Article 364 of the Criminal Law”. Article 4 stipulates: “if, for the purpose of making profits, the website creator and the directly responsible manager allow or let others publish on the websites or webpages owned and managed by themselves while knowing that they produce, copy, publish, sell and disseminate pornographic electronic information, in any of the following circumstances, in accordance with the provisions of the first paragraph of Article 363 of the Criminal Law, they shall be convicted and punished for the crime of spreading pornographic articles for profit: (I) The quantity or amount reaches more than five times the standards specified in Items (I) to (VI) of Paragraph 2 of Article 1; (II) the quantity or amount reaches more than two times of the two or more standards in Item (I) to Item (VI) of Paragraph 2 of Article 1, respectively; (III) causing serious consequences”. 
Article 5 stipulates: “if the website creator and the manager directly in charge allow or let others publish on the websites or webpages owned and managed by themselves while knowing that they produce, copy, publish, sell and disseminate obscene electronic information, in any of the following circumstances, in accordance with the provisions of the first paragraph of Article 364 of the Criminal Law, they shall be convicted and punished for the crime of spreading pornographic articles”; in this judicial interpretation, the specific provider of network technical support for spreading pornographic articles is directly evaluated and sanctioned as the perpetrator of the crime of spreading pornographic articles and the crime of spreading pornographic articles for profit, no longer considering whether the perpetrator who actually spreads obscene articles in the network constitutes a crime or not, and no longer qualitatively evaluating the related technical assistance behaviors as accomplice behavior. That is, in the crime of spreading pornographic articles and the crime of spreading pornographic articles for profit, the principal offenderization of helping behavior has been achieved.11 The Interpretation (II) of the Supreme People’s Court and the Supreme People’s Procuratorate of Several Issues on the Specific Application of Law in the Handling of Criminal Cases about Producing, Reproducing, Publishing, Selling and Disseminating Pornographic Electronic Information via the Internet, Mobile Communication Terminals and Sound Message Stations has solved the problem of punishment for acts of aiding cybercrimes in China by means of interpretive theory, opened up a regulatory model for “helping behavior criminalization”, and gathered judicial experience for the subsequent legislation of making helping behavior offenders for
11 Zhigang [1].
cybercrimes. The crime of helping information network crime added in Article 29 of the Amendment (IX) to the Criminal Law of the People’s Republic of China in 2015 is the legislative response to this judicial exploration. Apart from judicial interpretation, in the course of the development of network criminal justice, China has concluded a series of typical and instructive cybersecurity criminal cases. On the procuratorate’s side, through the case of Ye Yuanxing and Zhang Jianqiu offering programs to invade computer information systems and Tan Fangmei illegally acquiring the data of computer information systems, the judicial authorities have made it clear that programs that have evidence to prove that they are single-purpose and may only be used to invade computer information systems may be legally recognized as programs specially used to invade computer information systems. The telecommunication network fraud cases of Zhang Kaimin and 52 other people offer guiding significance for the identification of overseas evidence and electronic data. In Guiding Case No. 104 of the Supreme People’s Court, “Li Sen, He Limin, Zhang Fengbo, etc. destroyed computer information systems”, the court determined that the environmental quality monitoring system belongs to a computer information system. Blocking environmental quality monitoring and sampling equipment with cotton yarn and other items, interfering with sampling and causing serious distortion of monitoring data, constitutes the crime of destroying computer information systems. In Guiding Case No. 
105 of the Supreme People’s Court, in which “Hong Xiaoqiang, Hong Liwo, Hong Qingquan and Li Zhirong opened casinos”, the court determined that for the purpose of making profits, inviting gamblers to join the WeChat group, gambling based on the lottery results of quiz game websites, setting gambling rules, using the WeChat group for control and management, and continuously organizing online gambling activities for a period of time are all considered opening casinos in gambling crimes. In Guiding Case No. 103 of the Supreme People’s Court, in which “Xu Qiang destroyed computer information systems”, the court held that the machinery remote monitoring system of enterprises belongs to a computer information system. Destroying the function of the mechanical remote monitoring system of an enterprise in violation of state regulations, resulting in the computer information system not working normally and causing serious consequences shall constitute the crime of destroying a computer information system. In Guiding Case No. 102 of the Supreme People’s Court, in which “Fu Xuanhao and Huang Zichao destroyed computer information systems”, the court determined that the “DNS hijacking” behavior of forcing network users to visit designated websites by technical means such as modifying router and browser settings, locking the homepage or popping up new windows belongs to the destruction of computer information system, and if causing serious consequences, it shall constitute the crime of destroying a computer information system. For “DNS hijacking”, it shall be determined whether it causes “serious consequences” or “particularly serious consequences” based on the number of computer information systems that cannot operate normally, the time when related computer information systems cannot operate normally, and the losses or impacts caused. 
With the continuous emergence of new types of crimes, cybercrime has the characteristics of diversified subjects, high concealment of means, fine division of labor
chain and scattered crime areas. In particular, online fraudsters often commit crimes through network contact between upstream and downstream. Judicial trials have also made positive responses. For instance, in the “case12 of Tan Zhangyu, Zhang Yuan, etc. illegally using information network”, the court judgment refined the relevant standards for the crime of illegally using information network. In this case, the court made it clear that while knowing that the “false-shopping advertisement” of the preceding player is engaged in fraud, the actor still provides advertising promotion assistance for his crime for the purpose of illegal profit, and causing serious circumstances, it shall constitute the crime of illegally using information network. The emergence of some typical and influential judicial cases has also pushed forward the promulgation of relevant judicial interpretations and boosted the development of relevant law enforcement actions. Taking the “Xu Yuyu case” in 2016 as an example, in August 2016, Xu Yuyu, a Shandong girl who was about to enter the university, received a call from the swindler claiming to be a staff member of the Education Bureau asking her to receive a scholarship, and based on the other party’s instructions, she deposited 9900 yuan of cash in her card for paying university tuition fees into the other party’s designated account, which was then taken away by the swindler. After learning that she was cheated, Xu Yuyu was so sad that she died of cardiac arrest. In this case, the criminals bought the list of college entrance examination students in Shandong from the Internet
12 Basic facts of the case: in December 2016, with a view to gaining illegal benefits, defendants Tan Zhangyu and Zhang Yuan jointly agreed to use registered companies to conduct business of sending fraudulent information of “false shopping for commissions” to others on the Internet. Tan Zhangyu and Zhang Yuan hired defendant Qin Qiufa to send fraudulent information. Zhang Yuan was chiefly responsible for purchasing “AliWangwang” accounts, software, renting computer servers, etc. Qin Qiufa was chiefly responsible for soliciting and contacting the preceding players who needed to send fraudulent information, receiving the fees paid by the preceding player and leading others to send fraudulent information. The three defendants, knowing that there is no fact of false shopping, and it was a fraudulent behavior of the preceding player, still helped to publish fraudulent information, everyone added the QQ numbers in the above information, and Tan Zhangyu and Zhang Yuan got 30–70 yuan remuneration from the preceding player. The victims Wang *jia and Hong * were cheated out of 31,000 yuan and 30,049 yuan, respectively, after agreeing to add the QQ numbers in the fraud information sent by Tan Zhangyu and Zhang Yuan. In this case, the court held that the defendants Tan Zhangyu, Zhang Yuan and Qin Qiufa sent fraudulent information of false shopping through the information network for the purpose of illegal profit, and their behavior essentially belonged to the preparation of fraud crime, which constituted the crime of illegally using information network. Despite that there was no evidence in this case to prove that the fraudsters had been brought to justice and prosecuted criminally, many victims had appeared, which did not influence the establishment of the crime of illegally using information network. Tan Zhangyu, Zhang Yuan and Qin Qiufa jointly committed intentional crime, which is deemed as a joint crime. 
In the joint crime, Tan Zhangyu and Zhang Yuan played a major role, both of which were principal offenders; Qin Qiufa played a secondary role and was an accessory, so he shall be given a lighter punishment in accordance with the law. The first-instance judgment of Shuyang County People’s Court of Jiangsu Province and the second-instance judgment of Suqian Intermediate People’s Court sentenced the defendant Zhang Yuan to two years and one month in prison for illegally using information networks and fined RMB100,000; the defendant Tan Zhangyu was sentenced to one year and ten months in prison and fined RMB80,000; the defendant Qin Qiufa was sentenced to one year and four months in prison and fined RMB30,000.
128
3 40 Years of China’s Judicial Reforms in Cybersecurity
ahead of time, and then they made fraudulent phone calls based on the information. As they accurately grasped the information of the victims, the victims were firmly convinced. To curb the rampant crime of infringing citizens’ personal information, the public security unit carried out nationwide special rectification activities to crack down upon illegal crimes against citizens’ personal information and simultaneously pushed forward the rapid promulgation of the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Laws in Handling Criminal Cases of Infringing Citizens’ Personal Information.
3.2 Reinforcement of Civil Relief
The protection of cybersecurity by civil justice in China is closely associated with the development of the Internet industry. In the early stage of China’s network development, the degree of civilian use of networks was comparatively low, there were few related civil disputes, and the role of civil justice in guaranteeing cybersecurity was not distinct. Owing to the development of networks and information technology, cases of infringing on the civil rights and interests of natural persons and legal persons by using the network continue to rise rapidly, and new civil disputes such as the protection of personal information, data rights and interests and virtual property rights and interests constantly develop. In this context, the role of civil justice in safeguarding cybersecurity has been continuously demonstrated, providing relatively clear and predictable rules and guidelines for safeguarding individual rights and interests, maintaining market competition order and enhancing social innovation vitality, and offering strong support for comprehensively facilitating the construction of a cyber superpower.
1. Privacy and personal information protection field
From our country’s protection of privacy attached to “reputation right” in the early stage to the adoption of “privacy interest” and then “privacy right”, judicature has played an indispensable role. It can be said that China’s privacy protection system can be finally established and perfected in legislation only when it has been continuously pushed forward under the leadership of judicial decisions. Owing to the legislative limitations of China’s Constitution and General Principles of Civil Law, before the Tort Liability Law was adopted in 2009, the privacy right did not become a legislative right. Thus, the constitutional privacy right and the civil law privacy right did not exist in the sense of positive law, although the privacy right in the sense of dogmatics is mentioned in the theory of Constitution and Civil Law.¹³ At this stage, the protection of privacy rights chiefly emphasized the judicial documents issued by the Supreme People’s Court as well as related judicial practices. In 1988, the Supreme People’s Court’s Opinions on Several Issues Concerning the Implementation of the General Principles of the Civil Law of the People’s Republic of China (Trial) first mentioned the concept of “privacy” and initially set the indirect protection mode of privacy protection by “reputation right”.¹⁴ In 1993, the Answers of the Supreme People’s Court on Certain Issues Concerning the Trial of Cases Involving Rights to Reputation reconfirmed the inclusion of privacy in the protection of reputation rights and added privacy infringement cases.¹⁵ Along with the prominent invasion of privacy, particularly the privacy protection crisis arising from the vigorous development of networks and informatization, the drawbacks of the original reputation protection mode became more startling. On the one hand, this kind of protection mode attached to the existing rights caused the excessive burden of judicial judgment in the dispute of reputation rights¹⁶; on the other hand, there were numerous differences in behavior composition between invasion of privacy and invasion of reputation itself, and the protection mode of reputation rights could not cover complex privacy infringement cases. Against this background, the Interpretation of the Supreme People’s Court on Certain Issues concerning Determination of Liability for Compensation for Spiritual Damage Arising from Civil Torts in 2001 made a breakthrough provision on the privacy protection mode. Paragraph 2, Article 1 of this Interpretation specifies that “if the actor violates the public interest and social morality and infringes on the privacy or other personality interests of others, and the victim files a lawsuit to the people’s court for compensation for mental damage on the grounds of infringement, the people’s court shall accept it in accordance with the law”. This regulation has changed the previous protection mode of reputation rights, confirmed privacy as an independent personality interest to protect it, and further intensified the legal protection of privacy.
13 Yong [3].
Since then, judicial practice has even protected privacy rights as an independent personality right. For instance, in 2008, in the “case of Wang * v. L Company on the dispute of privacy and reputation”,¹⁷ the court held that “citizens’ personal emotional life problems, including the relationship between men and women, belong to a part of their personal privacy. In normal social life, similar problems are generally only known to relatively specific people within a relatively small scope, and the parties are generally unwilling and will not widely disseminate such information among unspecified public under normal circumstances. Daqi.com set up a special webpage on its website, made investigations and visits, disclosed the true identity of the parties, and linked the webpage with other websites, which expanded the spread range of the incident on the Internet and made the unspecified public know their information. This behavior distinctly violated Wang’s privacy right”. In 2008, the Supreme People’s Court released the Regulations on the Causes of Civil Action, which for the first time took “dispute over privacy right” as a separate cause of action. Along with the continuous advancement of the judiciary, the Tort Liability Law of 2009 formally confirmed the privacy rights in legislation. However, the Tort Liability Law, as a relief law, is not provided with the function of confirmation, and the concept of privacy, the object of protection and the way of infringement have not been clearly defined in legislation. Thus, after the enforcement of the law, the abovementioned matters began to be increasingly clarified in the judiciary. Triggered by the rapid development of science and technology and the rapid dissemination of information, there appear to be many problems with the protection of personal information in real life. Improper diffusion and improper use of personal information has increasingly developed into a social problem that endangers citizens’ civil rights. Especially with the advent of the era of big data, the trend of privacy digitization and data privacy is distinct, and personal information has become a significant content of privacy protection. In comparison with the lag of civil legislation on personal information protection and the debate and hesitation of civil law scholars on whether personal information shall be included in the privacy protection system, China’s judicial circles are increasingly inclined to integrate the information that may point to specific individuals to respond to the needs of privacy and personal information protection in the era of big data. For instance, in the case of a “dispute between Pang * and Beijing Q Information Technology Co., Ltd” and other privacy disputes,¹⁸ the court stated that different countries hold different views on the idea of protecting personal information, thus forming different instances of legislation.
14 Article 140 of the Opinions specifies that publicizing others’ privacy in written or oral forms, fabricating facts to publicly vilify others’ personality, and damaging others’ reputation by insulting or slandering, which causes certain influence, shall be deemed as an act of infringing citizens’ reputation right.
15 Article 7 of the Answers clearly states that anyone who publishes other people’s privacy materials or publicizes others’ privacy in written or oral form without the consent of others, causing damage to others’ reputation, shall be treated as infringing on others’ reputation right.
16 Jianwen and Yue [4].
17 For details, please refer to: Chaoyang District People’s Court of Beijing (2008) Chao Min Chu Zi No. 29276.
Some people attribute personal information to the right of privacy for protection (USA), while others attribute personal information to general personality rights or directly protect them as personal information rights (Germany). Like the differences in foreign countries, China’s legal profession is faced with similar contentions on the protection of personal information; however, professional contention is intended to better serve the practice of rights protection. If we give up the protection of civil rights and interests because professional contention fails to reach a consensus, is it not putting the cart before the horse? Thus, no matter how different the ideas of protecting personal information are, it shall not hinder the specific protection of personal information in individual cases. The court also held that along with the emphasis on the protection of personal information, privacy has been considered to include the content of personal information autonomy; that is, individuals enjoy the right to decide independently whether and how to disclose their whole personal information. This fully embodies that in the era of big data, the cognition and positioning of privacy rights in judicial practice is no longer confined to passive defense functions but modern privacy rights with active utilization of powers and functions. This judgment thought is embodied in the case of “Sun * v. Shanghai Branch of China United Network Communications Corporation Limited for infringing his privacy right” as well as other cases.¹⁹ Furthermore, China’s judiciary has also made active explorations on the distribution of the burden of proof. In the case of “privacy disputes between Pang * and Beijing Q Information Technology Co., Ltd.” as well as other cases, the court held that from the point of view of the cost of collecting evidence such as capital and technology, Pang *, as an ordinary person, simply did not have the capability to prove whether there were vulnerabilities in the internal data information management of China Eastern Airlines and Q Company. Thus, objectively, the law cannot and shall not require Pang * to prove that China Eastern Airlines or Q Company must have leaked his private information. Neither China Eastern Airlines nor Q Company proved that the information leakage involved is attributed to others, hacker attacks, or Pang * himself. On the premise of excluding other possibilities of revealing private information, the court determined that the above two companies were at fault in combination with the evidence in this case. This case pioneered the application of the principle of presumption of fault in privacy infringement, which is extremely exemplary for alleviating the difficulty of proof of privacy infringement in the era of big data. Apart from continuously stimulating the development of the privacy rights system to respond to the needs of privacy protection in different stages, judicial practice is also actively responding to people’s demands for new rights in the vigorous development of information technology. After the European Union initiated the data protection reform in 2012, global privacy and personal data protection developed in leaps and bounds. New rights demands, such as the “right to be forgotten” and the “right to carry data”, have emerged, which has aroused global heated discussion.
18 For details, please refer to Beijing No. 1 Intermediate People’s Court (2017) Jing 01 Min Zhong No. 509.
In 2015, the first judicial precedent of the “right to be forgotten” appeared in China.²⁰ In the case that the concept of the “right to be forgotten” was first introduced into China, the precedent was insufficient and the theoretical accumulation was not enough, the judgment conformed to the path of protecting “atypical personality interests” and established the corresponding judgment criteria, providing refereeing experience for the new disputes over personal information protection rights under the background of big data.
19 For details, please refer to Shanghai Pudong New Area People’s Court (2009) Pu Min Yi (Min) Chu Zi No. 9737.
20 Basic facts of the case: the plaintiff Ren Jiayu sued Baidu Company for deleting the specific personal information associated with his work experience in “Taoshi Education” in the recommended keyword links of Baidu’s “Related Searches”, and thought that the personality interests involved in the personal information were harmful to his good reputation in the industry, which in turn would do damage to his economic interests such as enrollment and employment, and that Baidu Company infringed his name and reputation rights, and advocated that he enjoyed the “right to be forgotten”. The court ruled that there was no right type named the “right to be forgotten” in the current law of China, and the protection of tort liability of civil rights and interests shall be premised on the plaintiff’s legal civil rights or interests to the subject matter of litigation. If the “right to be forgotten” advocated by the plaintiff was to be the object of legal protection, it must meet both the legitimacy of interests and the necessity of protection. In view of the fact that the work experience information involved in the lawsuit was the recent situation of the plaintiff, who was still working in the enterprise management education industry, this information was precisely an integral part of his industry experience and was characterized by direct relevance and timeliness with his current personal industry credit; it was objectively necessary for the public, including the plaintiff’s so-called potential customers or students, to know about Ren Jiayu. The interests of being forgotten advocated by the plaintiff were not legitimate and necessary to be protected by law, and shall not become legitimate legal interests of infringement protection, and the plaintiff’s claim was ultimately rejected. For details, please refer to: Beijing No. 1 Intermediate People’s Court (2015) Yi Zhong Min Zhong Zi No. 09558 Civil Judgment.
2. Anti-unfair competition field
Fueled by the continuous development of Internet technology, the market in the network environment has become increasingly competitive, and traffic and data have therefore been regarded as significant competition targets of business entities in the Internet space. In this context, disputes over improper acquisition and utilization of data and traffic also tend to occur frequently. The full use of the Anti-unfair Competition Law in judicial practice has played a significant role in boosting technological innovation and maintaining competition order.
Traffic hijacking. To compete for network traffic, behaviors such as changing or inducing users to change their browser homepage without authorization through false pop-up windows and threatening pop-up windows appeared, as did taking unjust advantage of traffic in the name of ensuring the security of the computer system. In the appeal case²¹ of unfair competition dispute of Beijing Cheetah Network Science and Technology Co., Ltd., Beijing Cheetah Mobile Technology Co., Ltd., Beijing Jinshan Security Software Co., Ltd. and Shanghai 2345 Network Technology Co., Ltd., Kingsoft Antivirus jointly operated by the first three companies changed the homepage of 2345 website navigation set by the end user into an antivirus website encyclopedia sponsored by Beijing Cheetah Mobile Technology Co., Ltd. through functions such as “garbage cleaning”, “version upgrading” and “browser protection”. 2345 Company sued for unfair competition such as tampering with homepage and hijacking traffic. In the end, the court ascertained that Beijing Cheetah Network Science and Technology Co., Ltd., Beijing Cheetah Mobile Technology Co., Ltd. and Beijing Jinshan Security Software Co., Ltd. did not take essential and reasonable measures to play the normal functions of security software, which exceeded the reasonable limits and intervened in the operation of other software, which not merely violated the principle of good faith and recognized business ethics but violated the principle of equal competition and shall assume legal liability.
Web crawler. The earliest case relating to data competition in the industry in China is the series of cases in which “Dianping.com v. Aibang.com” was heard by the Haidian District People’s Court in 2010. In this case, Dianping.com accused Aibang.com of copying a large number of its website contents (merchant introduction and user comment contents) and successively sued for copyright and unfair competition. Its copyright lawsuit was supported by Haidian District People’s Court and later rejected by the court of second instance, but its cause of action of unfair competition was finally supported by the court. Following the series of cases of Dianping.com v. Aibang.com, cases of unfair competition of data have appeared constantly: Baidu v. 360 for violating robots agreement in Beijing No. 1 Intermediate People’s Court in 2013, Sina v. Maimai for illegally grabbing Weibo user data in Beijing Intellectual Property Court in 2015, and Dianping.com v. Baidu for grabbing user comment information in Shanghai Pudong New Area People’s Court in 2016, Coomix v. Chelaile for breaking encryption measures and improperly crawling APP data in the People’s Court of Nanshan District, Shenzhen in 2017, bbs.icnkr.com v. “58 Tongcheng” for improperly acquiring classified information in the People’s Court of Haidian District, Beijing in 2017, and Taobao v. Meijing heard in Hangzhou Internet Court in 2018.²² Through this series of cases, China’s judicature has confirmed corresponding adjudication rules. For instance, in the case of disputes over unfair competition such as Goome Technology v. Yuanguang Technology, the court ruled that the operator’s behavior of collecting, analyzing, editing and integrating big data resources with commercial value shall be protected by the Anti-unfair Competition Law, and it shall constitute unfair competition if others use the crawler technology to steal big data resources without permission, and use them to operate similar applications, which pushes forward the establishment of fair competition rules in the big data industry.
21 For details, please refer to: (2018) Hu 73 Min Zhong No. 5 Civil Judgment of Shanghai Intellectual Property Court.
3.3 Standardization of Actual Administrative Behavior
Since the promulgation of the Regulations of the People’s Republic of China for Security Protection of Computer Information Systems (hereinafter referred to as the Regulations on the Protection of the Security of Computer Information Systems) in 1994, relevant law enforcement around computer security and cybersecurity has been carried out in China. In recent years, thanks to the establishment and perfection of the Cybersecurity Law and related supporting systems, the relevant law enforcement actions have become more centralized and comprehensive, law enforcement endeavors have been continuously intensified, and administrative litigation around cybersecurity law enforcement has emerged in succession. Searching related administrative litigation cases with the keyword “Cybersecurity Law” in China Judgments Online, the results suggest that the earliest related documents were published in February 2018. As of May 8, 2020, there were 22 relevant legal documents, excluding the remaining 13 with little relevance. The main reasons for prosecution include the following.
1. On whether public security organs have network security law enforcement powers: a case study of the “case of Fuyang “Bujianbusan” Internet Cafe v. Yingdong Branch of Fuyang Public Security Bureau”²³
Basic facts of the case: on October 11, 2017, the police of Xiangyang Road Police Station of Fuyang Public Security Bureau inspected the “Bujianbusan” Internet cafe situated on East Beijing Road, Yingdong District, Fuyang City, and found that the Internet cafe failed to verify the identity information of cyber citizens on computer No. 89 in accordance with the regulations. On November 10, 2017, pursuant to Article 32 (III) of the Regulations on the Administration of Business Sites of Internet Access Services, Fuyang “Bujianbusan” Internet Cafe was given a warning and fined 6000 yuan. The plaintiff, Fuyang “Bujianbusan” Internet Cafe, did not accept the decision and filed an administrative lawsuit, demanding that the penalty decision of Yingdong Branch of Fuyang Public Security Bureau be revoked. A significant reason for the lawsuit filed by the Internet cafe in this case lies in its belief that “the duty scope of public security organs prescribed in the Regulations on the Administration of Business Sites of Internet Access Services is information cybersecurity, public security and fire control, while checking and registering the identity information of Internet consumers belongs to the business activities of Internet cafes, which can only be supervised and administered by the competent department of the industry, that is, the cultural department, completely excluding the supervision and punishment power of public security organs”. In this regard, the Yingdong Division of the Fuyang Public Security Bureau argued that checking and registering identity information is a specific requirement of information network security supervision, an effective means for public security departments to emphatically combat and prevent cybercrimes, and an obligation of Internet cafe operators. In accordance with the laws, regulations and reality, public security departments focus on fighting and preventing cybercrimes, while cultural departments concentrate on preventing minors from entering Internet cafes and protecting their physical and mental health.
22 Xiaojun et al. [5].
23 For details, please refer to: (2018) Wan 12 Xing Zhong No. 140.
Yingdong Division also quoted Article 8 of the Cybersecurity Law, Article 4 of the Regulations on the Administration of Business Sites of Internet Access Services, Article 7 of the People’s Police Law, and Requirements of the General Office of the State Council for Forwarding Opinions of the Ministry of Culture and Other Departments on Special Remediation of Internet Service Business Places such as Internet Cafes, Article 3 of the Notice of the Ministry of Culture, the State Administration for Industry and Commerce, the Ministry of Public Security, the Ministry of Industry and Information Technology, the Ministry of Education and Finance, the State Council Rule of Law Office, the Central Civilization Office and the Youth League Central Committee on Further Deepening the Management of Internet Cafes, to demonstrate its suitability as the subject of law enforcement. The court held that Article 4 of the Regulations on the Administration of Business Sites of Internet Access Services specifies that public security organs shall be responsible for supervising and managing the information cybersecurity, public security and fire security of the business units of Internet service business sites. Article 23 stipulates that business units of Internet service business sites shall check and register ID cards and other valid certificates of Internet consumers and record relevant Internet access information. The registration content and record backup shall be kept for no less than 60 days and shall be furnished when the administrative department of culture and public security organs inquire in accordance with the law. Paragraph (III) of Article 32 specifies that public security organs shall have the authority to punish business units of Internet service business premises that fail to check or register the valid identity documents of Internet consumers or record relevant information on the Internet as required. Accordingly, the Yingdong Division shall have relevant supervision and punishment powers.
2. On whether there is administrative omission in public security organs: a “case of Qiu Ping v. Sipailou Police Station of Jingkou Division of Zhenjiang Public Security Bureau”²⁴
Viewing from the current judicial cases, there were few cases of filing administrative lawsuits on the grounds of administrative omission of public security organs. In the “case of Qiu Ping v. Sipailou Police Station of Jingkou Division of Zhenjiang Public Security Bureau”, the plaintiff Qiu Ping filed a lawsuit on the grounds that the defendant Sipailou Police Station failed to determine the true identity information of netizens who spread their private information on the Internet and administrative omission existed. Basic facts of the case: on November 26, 2017, a person named “Xingxing Wang Yueliang” falsely slandered the plaintiff on the my0511 website, spreading Qiu Ping’s privacy. On December 29th, Qiu Ping reported the case to Sipailou Police Station on the grounds of “spreading others’ privacy”. Later, Qiu Ping filed an administrative lawsuit with the people’s court on the grounds that Sipailou Police Station failed to determine the identity information of “Xingxing Wang Yueliang” and made no decision to deal with it, and there was omission in the investigation of this case. It is ascertained by the court that the defendant Sipailou Police Station investigated and acquired evidence of the case upon receipt of the report and found that the account number of posting the information on my0511 is “Xingxing Wang Yueliang” and investigated and questioned relevant witnesses. On January 18, 2018, the defendant petitioned the Cybersecurity Brigade of Jingkou Public Security to inquire about the account “Xingxing Wang Yueliang” on the my0511 website and verified the true identity of the account. On February 6, 2018, the defendant issued a Notice of Obtaining Evidence to Mengxi Forum (i.e., my0511 website), requesting to gain the identity information of the account “Xingxing Wang Yueliang” on Mengxi Forum. 
On the same day, Chaosu Company issued a presentation of condition to the defendant, stating that “the identity information associated with this account is not found through our inquiry”. On February 27, 2018, the defendant contacted the plaintiff several times without success and then informed the plaintiff’s husband of the investigation and told him that the investigation would be continued. On March 14, 2018, the Cybersecurity Brigade of Jingkou Public Security conducted a remote investigation and evidence collection on the dissemination of the plaintiff’s personal privacy embodied by the plaintiff and issued a presentation of condition to the plaintiff on May 3, 2018, stating that “upon receipt of the application from Sipailou Police Station, our brigade has inquired about the real identity and address of the poster, and through online investigation and inquiry, up to now, the case cannot be implemented for technical reasons”. Furthermore, it was found that on January 28, 2018, the defendant applied to Jingkou Branch of Zhenjiang Public Security Bureau to extend the processing period by 30 days on the grounds of complicated case, which was approved finally. The court held that, in accordance with the Regulations of Public Security Unit on Procedures for Handling Administrative Cases, the time limit for public security units in handling public security cases shall not be more than 60 days at the longest. If there are objective reasons for failing to make an administrative decision within the statutory time limit, it is necessary to explain the situation to the infringed person, continue to investigate and collect evidence and make a decision in a prompt manner in accordance with the law. In this case, after the defendant accepted the plaintiff’s report, owing to the complexity of the case, it went through the approval procedures with the higher public security unit for extending the processing period by 30 days. By inquiring the plaintiff and related witnesses, applying to the Cybersecurity Brigade of Jingkou Public Security for inquiring the real identity and address of the poster, and acquiring the identity information of the poster from Chaosu Company, the defendant failed to figure out the situation of the poster. In the case that the administrative decision could not be made within the statutory time limit, the defendant informed the plaintiff of the investigation of the case through the plaintiff’s husband and said that it would continue to investigate the case. Subsequently, the defendant continued to question the relevant witnesses, investigated and verified the relevant facts, and fulfilled the statutory duty of continuing the investigation; there was no distinct illegality or impropriety in handling cases. The plaintiff’s claim that the defendant did not act in performing its duties lacked evidence and was not supported. The final judgment rejected the plaintiff’s claim.
24 For details, please refer to: (2019) Su 11 Xing Zhong No. 1.
3. On whether there is mistake in the characterization of behavior or the application of law in the punishment of public security organs
The current judicial cases chiefly relate to specific administrative actions such as network real-name registration systems, illegal and harmful information on the network, cybersecurity classified protection, and real-name registration of admission to Internet service sites. Courts at all levels have fully played the judicial trial and supervision functions through a series of administrative litigation cases, such as whether the regulatory authorities possess the relevant network security supervision authority, whether the identification of legal facts and characterization of legal behavior in specific administrative actions are accurate, and whether there is administrative omission, which has played a positive part in enhancing and guaranteeing the legality and standardization of law enforcement actions associated with cybersecurity.
3.4 Innovation of Trial Mechanism
In June 2017, the 36th meeting of the Central Leading Group for Comprehensively Deepening Reform reviewed and approved the Plan for Setting up the Hangzhou
Internet Court. On August 8th of the same year, the Supreme People’s Court explicitly set up the Hangzhou Internet Court specializing in Internet-related cases by relying on the Hangzhou Railway Transport Court. On August 18th, the Hangzhou Internet Court was listed and set up in Hangzhou, Zhejiang Province, becoming the first Internet court in China and even throughout the world. While summarizing the pilot experience of the Hangzhou Internet Court, in August 2018, the Supreme People’s Court issued a notice on the Scheme of Adding the Beijing Internet Court and Guangzhou Internet Court and decided to set up the Beijing Internet Court and Guangzhou Internet Court. In September 2018, the Beijing Internet Court and Guangzhou Internet Court were set up successively. Currently, the three Internet courts are running smoothly, which has made an enormous contribution in the glorious course of China’s judicial reform and network governance innovation. Following the basic idea of “online trials of online cases”, Internet courts, on the one hand, push forward the digitalization of the whole litigation process and probe into the establishment of trial modes and procedural rules suitable for the Internet era; on the other hand, based on the actual needs, they innovate and perfect the judicial rules of Internet-related cases, take advantage of centralized trials, summarize and refine the new characteristics, new laws and new rules of Internet-related disputes, and stimulate the perfection of the legal system of cyberspace governance. 
As a grassroots people’s court for centralized jurisdiction over Internet cases, Internet courts have centralized jurisdiction over eleven types of Internet cases, such as online shopping contract disputes, online service contract disputes, online financial loan contract disputes, petty loan contract disputes, network infringement disputes, network copyright disputes, and administrative disputes arising from administrative actions such as Internet information service management, Internet commodity trading and related service management in their own municipal districts, and they have formed a batch of experiences that can be replicated and promoted in case trials, platform construction, litigation rule-making, technology application and network governance. The establishment of Internet courts in Hangzhou, Guangzhou and Beijing has scored numerous achievements in judicial governance in the Internet domain: (1) realizing the innovative development of the Internet trial system. Based on the pilot situation of the Hangzhou Internet Court, centralized jurisdiction over Internet cases and the perfection of supporting mechanisms are favorable to raising the level of specialized trials and stimulating the development of the local Internet industry; (2) enhancing the standardized governance of Internet spatial order. 
Through the fair trial of more new Internet cases, it is beneficial to sum up and study new situations and new problems in the development of Internet industry in a prompt manner, guide and standardize the network behaviors with fair judgment, consolidate the protection of network virtual property, intellectual property rights, business secrets of enterprises and citizens’ personal information, facilitate the construction of cyberspace security system, enhance the comprehensive management capacity of cyberspace, promote the comprehensive enhancement of vital data resources and personal information security protection capability, and create a fair and honest network environment with users’ confidence; (3) promoting the Chinese experience of global governance of
Internet space. The addition and perfection of Internet courts is a significant attempt for China to actively engage in global cyberspace governance and rulemaking. In recent years, the achievements of people’s courts in the construction of smart courts have been extensively recognized by the international community. By setting up additional Internet courts in Beijing and Guangzhou, it will be more beneficial to further exploit new models and experiences of Internet justice, sum up China’s experience in forming network governance, actively launch international judicial cooperation and exchanges with an open and inclusive approach, and fully carry out the “four principles” raised by General Secretary Xi Jinping to push forward the reform of the global Internet governance system and the “five-point proposition” of jointly building a community of network destiny.25
25 The head of the Office of the Leading Group for Judicial System Reform of the Supreme People’s Court answered a reporter’s question on the judicial interpretation of cases heard by Internet courts. https://www.chinacourt.org/article/detail/2018/09/id/3489190.shtml.
Chapter 4
40 Years of China’s International Governance in Cyberspace
In the past four decades, China’s attitudes and measures toward international cyberspace governance rules have also changed, and cyberspace has become the focus of attention of all countries owing to the disputes and signing of bilateral and multilateral agreements concerning cybersecurity. Taking the secret contest and game between the Sino-American and EU-China network relationships as the representative, the outside world’s scrutiny of China’s cybersecurity legislation and the influence of Chinese legislative ideas on the legislation of countries around the world have become another important point of view in the past 40 years.
4.1 Evolution and Development of China’s International Governance in Cyberspace
Fueled by the top-speed development and “corner overtaking” of China’s economy, China’s national strength has been continuously enhanced, and its discourse power has been promoted continuously. In the past four decades, China has persisted in safeguarding national sovereignty and cyber sovereignty, actively worked on international cyberspace governance, and endeavored to build a peaceful, safe, cooperative and open cyberspace, playing a significant and constructive part in Asia–Pacific Economic Cooperation, Shanghai Cooperation Organization and BRICS.
© Huazhong University of Science and Technology Press 2022 D. Huang, Research on the Rule of Law of China’s Cybersecurity, https://doi.org/10.1007/978-981-16-8356-5_4
4.1.1 Holding High the Banner of Cybersecurity Sovereignty
Based on the official statement of the United Nations, since the Russian Federation first proposed a draft resolution in the First Committee of the United Nations General Assembly in 1998, the issue of information security has been on the agenda of the United Nations all the time. Especially since 2005, as a result of compromise
between all parties, the United Nations has set up the Internet Governance Forum (IGF), aiming to promote discussion and dialog among stakeholders on Internet-related public policies, but the relevant decision-making is not binding. To date, it has been convened for 14 sessions. Apart from that, early endeavors also included the resolution on global cybersecurity culture adopted at the United Nations General Assembly in January 2005. The content of this resolution was enriched to some extent, including the protection of vital information infrastructure and the refinement of key points in the annexes. In September 2011, the Permanent Representatives of China, Russia, Tajikistan and Uzbekistan jointly sent a letter to the Secretary General of the United Nations, requesting that the draft of the International Code of Conduct for Information Security jointly drafted by the above countries be circulated as an official document of this session of the UN General Assembly. The guidelines call for the establishment of a multilateral, transparent and democratic Internet governance mechanism and fully respect the rights and freedoms of information and cyberspace while observing the laws of all countries. This is a beneficial attempt to promote the global cyberspace security framework at the level of the United Nations after China advocated in the 2010 White Paper on Internet Policy that the United Nations shall exert an all-round effect on Internet management. In 2012, the draft International Telecommunication Regulations submitted by the United Arab Emirates at the World Conference on International Telecommunications integrated the contents of the Russian proposal, demanding that the government’s role in the development and management of the Internet be embodied and the allocation of Internet resources by governments of all countries be enhanced.
The proposal was supported by Russia, China, Saudi Arabia and other countries but opposed by the United States, Canada, Britain, Australia and other countries. Since the rules require that the International Telecommunications Regulations shall be signed by over 160 countries before taking effect, the rules were not legally binding, and the 1988 Regulations continued to be valid. In June 2014, China and the United Nations jointly convened an international conference on the Internet for the first time. China systematically expounded its position and practice on the issue of cybersecurity. Information and communication technology comes up with brand-new digital opportunities for human society and poses unprecedented challenges simultaneously. China advocates that the international community enhance cooperation and jointly safeguard the security, stability and prosperity of cyberspace. Thus, four significant principles shall be well grasped: I. The principle of peace. All countries shall abandon “zero-sum” thinking and ideology during the Cold War and set up a new security concept of mutual trust, mutual benefit, equality and cooperation. II. The principle of sovereignty. All countries enjoy jurisdiction over the information and communication infrastructure and information and communication activities within their territories and shall be entitled to draw up Internet public policies in line with their national conditions. No country may interfere with other countries’ internal affairs or harm other countries’ interests by taking advantage of the Internet. III. The principle of cogovernance. All countries shall follow the principles
of multilateralism, democracy and transparency and endeavor to achieve resource sharing, responsibility sharing and cooperation and cogovernance. IV. The principle of shared benefits. All countries shall advocate the concept of mutual benefit and win–win results, launch international cooperation and cross the “digital divide”. In 2016, cybersecurity became a global challenge, influencing world peace, security, trade and sustainable development. China and the United Nations jointly convened a seminar on cyber issues for the second time, carrying the theme of “building cyberspace guidelines, rules or principles: improving an open, safe, stable, accessible and peaceful ICT environment”. China clearly stated that the international community shall insist on dialog and cooperation, manage and resolve differences through dialog, and seek common security in cooperation; insist on the universal participation of all parties as well as multilateralism, with equal participation and joint decision-making by all countries, and encourage all stakeholders to bring into full play their due roles; stick to the role of the United Nations as the main channel. China has been a significant member since the formation of the governmental expert group in 2004. The Deputy Secretary-General of the United Nations wishes that the members of the governmental expert group of the United Nations on information security, including China, will make joint endeavors to build an open, reliable, safe, stable and inclusive cyberspace. In November 2017, at the meeting of the First Committee responsible for disarmament and international security affairs of the 72nd UN General Assembly (First Committee of the UN General Assembly), two security resolutions were adopted, namely, Further Practical Measures for the Prevention of an Arms Race in Outer Space and No First Placement of Weapons in Outer Space. 
The concept of “building a community of human destiny” was once again included in these two UN resolutions, and this concept was included in the UN security resolution for the first time (the first time it was written into the UN resolution was the resolution of the 55th session of the UN Commission for Social Development in February 2018). Under other multilateral mechanisms, the topic of “management rights of Internet domain name systems” is the most typical. In April 2014, the Global Internet Governance Conference was convened in Brazil and adopted the NETmundial Multistakeholder Statement of Sao Paulo, chiefly including the governance principles of the multiparty model and the road map of future Internet governance. The Statement stressed that Internet governance must ensure that all stakeholders, including governments, the private sector, civil society, technical communities, academic communities and users, can take a responsible attitude and participate beneficially based on a democratic multistakeholder process. At the conference, countries paid special attention to the transfer of IANA supervision power from the United States and how multiple stakeholders participate. After a long and complicated game, in October 2016, NTIA officially handed over the management right of the Internet domain name system to ICANN, marking that the global governance of cyberspace is expected to fulfill the pattern of multistakeholder participation. Overall, the cybersecurity issues of the United Nations chiefly concentrate on two main lines: politics—military and economic—development. The former includes the endeavors of the United Nations Human Rights Council and the Conference of
the Convention on Certain Conventional Weapons to regulate AI; the latter, such as the command plan of Asia–Pacific information superhighway in which China participated, reported in 2016 that “74% of fixed broadband users in Asia–Pacific economic and social region are situated in East Asia and Northeast Asia, and over half of the fixed broadband users in this region are supported by China alone”.
4.1.2 Making Endeavors to Maintain Peace in Cyberspace
In 2007, Estonia was confronted with a thorny problem after suffering a cyber-attack, that is, how to define this new type of cyber-attack in law and whether it can be defined as war or armed attack, which could not be answered in international laws at that time. One view held that the early representative of cyber warfare “in a real sense” was the “Stuxnet” virus attack, which broke out in 2010 and gradually began to be disclosed from 2011 to 2014. Several subsequent cases were also considered a “figurative” form of cyber warfare, including the cyber-attack on power systems in at least three regions of Ukraine on December 23, 2015, and the destruction of some substation control systems in Ivano-Frankivsk, resulting in a large-scale power outage, which lasted for 3–6 h and influenced approximately 1.4 million people. It was later confirmed that the malicious software that infected the Ukrainian power system is called Black Energy. This software can not only shut down crucial systems in power facilities but also allows hackers to remotely control target systems. This is the first confirmed attack on power facilities throughout the world in history. Unlike the definition of cyber warfare in the United States, which attaches importance to material destruction, economic loss and deterrence in the whole area, the definition of cyber warfare by the SCO includes the dissemination of information that harms the spirit, morality and culture of other countries. These differences in the scope, field and applicability of cyber warfare require standardization of the concept in the United Nations and other multilateral channels to lower the risk of cyber warfare outbreaks and the threat to nonmilitary systems, networks and facilities. The Tallinn Manual came against this complicated background. China has always been dedicated to preserving the peace of cyberspace.
General Secretary Xi Jinping, the top leader of China, stressed the crucial significance of cyberspace peace in numerous speeches and resolutely maintained it. On December 16, 2015, at the opening ceremony of the Second World Internet Conference, General Secretary Xi Jinping delivered a significant speech, saying that “there shall be no double standards in maintaining cybersecurity, it is not possible that one country is safe while other countries are unsafe or that some countries are safe while others are unsafe and that it is not allowed to seek country’s so-called absolute security at the expense of other countries’ security”. At this conference, General Secretary Xi Jinping put forward four principles to promote the reform of the global Internet governance system, namely, respecting network sovereignty, maintaining peace and security, promoting open cooperation and building a good order. The World Internet Conference is the largest and highest-level Internet conference hosted by China, and
it is also an unprecedented summit meeting in the world Internet domain. The four principles proposed by General Secretary Xi Jinping at the meeting fully demonstrate China’s determination and efforts to preserve peace and security in cyberspace. In 2009, the CCDCOE organized 20 experts from different countries to begin compiling the Tallinn Manual on the International Law Applicable to Cyber Warfare, namely, Tallinn Manual 1.0. The manual was published in 2013 and contains 95 articles. In 2017, the Tallinn Manual was upgraded to Version 2.0, which was originally only applicable to dealing with cyber warfare and expanded to cyber operations in peacetime, achieving full coverage of international rules of cyberspace in wartime and peacetime, and its name was also changed to the Tallinn Manual on the International Law Applicable to Cyber Operations. In the course of compiling Version 2.0, international expert groups including China and over 50 experts from other countries conducted anonymous reviews on the contents of each chapter, suggesting that the internationalization degree of Version 2.0 of the Tallinn Manual has been enhanced to some extent. This calls for the need for all countries, including China, to participate in the formulation of international rules for cyberspace, which reflects “limited internationalization”. For example, in the content of cyber sovereignty, Chinese experts have expressed different voices on whether to take data sovereignty into consideration. The long-standing existence of such differences also laid the foundation for the subsequent promulgation of the Cloud Act in the United States.
4.1.3 Shaping the Asia–Pacific Cybersecurity Concept
From November 5 to 7, 1989, the first ministerial meeting of the Asia–Pacific Economic Cooperation Conference was held, marking the establishment of the Asia–Pacific Economic Cooperation (APEC). In November 1991, China, as a sovereign state, and Chinese Taipei and Hong Kong (changed to “Hong Kong, China” on July 1, 1997), in the name of the regional economy, formally joined APEC. APEC is a vital economic cooperation forum in the Asia–Pacific region and the highest-level intergovernmental economic cooperation mechanism in the Asia–Pacific region. At the beginning of its establishment, it only held a ministerial meeting every year to study the cooperation among its members. With the deepening and widening of economic cooperation in the Asia–Pacific region, ministerial meetings had difficulty meeting the needs of the new situation. In July 1993, the United States proposed holding a summit meeting after the fifth APEC ministerial meeting. Since it was not approved by all members, the summit meeting was named the “Informal Leaders’ Meeting”. In November of the same year, the first informal leaders’ APEC meeting was held in Seattle, USA, with leaders or representatives of all members attending. After the Seattle Ministerial Conference, the form of “Informal Leaders’ Meeting” continued and became a fixed mechanism. Since then, the “Informal Leaders’ Meeting” has been held once a year to conduct in-depth discussions on issues of common concern of all members, reach a broad consensus on key issues, and adopt a series
of outcome documents as guiding documents to guide cooperation and development among members in the next period. The President of the People’s Republic of China attended the “Informal Leaders’ Meeting” of Asia–Pacific Economic Cooperation and expounded his views and opinions on a series of major issues, such as the global and regional situation and the cooperation direction of Asia–Pacific Economic Cooperation, playing a positive and constructive role in the success of the meetings. China also successfully hosted the “Informal Leaders’ Meeting” of Asia–Pacific Economic Cooperation in Shanghai and Beijing in 2001 and 2014, respectively. Thanks to the continuous promotion of the Telecom Working Group and Telecom Ministers Meeting, information and cybersecurity has become a major issue of Asia–Pacific Economic Cooperation. In 2005, Asia–Pacific Economic Cooperation adopted the strategy of “Trusted Safe and Sustainable Online Environment” (TSSOE). This strategy attempted to follow the commitment made by Asia–Pacific Economic Cooperation in Los Cabos, Mexico, in 2002 in the domain of cybersecurity, promulgate domestic cybersecurity laws, develop computer security incident response teams, facilitate international cooperation, enhance cybersecurity and combat cybercrimes. APEC member economies are encouraged to take actions on some projects, including drawing up strategies to solve the abuse of the network environment, building partnerships, developing observation and early warning capabilities, and supporting cooperation efforts. In 2002, the APEC Cybersecurity Strategy was issued, and in 2005, the APEC Strategy to Ensure a Trusted, Secure and Sustainable Online Environment was released. From August 7 to 8, 2012, the 9th Telecommunications Ministerial Meeting of the Telecommunications Working Group of the Asia–Pacific Economic Cooperation was convened in St. Petersburg, Russia.
The meeting was themed by “building confidence and security on the strength of information and communication technology to facilitate economic growth and prosperity”. The meeting determined the development goals and work priorities of the Telecommunications Working Group of the Asia–Pacific Economic Cooperation in the next few years and adopted the St. Petersburg Declaration. In his speech, Vice Minister of the Ministry of Industry and Information Technology introduced the development policies of China’s information and communication industry and the measures taken to rise to the challenges of network information security and called on all economies of Asia–Pacific Economic Cooperation to further enhance cooperation and exchanges, seize opportunities, meet challenges, make the most of the enormous potential of information and communication technology, and jointly promote the construction of Asia–Pacific information society. In September 2013, Asia–Pacific Economic Cooperation and the Organization for Economic Cooperation and Development (OECD) convened the joint APEC-OECD Symposium on Security Risk Management in the Internet Economy. The meeting had three objectives: to raise the understanding of cybersecurity and increase the security guidance of OECD; offer a platform for discussion among a series of departments (government, industry and technology); make the cooperation between Asia–Pacific Economic Cooperation—Telecommunications and Information Working Group and
the Working Party on Information Security and Privacy (WPISP) of the Organization for Economic Cooperation and Development attain a milestone. The Statement of the 14th Ministerial Conference in 2014 continued to emphasize that while allowing the free flow of information, the integrity of Asia–Pacific Economic Cooperation communication and information systems should be protected. To rise to this challenge, the ministers supported the cybersecurity strategy of Asia–Pacific Economic Cooperation drawn up by the Telecommunications Working Group and instructed them to implement the strategy. In November 2017, the 25th “Informal Leaders’ Meeting” of Asia–Pacific Economic Cooperation was convened in Danang, Vietnam, and the APEC Cross-Border E-Commerce Facilitation Framework was formed with respect to cybersecurity and the development of the digital economy. From 17 to 18, 2018, the 26th informal leaders’ APEC meeting was held in Port Moresby, Papua New Guinea. The theme of this conference was “Harnessing inclusive opportunities, embracing the digital future”. President Xi Jinping attended the APEC CEO Summit in Port Moresby, Papua New Guinea, and delivered a keynote speech entitled “Working Together to Create a Better Future”.
4.1.4 Raising the Security Consensus of BRICS
In 2001, Jim O’Neill, chief economist of Goldman Sachs, first proposed the concept of “BRICS” (Brazil, Russia, India, China), specially referring to the emerging markets of the world. In 2009, the BRICS leaders held their first meeting in Yekaterinburg, Russia, and then held it once a year, establishing the meeting mechanism of BRICS leaders. After South Africa joined it in 2010, it was officially renamed BRICS. Over the years, BRICS have jointly expressed their voices on major international and regional issues and actively pushed forward the process of global economic governance reform, tremendously enhancing the representation and voice of emerging market countries and developing countries. In recent years, the BRICS has put a high premium on issues concerned with cybersecurity and information technology. On December 6, 2013, the Fourth Meeting of BRICS Senior Representatives on Security Affairs was held in Cape Town, South Africa. All parties exchanged in-depth views on the current international and regional security situation, anti-terrorism, network information security, transportation security, and regional issues of common concern, such as Syria, Afghanistan, Iran and Africa, and reached a broad consensus. The meeting decided to set up a working group of BRICS on cybersecurity. At the eighth meeting in October 2016, the leaders of the five countries exchanged in-depth views on BRICS cooperation as well as other international and regional issues of common concern around the theme of “Building Responsive, Inclusive and Collective Solutions” and reached broad consensus. The contents of the Goa Declaration adopted at the meeting associated with cybersecurity and information technology were as follows:
(1) We reiterate that the use and development of ICTs through international and regional cooperation and on the basis of universally accepted norms and principles of international law, including the Charter of the UN; in particular political independence, territorial integrity and sovereign equality of States, the settlement of disputes by peaceful means, noninterference in internal affairs of other States as well as respect for human rights and fundamental freedoms, including the right to privacy; are of paramount importance in order to ensure a peaceful, secure and open and cooperative use of ICTs.
(2) We also advocate for an open, nonfragmented and secure Internet and reiterate that the Internet is a global resource and that states should participate on an equal footing in its evolution and functioning, taking into account the need to involve relevant stakeholders in their respective roles and responsibilities.
(3) We welcome the outcomes of the fourth BRICS Education Ministers’ meeting held on 30 September 2016 in New Delhi, including the New Delhi Declaration on Education. We stress the importance of education and skills for economic development and reaffirm the need for universal access to high-quality education. We are satisfied with the progress of BRICS Network University (BRICSNU) and the BRICS University League (BRICSUL), which will commence their programmes in 2017. These two initiatives will facilitate higher education collaboration and partnerships across BRICS countries.
(4) We stress the importance of implementing the BRICS Research and Innovation Initiative. We welcome the hosting of the first BRICS Young Scientists Conclave in India, instituting the BRICS Innovative Idea Prize for Young Scientists. We note the progress of the first call for proposals under the BRICS STI framework program in ten thematic areas, with funding commitment from the five BRICS STI ministries and associated funding bodies. We welcome the establishment of the BRICS Working Group on Research Infrastructure and Mega-Science to reinforce the BRICS Global Research Advanced Infrastructure Network (BRICS-GRAIN).
On January 1, 2017, China officially took over the presidency of BRICS countries. On May 21, experts and scholars from BRICS countries held a Seminar on Network Economy and Network Security in Chongqing to offer intellectual support and policy suggestions for the ninth summit of BRICS leaders. From July 27 to 28, the Seventh BRICS Senior Representatives Meeting on Security Affairs was convened in Beijing to explore and deepen consensus on global governance, antiterrorism, cybersecurity, energy security, major international and regional hotspots, national security and development, etc. On September 4th, the 9th meeting of BRICS leaders was convened at the Xiamen International Conference & Exhibition Center. President Xi Jinping presided over the meeting and delivered a vital speech entitled “Deepening BRICS Partnership and Opening up a Brighter Future”. Focusing on the theme of “deepening the BRICS partnership and opening up a brighter future”, the vision of striving for common development in the future was further advanced on the basis of the progress already made in BRICS cooperation. International and regional issues of common concern were discussed, and the 2017 BRICS Leaders Xiamen
Declaration was adopted by consensus. The specific outcome document associated with cybersecurity is the BRICS Roadmap of Practical Cooperation on Ensuring Security in the use of ICTs. The main contents are stated below: We reiterate our commitment to industrial cooperation, including production capacity and industrial policies, new industrial infrastructure and standards, small and medium-sized enterprises, etc. We advocate seizing the opportunities brought by the new industrial revolution and accelerating the industrialization process of BRICS countries. We encourage exploring the establishment of future network research institutions of BRICS countries. We will promote the joint R&D and innovation of BRICS countries in ICTs such as the Internet of Things, cloud computing, big data, data analysis, nanotechnology, artificial intelligence, 5G and its innovative applications and enhance the infrastructure construction and interconnection of ICTs in the five countries. We advocate the setting of internationally accepted rules in the areas of infrastructure security, data protection and Internet space to build a peaceful and safe cyberspace. We will increase investment in ICTs and confirm that it is essential to further increase investment in the research and development of information and communication technology and release innovation vitality in offering products and services. We encourage research institutions, organizations and enterprises to build partnerships of certification and facilitation in concept demonstration and pilot projects and bring into full play their complementary advantages in ICT hardware, software and skills through next-generation innovative initiatives in smart cities, health care and energy efficiency facilities. We support active cooperation in implementing the BRICS ICT development agenda and action plan.
We support the United Nations in playing a central role in developing a universally accepted code of conduct for responsible countries in cyberspace to ensure a peaceful, safe, open, cooperative, stable, orderly, accessible and fair ICT environment. We emphasize that the principles of international laws established in the Charter of the United Nations are of vital importance, especially in view of national sovereignty, political independence, territorial integrity and national sovereign equality, noninterference in other countries’ internal affairs, and respect for human rights and fundamental freedoms. We stress that international cooperation should be intensified to combat terrorism and criminal activities that abuse information and communication technologies and reiterate the recommendations made in the Durban Declaration, Fortaleza Declaration, Ufa Declaration and Goa Declaration. As mentioned in the Ufa Declaration, under the leadership of the United Nations, international legal instruments shall be worked out to combat the criminal acts of exploiting information and communication technologies. We have noted with satisfaction the progress made by the Expert Working Group of BRICS on the security of using information and communication technologies. We decided to push forward cooperation in accordance with the Road Map of BRICS Practical Cooperation to Ensure the Safe Use of Information and Communication Technology or any other consensus-building mechanisms and noted Russia’s initiative that BRICS reach an intergovernmental cooperation agreement to ensure the safe use of information and communication technologies. We are convinced that all countries will engage in the evolution and operation of the Internet and its governance on an equal footing and take into account
the necessity for relevant stakeholders to participate in it based on their respective roles and responsibilities. The control structure of Internet core resources needs to be more representative and inclusive. We note with satisfaction the progress made by the BRICS Working Group on Information and Communication Technology Cooperation and recognize the necessity of strengthening cooperation in this area. To this end, BRICS will continue to make joint endeavors on the strength of existing mechanisms to facilitate the safe, open, peaceful and cooperative use of ICTs on the basis of the international community’s equal participation in Internet management. BRICS countries are all emerging economies, and they are all confronted with common opportunities and challenges in cyberspace. I. They raise similar demands in fighting cybercrimes and cyber terrorism. II. The information infrastructure of these countries is comparatively weak, and it is urgent to bridge the digital divide. Therefore, the cybersecurity cooperation of BRICS boasts a natural strategic foundation and broad prospects.
4.1.5 Consolidating the Consensus on Cybersecurity Between Asia and Europe
Originating in 1989, the Shanghai Cooperation Organization is an organization of China, Russia, Kazakhstan, Kyrgyzstan and Tajikistan on reinforcing confidence and disarmament negotiation processes in border areas. In January 2001, Uzbekistan proposed joining the “Shanghai Five” as a full member.1 On June 15, 2001, at the summit held in Shanghai, the heads of state of the six countries formally signed the Declaration on the Establishment of the Shanghai Cooperation Organization, announcing the establishment of a permanent intergovernmental international organization. On June 7, 2002, the Charter of the Shanghai Cooperation Organization was signed at the summit held in St. Petersburg, and the document came into effect on September 19, 2003, stipulating the purposes and principles of the Shanghai Cooperation Organization. The establishment of the Shanghai Cooperation Organization is naturally associated with security, and the issue of security is called the “traditional strong strength” of the SCO. The SCO mentioned that cybercrime and information security are part of the Shanghai Convention on fighting terrorism, separatism and extremism. The Shanghai Convention on Combating Terrorism, Separatism and Extremism, signed as early as 2001, explicitly included in the scope of terrorist activities such acts as planning and inciting acts against public safety, intimidating people and causing direct material losses through the Internet. On June 15, 2006, the heads of state of the SCO met in Shanghai, the main topic of which was that countries should strengthen contemporary information security and make more efforts to ensure information security through cooperation. The Expert Group on International Information Security of Member States was established and started its work in accordance with the resolutions of the Council. In the meeting, the Statement of the Heads of State
1 https://baike.so.com/doc/5397359-5634660.html. First visit date: March 11, 2020.
of Shanghai Cooperation Organization on International Information Security was signed. On August 16, 2007, the Meeting of the Council of SCO Heads of State was held in Bishkek, the capital of Kyrgyzstan. Given the increasingly prominent international information security issues, this summit adopted an action plan for ensuring international information security of SCO member states. The Yekaterinburg Declaration in 2009 stressed the significance of guaranteeing international information security as one of the key elements of the common system of international security. During the summit, SCO member states signed the Agreement among the Governments of the SCO Member States on Cooperation in the Field of Ensuring International Information Security and formed an expert group on the international information security of SCO member states. The Astana Declaration on the 10th Anniversary of Shanghai Cooperation Organization in 2011 stressed that cooperation on cyber counterterrorism shall be strengthened, and common measures for preventing and responding to cyber terrorism shall be drawn up by the network governance organs of member states. In 2012, the 12th executive meeting of the Council of Heads of State of the Shanghai Cooperation Organization (SCO) held in Beijing stated that the SCO shall include the response to international cybercrime in its work to combat terrorism, separatism and extremism. In 2013 and 2015, the SCO submitted “an international code of conduct on information security” to the United Nations General Assembly twice. In particular, in the 2015 edition, the SCO proposed respecting the sovereign independence, territorial integrity and cultural diversity of countries, not interfering with the internal affairs of other countries by virtue of network and communication technologies, and prohibiting the dissemination of information inciting terrorism, extremism, separatism and other racial and religious hatred. 
It was advocated that a country shall have independent control over network information and services, and all countries shall play an equal role in global network governance. In 2015 and 2016, the SCO successively signed and adopted a series of documents, such as the SCO Member States 2016–2018 Cooperation Program on Combating Terrorism, Separatism and Extremism, the Ufa Declaration and the Tashkent Declaration, all of which involved the issue of cyber counterterrorism. From January 24 to 26, 2018, Wuhan hosted a routine meeting of the expert group on international information security of SCO member states as the lead link of the 18th Qingdao meeting of the Council of Heads of State of the Member States of the Shanghai Cooperation Organization. Based on the outcome of the meeting, security is the cornerstone of the sustainable development of the Shanghai Cooperation Organization. All parties will uphold the common, comprehensive, cooperative and sustainable security concepts and carry out cooperation documents such as the Shanghai Convention on Combating the “Three Evil Forces”, the Anti-Terrorism Convention and the Anti-Extremism Convention to effectively combat drug trafficking, transnational organized crimes and cybercrimes. Overall, although multilateral cybersecurity governance has scored achievements in advancing and boosting the rule of law and practice level of cybersecurity governance in all countries, it is still confronted with many problems. First, like the Convention on Cybercrime of the Council of Europe, there are still differences in
the definition and punishment of cybersecurity threats (especially criminal crimes) in multilateral mechanisms, and no agreement can be reached, which renders it difficult for a country to receive full judicial assistance from other member states. In addition, the judicial cooperation and coordination mechanism is still a weak link, and there are still institutional and mechanical gaps in legal provisions, judicial systems and law enforcement cooperation among member states, including the core extradition mechanism that has not fallen into actual effect and achieved coverage. Furthermore, even if the connection between the systems is realized among the member states, the transnational cooperation of law enforcement forces in investigation, evidence collection and arrest is still required, which puts high demands on the capability of action. Apart from that, there exist enormous differences among countries in national codes of conduct on cyberspace, which is why some member states under multilateral mechanisms are called “Swing States”. In conclusion, China has long been involved in international cyberspace governance and played a significant part, particularly in dealing with cybercrimes, terrorism, and cyber warfare, and fully fulfilled its responsibilities as a cyber superpower. China actively participates in cyberspace affairs and occupies a vital position in the decision-making of regional international organizations such as the OECD, SCO and BRICS. After 40 years of ups and downs, China’s international status can no longer be compared with that of 40 years ago. China holds high the banner of cyber sovereignty and actively promotes bilateral or multilateral governance agreements, becoming a vital force in international cyberspace governance. China’s opportunities and capabilities to intervene in international affairs are changing, and China’s cyberspace governance ideas and actions have exerted a wide and profound impact on countries all over the world. 
China, which is on the rise, has regarded peaceful development as an established strategic path for a long time to come, thus enabling the international system to achieve transitional transformation in a relatively moderate state.2 In terms of participating in international cyberspace governance, China is facing more obstacles and challenges. Therefore, China needs to continue to develop itself, launch international cooperation extensively, and insist on fulfilling its responsibilities as a great power.
4.2 Game and Cooperation Between China and the United States in Cyberspace
Currently, cyberspace, as the fifth space following land, sea, sky and space, is increasingly becoming the new focus and territory of international competition and games. The game around the acquisition of key resources and international rule making is becoming increasingly acute and complex. As important actors in cyberspace, the interaction between China and the United States in cyberspace has become a vital variable influencing the overall situation of Sino-US relations. Viewing the evolution
2 Wu [1].
of the relationship between the two countries in the network domain, the conflicts and competitions between China and the United States in this field are more prominent than cooperation in the domain of cybersecurity.
4.2.1 Development Process of the Game
The game between China and the United States in cyberspace is closely concerned with numerous factors, such as ICTs and industrial development, and is subjected to the general environment of Sino-US relations. Overall, the game between China and the United States in cyberspace presents different characteristics in different government periods of the United States. Especially during the Trump administration, the development of China’s Internet industry became the top concern of the United States, and the game situation between China and the United States in cyberspace became more explicit and open.
4.2.1.1 Clinton and George W. Bush Administration
As early as the 1980s, the Chinese government began its efforts to access the Internet and negotiated with the United States on Internet security issues, but no substantial progress was made. As a result, in the early 1990s, the United States once again unilaterally rejected China’s request to join the Internet on the grounds of national security. The main reason was that the United States believed that there were conflicts in ideology, social system and many other aspects between the two countries, and interconnection was bound to do great harm to each other. However, following the continuous development and progress of the Internet, the United States has undergone tremendous changes in its perception of the development of the Internet in China and believed that the Internet in China was a huge market and should be settled and developed as soon as possible. Against this background, the United States allowed China to access the Internet in 1994 and worked out plans and countermeasures for China’s cybersecurity problems. At the early development stage of China’s access to the Internet, the game situation between China and the United States was not obvious. During this period, the United States and other Western developed countries regarded the Internet as a tool for ideological and cultural infiltration into different ideological countries, especially China. All walks of life in the United States also said explicitly that the Internet would become a vital tool for changing China.
4.2.1.2 During the Obama Administration
After Obama took office, China entered the era of Web 2.0, and information technology, applications and industries developed in full swing. Sino-US cybersecurity
relations began to face new challenges. With respect to supervision, information content became one of the important objects of China’s cybersecurity supervision. Following the vigorous development of the Internet industry, China began to engage in the setting of international cyberspace rules more deeply. In the United States, the threat of terrorism, which was principally dealt with during the Bush administration, gradually decreased, and cybercrimes in multiple fields increased. The United States also changed its judgment on cyber threats, thinking that cybercrimes dominated by intelligence and intellectual property theft are the main threats it faces, while China was considered the main source of the threats. The frictions and conflicts between China and the United States around cyber espionage, cybersecurity reviews, network monitoring and international cyberspace rules have become increasingly prominent. For cyber espionage, the United States strongly advocated the “China threat theory”. Obama delivered a public speech saying that the US government had been attacked by Chinese hackers many times. The US Department of Defense also claimed that hackers from China and Russia were seeking to infiltrate the US power control system, endangering the national security of the United States.3 Guided by “China threat theory”, the United States suppressed China’s entire information technology industry under the pretext of “national security”. In 2012, the Permanent Special Intelligence Committee of the U.S. House of Representatives issued the Investigation Report on the Threat of China Telecom Equipment Corporations Huawei and ZTE to US National Security, arguing that the equipment provided by Huawei and ZTE to key infrastructure industries in the United States would endanger the core interests of U.S. national security and suggested that the Foreign Investment Committee shall prevent the acquisition and merger transactions initiated by the two companies.
The report restricted U.S. government systems, contractors and private enterprises from purchasing the equipment of the two companies and proposed to investigate the unfair trade in China’s telecommunications industry. In March 2013, the United States passed the Consolidated and Further Continuing Appropriations Act, which explicitly prevented the Ministry of Commerce, the Ministry of Justice, the National Aeronautics and Space Administration and the National Science Foundation from purchasing products from China or manufactured under the actual control of Chinese companies. On the one hand, the United States held high the banner of “Internet freedom” and “protection of human rights”, adopting numerous measures at home and abroad to resist and suppress China. In the short four-month period from January to May 2010, a series of landmark events took place, including Google’s “withdrawal” of search services from mainland China, Secretary of State Hillary Clinton’s speech on “Internet freedom” naming and criticizing China’s Internet censorship policy, and the US State Department’s public funding of 1.5 million US dollars from the so-called “Global Internet Freedom Consortium” for research and development of proxy software. On the other hand, the US conducts extensive
3 https://www.terradaily.com/reports/Chinese_Russian_hackers_probing_US_power_grid_report_999.html.
surveillance of China through the “Prism Gate” program, which raised the conflict between China and the United States in the domain of cybersecurity to a new height. There were also enormous differences and conflicts between China and the United States in the development of international cyberspace rules. In 2011, China, Russia and other countries submitted a Proposal on International Code of Conduct for Information Security to the United Nations General Assembly, advocating the concept of “cyber sovereignty” and claiming that the United Nations shall play a leading role in Internet governance principles.4 However, the US side reacted flatly to the proposal, and even some members of Congress submitted a resolution to the International Affairs Committee of the House of Representatives, accusing China and Russia of threatening the free flow of Internet information and damaging the universality of the principle of freedom of speech, and criticizing that the code was beneficial for some governments to strengthen the control of Internet content on the grounds of political stability.5
4.2.1.3 During the Trump Administration
In recent years, as China’s information technology has developed in leaps and bounds, particularly the breakthrough of new technologies and applications such as 5G, artificial intelligence and blockchain, China has become the primary focus in the domain of cybersecurity in the United States. After the Trump administration took office, it raised the issue of cybersecurity to the government’s primary concern and increased the rendering of the “competition threats of large countries” in cyberspace. Especially owing to the fast development of new technologies and applications in China, China has been positioned as a strategic competitor by the Trump administration. On December 18, 2017, the White House issued a new version of the National Security Strategy, which is also the first national security strategy issued by US President Trump after taking office. The strategy defines China as a revisionist power and regards China as a strategic competitor of the United States. In recent years, the Trump administration regards China as an imaginary enemy, takes “American interests first” as the basic principle, and intensively issues a series of policies and legislation that directly influence China’s economic growth and cybersecurity, including the Clarifying Lawful Overseas Use of Data Act, the Export Control Reform Act of 2018, and the Foreign Investment Risk Review Modernization Act of 2018. In 2018, the Bureau of Industry and Security (BIS) of the US Department of Commerce issued a document to carry out export control on 14 emerging technologies, including artificial intelligence and machine learning technology, advanced computing technology, data analysis technology, quantum information and sensing technology. Under the situation of Sino-US trade friction, many institutions in China, including Huawei, Iflytek, and Meiah Pico, have been listed on the export control list of the US Department of Commerce. Overall, the United States
4 Yi [2].
5 Xia [3].
has tremendously increased the transaction costs and compliance costs of China’s Internet and communication enterprises by issuing many strategic policies and laws, strengthening foreign investment reviews, supply chain security, export control, and setting tariff barriers. It has imposed a huge impact on the introduction of high-tech information technology, the export of information products, and the development of e-commerce in China. On August 1, 2018, a document was published on the website of the US Federal Government Gazette. On the grounds of national security and diplomatic interests, the US Department of Commerce added export control to 44 Chinese enterprises and institutions on the basis of the original Export Administration Regulations, which will impose additional license requirements on listed entities and restrict behaviors other than licenses. The “list of entities” for export control includes the Second Institute of China Aerospace Science and Industry Corporation as well as its subordinate research institutes, the 13th Institute of China Electronics Technology Group Corporation and its affiliated and subordinate units, the 14th Institute of China Electronics Technology Group Corporation and its affiliated and subordinate units, the 38th Institute of China Electronics Technology Group Corporation and its affiliated and subordinate units, and the 55th Institute of China Electronics Technology Group Corporation and its affiliated and subordinate units, China National Technical Imp&Exp. Corporation, China Huateng Industry Co., Ltd. and Hebei Far East Communications, principally involving China Electronics Technology Group Corporation, which currently has set up eight listed platforms, namely, Sun-create Electronics, Glaruntech, Jiesai Technology, Taiji Corporation, Hikvision, East China Computer, Phenix Optical and Westone. In addition, the United States actively develops its allies and expands its influence in international cyberspace. 
In recent years, cyberspace in the Asia–Pacific region has been the focus of its power penetration, and related measures have been taken frequently. In 2019, the United States and Japan confirmed that the U.S.-Japan Mutual Security Treaty applies to cyber attacks against Japan. The US Congress even pointed out the threat of China and proposed establishing an Indo-Pacific network alliance. In the meantime, the United States also exerted pressure on China in the domain of cybersecurity through international organizations. In 2017, the United States submitted a document to the WTO on the data cross-border security assessment system in Article 37 of China’s Cybersecurity Law, demanding that the WTO urge China to suspend the implementation of this measure on the grounds of hindering the free flow of data. On May 15, 2019, US President Trump officially signed the administrative order Securing the Information and Communications Technology and Services Supply Chain, prohibiting the trading and use of foreign information technologies and services that may pose a special threat to US national security, foreign policy and economy. On the same day, the Bureau of Industry and Security under the US Department of Commerce issued a statement that Huawei and its subsidiaries would be included in the “list of entities”. Enterprises or individuals on the list need to gain relevant licenses to purchase or transfer American technology; however, if the United
States believes that the sale or transfer of technology harms its national security or foreign policy interests, it will refuse to issue a license.6 If the initial game between China and the United States is principally embodied in some conflicts and integrated into the overall foreign policy of the United States, the game between China and the United States at this stage is more targeted, confrontational and systematic. The U.S. strategy toward China in cyberspace is solidified institutionally through strategy, policy and legislation, which renders it more normal and universal. Through export control systems, supply chain security management control degrees and foreign investment review systems, China is blocked from information technology and cybersecurity talent. In the meantime, the United States weakens China’s development momentum by actively mobilizing domestic and foreign forces, continuously strengthens the propaganda of “China threat theory”, holds high the banner of Internet freedom, attacks China’s Internet supervision system, and weakens China’s influence and participation in international cyberspace.
4.2.2 Typical Game Incidents
The game between China and the United States in cyberspace is seen in related conflicts and some policies and legislation. This section selects ten typical events of the game between China and the United States in cyberspace (as of December 31, 2019). To a certain extent, it shows the focus of the game between China and the United States and the overall tendency of US policy toward China in cyberspace. From the “hacking war between China and the United States” in 2001 to the “Snowden incident” in 2013, to the US Department of Justice suing Huawei in 2019 and the US Department of Justice suing four Chinese soldiers in 2020, the participants in the cybersecurity game between China and the United States have gradually moved from nongovernmental organizations to the government level, and the focus of the game has gradually expanded from traditional cyber-attacks, cyber espionage and network content control to new technologies and new applications such as 5G.
4.2.2.1 The Hacking War Between China and the United States in 2001
On April 1, 2001, an American reconnaissance plane was operating over the South China Sea, and China sent two military aircraft to monitor it. Unexpectedly, the US plane suddenly turned and rushed at the Chinese plane, causing its nose and left wing to collide with a Chinese plane and crash. At that time, Wang Wei, the pilot who flew the plane, was killed on the spot. The plane collision between China and the United States triggered a “hacker war between China and the United States”. In this crisis, netizens and private hackers in
6 http://www.gold678.com/C/201905170101331967.
China and the United States launched retaliatory attacks on each other’s government websites. In China, some websites, such as the Yichun Government in Jiangxi, Xi’an Information Port, Guizhou Fangzhi & Diqing Network China Youth Development Foundation, Fujian Foreign Trade Information Network, Hubei Wuchang District Government Information Network, Guilin Library, Technical Institute of Physics and Chemistry, Institute of Psychology and other websites, were attacked by American hackers. Meanwhile, the official websites of the White House, FBI, NASA, Congress, New York Times, Los Angeles Times and other websites were hacked.
4.2.2.2 Google’s Withdrawal from Chinese Mainland in 2010
In 2010, Google, the overlord of the international search engine, proposed withdrawing from the Chinese mainland market. Google claimed that the Chinese government’s censorship policy was too harsh, and it constantly instructed relevant hackers to attack it. Then, the heads of relevant US departments made speeches, demanding that the Chinese government apologize to Google and the US government and compensate Google for economic losses. Then, the US State Department claimed that “the United States would give priority to countries with Internet liberalization in its future foreign policy”. In the view of some American scholars, the Google incident is a key turning point in the cybersecurity relationship between China and the United States. After that, the United States began to doubt China’s true strategic intentions in the network domain. The Google incident occurred in a period when the United States was gradually concerned about Chinese “cyber espionage”. The United States regarded Google’s cybersecurity system being breached by “Chinese hackers” and its internal data “being stolen” as a serious case. Then, the US Secretary of State Hillary Clinton gave a speech on Internet freedom in January 2010, announcing that the United States would “regard unrestricted Internet access as the top priority of its foreign policy”.
4.2.2.3 Huawei and ZTE Events in 2012
On February 11, 2011, Huawei’s acquisition of 3Leaf was rejected by the Committee on Foreign Investment in the United States. In the same month, Huawei issued an open letter, wishing that the United States would conduct a public investigation to clarify Huawei’s accusation of threatening US national security. On October 8, 2012, the US House Intelligence Committee released a report saying that after nearly a year of investigation, Huawei and ZTE might threaten the national communication security of the United States and cause risks to the national security of the United States. They thought that the equipment of these two companies might be used for espionage against the American people and suggested that the US government departments shall prevent the merger and acquisition of the two companies in the United States and related products from entering the American market. However, the
report did not furnish evidence of the equipment being used for espionage, about which China expressed serious concern and strong opposition.
4.2.2.4 Snowden Incident in 2013
In 2013, the Snowden incident broke out and continued to ferment, which sounded the alarm for cybersecurity in various countries and became the focus of international attention in that year. The Snowden incident unveiled the long-term shady surveillance of cyberspace by the United States, revealing that the United States has the capability of global network monitoring. The networks and information systems of more than a dozen countries and regions such as China and Russia have been monitored by the United States, and a large amount of intelligence information has been stolen. A game between surveillance and anti-surveillance among cyberspace countries has become public and intensified. The Snowden incident has aroused great concern in China, seriously dampened the mutual trust between China and the United States on cybersecurity issues, and has become a vital motivation for China to promote the autonomy of cybersecurity technology.
4.2.2.5 In 2014, the US Department of Justice Charged Five Chinese Soldiers
On May 19, 2014, on the eve of the upcoming second meeting of the U.S.-China Cyber Working Group, the US Department of Justice charged five Chinese military officers for stealing trade secrets and other sensitive business information of six American companies in the nuclear power, metals and solar products industries on the grounds of computer hacking, economic espionage and other offenses and published a wanted order on its official website. The United States stressed that this case represented the first ever charges against a state actor for this type of hacking and demanded an aggressive response by all legal means. China immediately decided to suspend the activities of the U.S.-China Cyber Working Group. On May 19, the US Department of Justice insisted on announcing the prosecution of five Chinese military officers despite China’s strong opposition. On May 20, the Chinese Foreign Ministry made a statement in response to the announcement of the prosecution of five Chinese military officers by the US Department of Justice, saying that the United States fabricated facts out of nothing, which damaged Sino-US cooperation and mutual trust. China protested to the US immediately, urging the US to correct its mistakes and revoke the so-called prosecution. On the same day, CNCERT announced the situation of Trojans and botnets from the United States controlling Chinese servers and hosts from March 19 to May 18 of that year, and the more serious data such as the implantation of backdoors by American IP on websites in China; on May 26th, the State Council Information Office of China released the white paper “The United States’ Global Surveillance Record”, which made the first official confirmation and statement on the problem of surveillance
and stealing secrets involving China. For a time, the cybersecurity problem between China and the United States became tenser.
4.2.2.6 The 2015 Incident of US Class Action Lawsuit Against Lenovo
On April 2, 2015, the Federal Court of San Francisco received a class action lawsuit against Lenovo, accusing Lenovo Group Ltd. of preinstalling software Superfish on computers, secretly monitoring, intercepting and transmitting user messages, and sending more web advertisements to users. Based on the appeal documents, Superfish manipulated legal connections, monitored activities and added unsolicited advertisements to legal web pages. Thus, Lenovo’s practices violated the Computer Fraud and Abuse Act and the Federal Eavesdropping Act, involving both breach of contract and illegal invasion simultaneously. On February 21, the US government issued a warning that Superfish software preinstalled in some models of Lenovo notebooks would impose information security risks and asked Lenovo to delete it. Subsequently, an American law firm announced that it would launch a class action lawsuit against Lenovo. Lenovo then apologized for this and released an automatic deletion tool.
4.2.2.7 The 2019 Incident of the US Department of Justice v. Huawei
In January 2019, the US Department of Justice filed 13 charges against Huawei in New York, including bank fraud, wire fraud and conspiracy to commit wire fraud. The defendants included Huawei and two Huawei subsidiaries—Huawei Device USA Inc. (Huawei USA) and Skycom Tech Co. Ltd. (Skycom)—as well as Huawei’s Chief Financial Officer (CFO) Wanzhou Meng. In addition, the United States submitted the extradition document of Wanzhou Meng to Canada on the same day. The prosecutor accused Wanzhou Meng of fraudulently misleading American banks about Huawei’s business in Iran. The prosecutor also accused Huawei of using shell companies in Hong Kong to export equipment to Iran that did not comply with US sanctions. Subsequently, Huawei filed a lawsuit in the US Federal Court, accusing the US of violating the US Constitution by Section 889 of the National Defense Authorization Act for FY 2019. On February 13, 2020, the US Department of Justice suppressed Huawei’s upgrade and once again filed a new lawsuit against Huawei in the Federal Court in Brooklyn, New York. ➀ The new indictment was based on the accusation of the United States in January 2019, accusing Huawei as well as its affiliates of “racketeering conspiracy and conspiracy to steal trade secrets from six American companies in the past decades in a bid to grow and operate Huawei’s business”. On February 14, Huawei issued a statement on its own official website to refute the accusation of the US Department of Justice. On the same day, Foreign Ministry Spokesperson Geng Shuang responded: “the US has abused state power and unreasonably suppressed certain Chinese enterprises without any evidence for some time, which is neither moral nor glorious, and
falls short of the standards of a big country. We urge the US to immediately stop unreasonably suppressing Chinese enterprises”. By analyzing the characteristics and situation of the China-US cybersecurity game from typical incidents, it is clear that America is more “offensive”, while China is still “on the defensive”. Both China and the United States have asymmetric control over network technology and the capability to cope with cybersecurity. ➁ The root cause of these incidents is that China, as an emerging country, has threatened the international status of the old hegemonic country, the United States. Cybersecurity is associated with national security. Without it, there is no national security. In this context, cybersecurity has become a crucial factor in shaping the new global market and plays a significant part in boosting economic growth and international status. The innovation capability of Chinese enterprises in the new technology domain changes with each passing day, particularly Huawei’s leadership capability in 5G technology, which makes the United States seriously distrusted and guarded against China. Therefore, the United States has repeatedly exerted pressure on China’s advanced enterprises such as Huawei and ZTE through the government level and joined its allies to restrict their equipment from occupying the global market. The United States is pressing hard and attacking China’s multinational enterprises with core technologies, while China is on the obvious “defensive”. Although it has never regressed on national sovereignty and security issues, it has not imposed sanctions on the United States. China has always insisted on “building a community of shared destiny in cyberspace”, wishing that China and the United States can peacefully resolve disputes and jointly meet new challenges in network development.
➀ The Chinese side refuted the new US lawsuit against Huawei: unreasonable suppression is neither moral nor glorious. http://mil.news.sina.com.cn/China/2020-02-15/doc-iimxxstf1616827.shtml, latest visit date: March 6, 2020.
➁ Li Chengbin. International Political Economy Analysis of Sino-US Cybersecurity [D] Foreign Affairs University. June 15, 2014.
4.2.3 Cooperation Situation
Even though the game between China and the United States is becoming increasingly fierce on account of differences in national interests and ideologies, the zero-sum game between them is not the result that both sides are willing to see. China and the United States must interact and cooperate in the game to fulfill the duties of large countries and jointly push forward the development of international cybersecurity space. As cyber superpowers in the international community, China and the United States are indispensable subjects in international cyberspace governance, and they also have a certain sense of cooperation in light of the necessity and importance of rulemaking. Specifically:
Primarily, although the United States constantly improves cyber warfare legislation and enhances the combat effectiveness of cyber armies, it is undeniable that
the United States, like China, still agrees with the principle that information and communication technology shall be used for peaceful purposes established by the United Nations Meeting of Governmental Experts on Information Security and that state behavior shall be restrained by international rules. In addition, since global cyberspace is not a land beyond law, China and the United States agree that international rules are of vital importance to maintain information and data security and to prevent, combat and contain the threats of cyber war, economic espionage, cybercrime and cyber terrorism to national sovereignty, security and development interests. Furthermore, China and the United States agree that international laws and relevant principles and spirits, represented by the principle of national sovereignty established by the Charter of the United Nations, are applicable to cyberspace. This consensus was confirmed and reiterated in the reports of work results of the United Nations Meeting of Governmental Experts on Information Security in 2013 and 2015, respectively. ➀ In practice, China and the United States have launched bilateral cooperation in fighting cybercrime and terrorism on numerous occasions. Since 2015, China and the United States have held three high-level joint dialogs on fighting cybercrime and related matters and have reached rich consensus and cooperation documents, which are still valid today. On December 4, 2013, Chinese President Xi Jinping held talks with Vice President Biden of the United States in the Great Hall of the People. The two sides exchanged in-depth views on Sino-US relations and international and regional issues of common concern and agreed that China and the United States shall promote dialog, exchanges and cooperation and endeavor to push forward the building of a new-type Sino-US relationship. Xi Jinping stated that today’s world is not peaceful. 
China and the United States shoulder common responsibilities in safeguarding world peace and boosting human development. Strengthening dialog and cooperation is the only correct choice for the two countries. The two sides ought to firmly grasp the correct direction of bilateral relations, respect each other’s core interests and major concerns, actively expand pragmatic cooperation, properly handle sensitive issues and differences, and ensure the sustained, healthy and stable development of Sino-US relations. Xi Jinping stressed that the two sides shall maintain close exchanges and dialogs between the two militaries, enhance cooperation in traditional and nontraditional security fields, and intensify cooperation in counterterrorism, law enforcement and nonproliferation areas.
➀ He Xiaoyue. Sino-US Game in Cyberspace Rule Making: Competition, Cooperation and Institutional Equilibrium [J]. Pacific Journal, 2018, 26(02): 29.
In April 2017, when President Xi Jinping and President Trump held their first meeting at Haihu Manor, one of the four dialog mechanisms reached consensus was the US Law Enforcement and Cyber Security Dialog, which is a vital platform for the two governments to promote cooperation between the two sides in the field of law enforcement and cybersecurity. Therefore, in October 2017, Guo Shengkun, Chinese State Councillor and Minister of the Ministry of Public Security, Jeff Sessions, Secretary of Justice of the United States, and Elaine Duke, Acting Secretary of Homeland
Security, cochaired the first round of China-US dialog on law enforcement and cybersecurity. Despite differences, both sides made efforts to make tangible progress on the above issues. Regarding cybercrime and cybersecurity, the two sides indicated that they will continue to implement the consensus on Sino-US cybersecurity cooperation reached by the heads of state of China and the United States in 2015, including the following five consensuses:
I. They shall respond to a party’s request for information and assistance on malicious network activities in a timely manner;
II. The governments of their respective countries shall not engage in or knowingly support the theft of intellectual property through the Internet to make their enterprises or business industry in a better position to compete, including the theft of trade secrets and other confidential business information;
III. They promise to jointly formulate and promote the appropriate national codes of conduct in cyberspace in the international community;
IV. They will maintain a high-level dialog mechanism against cybercrimes and related matters;
V. They will strengthen law enforcement communication on cybersecurity cases and make quick responses to each other.
The two sides are willing to improve cooperation with each other in combating cybercrime, which involves sharing clues and information linked with cybercrime in a timely manner and responding to requests for criminal judicial assistance in a timely manner. The scope of criminal judicial assistance includes cyber fraud (email fraud inclusive), hacker crimes, violent terrorist activities carried out via the Internet, and the spread of obscene information about children on the Internet. The two sides will continue to cooperate in network protection, maintain and strengthen the sharing of cybersecurity information, and consider future cooperation in cybersecurity protection of critical infrastructure. 
Both parties agree to keep and make the best use of the established hotline mechanism and timely communicate at the leadership or working level on urgent cybercrimes and cyber protection matters related to major cyber security incidents, as required. Overall, the United States has exerted an enormous impact on the introduction of high-tech technology, such as information technology, the export of information products and the development of e-commerce in China through strategies, policies and legislation. However, viewing from the continuous dialog mechanism and practice between China and the United States, the zero-sum game is not the result that both sides are willing to see. Considering the continuous growth of China’s international status and the increasing autonomy of core technologies, the United States will take more measures to restrict the innovation and development of Chinese enterprises to maintain its competitive advantage. In December 2013, when President Xi Jinping held talks with Vice President Biden of the United States in the Great Hall of the People in Beijing, the latter said that “the US-China relationship is the most crucial bilateral relationship in the twenty-first century”, and historic transformation has taken place in the international system. In the international background of China’s rapid rise, it has become the focus of attention of the international community on how to get along with China and the United States, as new and big countries. Whether Sino-US relations are moving toward conflict and confrontation or win–win cooperation has become a major issue facing the two countries. ➀ Essentially,
China’s wisdom and solutions are helpful to jointly deal with the challenges and threats existing for the development of international cyberspace security. As the most important national actors, China and the United States shall abandon the differences in ideology, politics or culture, abandon the Cold War mentality, adhere to the principle of nonconflict and nonconfrontation, mutually respect each other, seek win–win cooperation, work together to deal with regional, national and even global security issues, expand common interests in deepening cooperation, and earnestly shoulder the responsibilities of cyberspace governance.
➀ Cheng Fang, Research on the 21st Century Major Power Relations between China America—Toward the Way of Cooperation and Win–Win [D]. Jilin University. 2017.
4.3 Disagreements and Cooperation Between China and the EU in Cyberspace
As significant actors in cyberspace, China and the European Union have launched multisectoral and cross-topic dialog and cooperation in cybersecurity and achieved fruitful results. In the meantime, due to the influence of geopolitics, the development of the digital economy and the concept of cybersecurity governance, there are numerous differences between China and the EU in the cybersecurity domain. In comparison with the obvious “offensive and defensive” trend of the Sino-US game, the game between China and the EU is relatively peaceful.
4.3.1 Development Process of the Game
With the strong rise of China’s network industry and the development of new technologies such as 5G and big data, there are numerous differences of interests between China and Europe in the economic area, which naturally extend and map into the realm of cybersecurity.
4.3.1.1 Important Areas of the Game
The game or interest differences between China and Europe in the domain of cybersecurity are principally embodied in the fight against cybercrimes, 5G technology, network arms control, and international cybersecurity governance rights. In the fight against cybercrimes, although China and Europe have reached a high degree of consensus in the relevant international agenda, they essentially belong to the camp of developing countries and the camp of developed countries, respectively,
and there is a game between their positions and opinions in the development of cyberspace rules. In November 2001, 27 European countries, the United States, Japan, Canada, and South Africa entered the Cybercrime Convention in Budapest, Hungary. This is the first law issued at the EU level to combat cybercrime, and it is also the first international treaty in the field of the Internet. The EU has put forth great efforts all the time to promote it as a model for countries to draw up cybersecurity regulations and launch international cooperation. China is dedicated to calling for international laws to combat cybercrime on a global scale and advocates building a fair, transparent and authoritative Internet management institution and working out a new international convention under the framework of the United Nations. The European Union considers that the international institutions of the United Nations system are inefficient. For example, the European Union holds that the International Telecommunication Union (ITU) lacks real credibility and transparency, so the EU resists the ITU management of the Internet and intends to replace the role of the United Nations through the Cybercrime Convention. In September 2011, China, Russia and four other countries jointly drafted a proposal on the International Code of Conduct for Information Security, which was submitted to the 66th UN General Assembly for discussion, intended to boost the establishment of an international convention on cybersecurity and work out a network governance system under the UN framework. 
The proposal was opposed by the United States and EU countries and aborted as a result; in January 2015, China, together with some countries of the Shanghai Cooperation Organization, sent a letter to the Secretary-General of the United Nations asking him to discuss the International Code of Conduct for Information Security as an official document of the 69th UN General Assembly, with a view to facilitate countries to reach a consensus on international norms of cyberspace with the least delay possible. However, European and American countries still reacted coldly. In the multilateral discussions of ITU, European and American countries also showed distrust of the governance framework of the United Nations. At the signing stage of the document on cybersecurity governance discussed at the ITU Conference held at the end of 2012, 89 developing countries, including China and Russia, signed it uniformly, while the Western camp dominated by Europe and the United States refused to sign the conference document.
➀ Liu Feng, American alliance management and its influence on China [J]. Foreign Affairs Review, Issue 6, 2014.
In regard to 5G technology, in recent years, the EU has put a high premium on China. On September 28, 2019, China and the EU entered into a vital partnership agreement on the future communication network technology 5G. The EU considers that China is a vital 5G market for European telecom enterprises. Pursuant to the agreement, EU enterprises, especially telecom and information and communication technology enterprises, will have easier access to the Chinese market. By then, European enterprises could enjoy the same conditions that Chinese enterprises currently enjoy in EU 5G research projects when participating in 5G research, development and innovation projects supported by the Chinese government. Following the signing of the EU-China 5G agreement, the corresponding industry associations, the
EU 5G Public–Private Partnership Alliance and China IMT-2020 (5G) Promotion Group have also drafted and will enter into an industry agreement. At the same time, however, the EU holds a highly vigilant attitude toward new technologies and applications such as 5G in China. In 2019, the European Union specially conducted security risk research on China’s information technology products and services, issued a resolution urging the European Commission to formulate strategies to reduce the EU’s dependence on foreign technologies in the domain of cybersecurity, and proposed to implement a certification plan for 5G equipment. With respect to cyberarms control, to consolidate communication and coordination among countries in the domain of cybersecurity rule making, the United Nations set up the “Government Expert Group” on Cybersecurity four times in 2004, 2009, June 2013 and December 2013, offering a platform for countries to exchange views and resolve differences. On the strength of this platform, diplomats from the United States, Russia, the European Union and China have first communicated the definitions of cybersecurity-related terms, gained a consensus understanding of the potential threats of cybersecurity and the principle of cyber sovereignty, and laid a foundation of mutual trust for norm-setting and voluntary initial cooperation in certain areas. However, in high political fields such as cyber armed conflicts, it is difficult for all parties to reach a consensus within the multilateral framework of the United Nations. 
For example, in the voting of the draft resolution on the Development in the Field of Information and Telecommunications in the Context of International Security involving network arms control in the United Nations in 2006, the only negative vote came from the United States; at the UN General Assembly meeting at the end of 2013, countries such as Europe and the United States advocated the application of existing international law to cyberspace, which deepened the worries of militarization of cyberspace and met with opposition from China and Russia. As far as the power of international cybersecurity governance is concerned, the United States and the European Union have taken a consistent position at multilateral conferences such as the United Nations Telecommunications Conference, joined Western countries to resist the proposal of amending the International Telecommunications Regulations raised by emerging countries such as China and Russia, and opposed the transfer of domain name management and standard-setting power to the United Nations for takeover. At the proposal of the United Nations International Telecommunication Union, the United Nations General Assembly in 2001 adopted a resolution on convening the World Summit on the Information Society (WSIS). Based on the resolution, the WSIS was classified into two stages, namely, the Geneva Summit in 2003 and the Tunis Summit in 2005, and documents such as the Geneva—Declaration of Principles, the Geneva Action Plan, the Tunis Commitment and the Tunis Agenda for the Information Society were adopted. At the Tunis Summit, various countries decided to hold the “Internet Governance Forum (IGF)” on a yearly basis from 2006 to explore ways for developing countries to build a more just and reasonable network governance model. 
In terms of the EU’s position in WSIS Summit and Internet Governance Forum, on the one hand, it opposes the proposal raised by China and Russia that the United Nations take over the power of international cybersecurity governance and is not
active in supporting the network development of developing countries and narrowing the digital divide; on the other hand, it endorses ICANN and the Internet Governance Forum to weaken the cyber hegemony of the United States, supports the reform demands of emerging countries to a certain extent, and actively advocates the multistakeholder model of the European Union and the network values of freedom and democracy.
4.3.1.2 The Main Reasons for the Game
The reasons why there exists a long-term game between China and Europe in the domain of cybersecurity chiefly include the following two aspects: Primarily, there are divergences in cyberspace governance models and concepts between China and Europe. Traditional ICT powers such as the United States and Europe advocate the governance model of “multistakeholder” and consider that cyberspace falls to the category of the “Global Commons” in nature, and governance shall chiefly be conducted by actors other than government departments. Unlike the United States and Europe, China, Russia and other emerging economies advocate the principle of multilateralism, holding that cyberspace is provided with sovereign attributes and that sovereign countries shall be the core actors in the international governance of cyberspace. They give prominence to the importance of government Internet censorship and supervision for creating a good cybersecurity environment and endeavor to achieve sovereign jurisdiction over key resources, thereby balancing and even hedging the hegemonic advantages of the United States.7 A typical case is the work of the United Nations Group of Governmental Experts on Information Security. From 2016 to 2017, the expert group failed to reach a consensus on whether to grant countries the power to independently judge and counter cyber-attacks. China explicitly opposes the militarization of cyberspace and the provision granting countries the legal use of force in cyberspace, which is not only in line with China’s interests but also beneficial to the peace and development of cyberspace. The EU shares the same interests with China to a large extent, but owing to the existence of the US-Europe camp, the EU is tremendously influenced by the United States and has to support the US position.8 In addition, the emphasis of cyberspace security strategies between China and Europe is different to some degree. 
7 Ruiping [4].
8 Chuanying [5].
For a long time, the European Union has led global data protection legislation with high standards of data protection. In 2016, the adoption of the GDPR marked a new stage of EU data protection legislation. In addition to data protection, in recent years, the European Union has also set out to reform its cybersecurity legislation. In 2013, the EU introduced the EU Cyber Security Strategy. As the first policy document in the domain of cybersecurity, it attaches more importance to governance and social security and highlights the protection of
individual rights and interests simultaneously. In 2017, the EU adopted NIS directive. In 2019, the first comprehensive Cybersecurity Act at the EU level was officially implemented. Overall, EU cybersecurity legislation takes the protection of citizens’ basic rights as the starting point, highlighting the values of respecting personal dignity and basic rights in the course of digital development. In recent years, China’s cybersecurity legislation has also developed in a rapid manner. At the national strategic policy level, the National Cyberspace Security Strategy, the International Strategy of Cooperation on Cyberspace, etc. have been promulgated one after another. In 2017, the first comprehensive law on cybersecurity was officially implemented. The Measures for Cybersecurity Review, the Critical Information Infrastructure Protection Regulations, the Regulations on the Classified Protection of Cyber Security and other related supporting systems are constantly perfected. Furthermore, the highly valued Data Security Law and Personal Information Protection Law have also been officially passed. Generally, China’s current cybersecurity legislation primarily gives priority to political and social stability. It is worth mentioning that with the enforcement of EU GDPR, China’s Cybersecurity Law and the National Intelligence Law of the People’s Republic of China (hereinafter referred to as the National Intelligence Law), the game between China and Europe in some areas is becoming increasingly distinct. The GDPR extends its scope of application to the whole world by virtue of its long arm jurisdiction, which imposes a direct impact on China. The EU side is highly vigilant about China’s data localization policy and the authority of public authorities to acquire private data.
4.3.2 Cooperation Situation
Although there is a game between China and Europe, focusing on cooperation has become the biggest consensus of both sides. All things considered, EU-China cybersecurity cooperation has gone through three stages: starting, expansion and deepening, and gradually expanded from early academic research cooperation to the level of the intergovernmental system and strategic cooperation.
4.3.2.1 Starting Stage—Cybersecurity Academic Research Cooperation
Since the 1980s, China and Europe have initiated cooperation in the domain of networks. On September 14, 1987, Professor Werner Zorn of Germany connected China to the Internet for the first time and sent out the first e-mail in China. China registered China’s international top-level domain name .cn for the first time by using the server set up at the Computer Center (IRA) of Karlsruhe University in Germany. In 1996, China opened the only network connection dedicated line for scientific and technological research between China and Europe, and two years later, the two sides
opened CERNET-JANET, an international line with Chinese and British academic networks. In 1984, the European Union began to implement the “Framework Programmes for Research and Technological Development”, which are one of the largest official science and technology programs in the world, placing emphasis on the research of international science and technology frontier topics and competitive science and technology difficulties, as well as the global scientific research and technology development programmes with the largest investment and the richest content in the European Union. To date, seven framework plans have been implemented, and the eighth framework plan—Horizon 2020—is being implemented. In 1998, the Agreement on Science and Technology Cooperation between the Government of the People’s Republic of China and the European Community was signed. Pursuant to the Agreement, the EU’s Framework Programmes for Research and Technological Development would be officially open to China, and China could engage in the Programmes. The National High Technology Research and Development Program of China (863 Program) and the National Crucial Basic Research and Development Program (973 Program) were also open to the EU. The Agreement offered a rare opportunity and a new channel for contributing to scientific and technological cooperation between China and the EU. To carry out the Sino-EU Agreement on Science and Technology Cooperation and help Chinese institutions and scholars participate in the EU science and technology framework plan, the Ministry of Science and Technology of China decided to set up the EU-China Science and Technology Cooperation Promotion Office, which was officially listed for work in June 2001.9
4.3.2.2 Expansion Stage—Multidomain Cybersecurity Technical Cooperation
Along with the fast promotion of informatization, the crucial applications of economic growth and people’s livelihood are increasingly dependent on the Internet. In the course of pushing forward digitalization, China and Europe have met problems such as isolated information islands, waste of information resources, and low interconnection of application systems. To address this problem, in 2005, China’s Ministry of Science and Technology and the European Commission jointly organized the EU-China Grid International Conference (Grid@Asia Workshop), which discussed issues such as reinforcing the sharing of network resources, enhancing the capability of collaborative work and boosting the efficiency of information resource allocation. In 2006, EU-China next-generation Internet cooperation was initiated in an all-round way, and the two sides entered into the Joint Statement on Strategic Cooperation of EU-China High-speed Network Infrastructure as Well as Its Major Applications in Beijing, forming a three-dimensional and multilevel cooperation pattern between China and Europe in the domain of science and technology. The “7th Framework” Research Program launched by the European Union in 2007 involves network infrastructure construction, information technology research and cooperation projects, and Chinese enterprises and related institutions also participate in the projects. At this stage, the areas of EU-China Internet cooperation were expanded to the network economy, network technology research, network crime governance and other aspects.
9 http://www.most.gov.cn/zzjg/zzjgzs/zzjgsyjlzx/.
4.3.2.3 Deepening Stage—Cybersecurity Strategic Cooperation
As the leaders of both sides attach more importance to network issues, China and the EU have launched a multilevel dialog mechanism in the network domain, which covers the common interests of both sides in cyberspace and has reaped certain results, and it has become a significant part of EU-China relations. In 2012, the EU-China Cyber Task Force was set up. In 2013, at the 16th EU-China Leaders’ Meeting, the EU-China 2020 Strategic Agenda for Cooperation was published, indicating that China and the EU would support and facilitate the construction of a peaceful, safe, resilient and open cyberspace and promote mutual trust and cooperation in the network domain through the EU-China Cyber Task Force and other platforms. Under the framework of the U.N. Convention Against Transnational Organized Crime and the United Nations Convention against Corruption, China and the EU cooperated on specific projects in combating transnational crimes and cybercrimes and held special consultations on anti-terrorism issues in due course. In 2016, during President Xi Jinping’s visit to Europe, he stressed the significance of reinforcing dialog, consultation and technical exchanges between China and Europe in industrialization and informatization. In 2019, the joint statement of the 21st EU-China Leaders’ Meeting pointed out that international law, especially the Charter of the United Nations, is applicable to and crucial to maintaining peace and stability in cyberspace. Both sides will endeavor to promote the formulation and implementation of internationally accepted responsible national codes of conduct in cyberspace within the framework of the United Nations. The two sides will strengthen cooperation in combating malicious activities in cyberspace under the EU-China Cyber Task Force, including cooperation in intellectual property protection.
In the field of 5G, the two sides welcome the progress and further exchanges of dialog and cooperation mechanisms based on the 2015 EU-China 5G Joint Statement, including technical cooperation between industries. At this stage, the content of EU-China network cooperation was not confined to technical exchanges but rose to a strategic level, where both sides were dedicated to making joint endeavors to build a reasonable cyberspace order and making continuous progress toward a community of destiny in cyberspace.
4.3.3 Cooperation Mechanisms
In the field of EU-China network dialog and cooperation, three dialog mechanisms have been established, namely, EU-China Dialog on Information Technology, Telecommunications and Informatization, EU-China Cyber Task Force, and EU-China Expert Group on Cybersecurity and Digital Economy. These three dialog mechanisms are positioned in the fields of Internet technology development and application, international governance of cyberspace and domestic network policy.¹⁰
4.3.3.1 EU-China Dialog on Information Technology, Telecommunications and Informatization
In 2009, the first EU-China Dialog on Information Technology, Telecommunications and Informatization was convened in Beijing under the impetus of the Ministry of Industry and Information Technology of China and the European Commission’s Directorate General of Communication Network, Content and Technology. The two sides discussed information and communication infrastructure construction, e-commerce, e-government and digital transformation. Since then, this annual dialog mechanism has been convened alternately in China and Europe and was convened nine times by the end of 2018. The EU-China Dialog on Information Technology, Telecommunications and Informatization includes not merely some long-term issues, such as information and communication technology policy and supervision, digital transformation, communication infrastructure cooperation, but some topics of enormous significance in the times, such as digital economy, 5G R&D, industrial digitalization, etc. Apart from that, the two sides also launched joint research projects under this dialog mechanism, such as the joint research project of “EU-China Internet of Things and 5G” launched in 2016, to conduct in-depth research and analysis and explore cooperation on technologies, industries and policies in the domain of Internet of Things and 5G. In September 2018, at the 9th meeting of the EU-China Dialog on Information Technology, Telecommunications and Informatization, China and the EU conducted in-depth exchanges focusing on ICT policies and digital economy, ICT supervision, 5G R&D, industrial digitalization and other issues. It was unanimously agreed to make the best use of the mechanism of EU-China Dialog on Information Technology, Telecommunications and Informatization to actively expand cooperation in fields such as 5G, industrial Internet and artificial intelligence.
China can deepen cooperation with the EU and its member states to continue to promote the sustainable development of information society projects on both sides.
10 Chuanying [6].
4.3.3.2 EU-China Cyber Task Force
In the Joint Press Communiqué of the 14th EU-China Summit in 2012, it was announced that the Chinese Ministry of Foreign Affairs and the European External Action Service would jointly set up the EU-China Cyber Task Force, which is an interdepartmental communication and consultation mechanism on international cybersecurity led by the foreign affairs departments of both sides. Shortly after the formation of the EU-China Cyber Task Force, the Snowden incident broke out, and cybersecurity became the most important international political and security topic throughout the world. As a common victim of “large-scale interception” by the United States, China and Europe jointly voiced their condemnation of malicious network behavior of “large-scale interception”, which led the agenda of international governance of cybersecurity to a certain extent. Apart from that, the two sides intensified their cooperation in the domain of international security through the EU-China Cyber Task Force. The diplomatic departments of China and Europe held discussions on the establishment of national codes of conduct in cyberspace, the application of international laws in cyberspace, the adoption of confidence-building measures, the enhanced protection of critical infrastructure, and international cooperation in combating cybercrime. Through dialog, the two sides have increased the transparency of policies and enhanced mutual trust in the network domain, laying a solid foundation for deepening cooperation between the cybersecurity-related institutions of the two sides (such as computer emergency response agencies).¹¹
4.3.3.3 EU-China Expert Group on Cybersecurity and Digital Economy
In 2016, in the context of the deteriorating global cyberspace security situation, China and the EU carried out several new measures in cyberspace, proceeding from the security, development and governance of networks, and exploring the establishment of an all-round strategic system around the strategic planning, policy setting, industrial development and personnel training of cyberspace. How to strengthen the coordination between China and the EU in the domain of cybersecurity and the digital economy plays a crucial part in the execution of both sides’ network strategies and policies. In July 2016, during the 18th EU-China Leaders’ Meeting, the EU-China Expert Group on Cybersecurity and Digital Economy, jointly organized by China’s State Internet Information Office and the European Commission’s Directorate General of Communication Network, Content and Technology, was set up. The main task of this mechanism is to focus on the internal network policies and supervision modes of both sides, discuss how to reinforce policy coordination and communication, increase policy transparency, alleviate the impact of relevant domestic laws and regulations on both sides’ business and digital economy, and come up with suggestions for both sides to build mutual trust at the strategic level and strengthen cooperation at the industrial level. By the end of 2018, the EU-China Expert Group on Cybersecurity and Digital Economy had held four meetings and agreed to continue the dialog in the future. The EU-China Expert Group on Cybersecurity and Digital Economy conducts a dialog on the impact of EU-China laws and regulations in the fields of cybersecurity and digital economy on both sides and how to further promote cooperation between China and Europe in industrial development, personnel training and scientific research. For example, in the field of data security, the EU has drawn up GDPR. China has worked out the Measures on Security Assessment for Outbound Transmission of Personal Information and Critical Data (the Draft). These management policies not only exert an important impact on the operation mode and personal information security of the Internet and related enterprises of both sides but also incur a certain degree of jurisdictional disputes.¹²
11 Chuanying [6].
References
1. X. Wu, The Research on Construction of International Discourse Power Against a Background of China’s Peaceful Development. (Fujian Normal University, 3 June 2015)
2. S. Yi, Cybersecurity and nontraditional factors in Sino-US security relations. Int. Forum 12(4) (2010)
3. C. Xia, A Study on American Cyberspace Strategy to China. (China Foreign Affairs University, 2015)
4. W. Ruiping, EU-China cooperation in cyberspace governance: progress, challenges and countermeasures. Contemp. Int. Relat. (6) (2019)
5. L. Chuanying, Security dilemma, wrong perception and path choice of cyberspace relations between major powers: a case study of EU-China network cooperation. Eur. Stud. (2) (2019)
6. L. Chuanying, An analysis of the present situation and future of EU-China network dialog and cooperation. Pacific J. (11) (2019)
12 Lu Chuanying, an analysis of the present situation and future of EU-China network dialog and cooperation [J].
Chapter 5
Future Prospects of China’s Legal Construction in Cybersecurity
Law-based governance is a significant criterion for human society to enter modern civilization, and it is the foundation for the modernization of the national governance system and governance capacity. Over the past 40 years since the reform and opening up, China has seized the historical opportunity brought by the development of informatization to the country and the people, focused on dealing with the national and social security related problems going with the popularization and application of computers, and finally embarked on a road of cybersecurity legal governance that is not only in line with international standards, but carries Chinese characteristics. Meanwhile, China has realized the upgrading of cybersecurity legal systems from nonexistence to existence, from fragmentation to systematization, from response to prevention. Since the Cybersecurity Law was officially enforced on June 1, 2017, the process of legal construction in cybersecurity has been expedited, the “data-driven” national innovation governance system has been comprehensively explored, and enormous progress has been made in the legislative construction, law enforcement actions and judicial practice of cybersecurity, and a comprehensive governance pattern of network co-construction, co-governance and sharing has basically taken shape. Since 2020, the COVID-19 epidemic and economic crisis sweeping the world have pushed forward the continuous evolution of national order, international situation and world pattern. Under the epidemic, the role of the digital economy has become increasingly prominent, and uncertainties resulting from “deglobalization”, “technology decoupling” and “unilateral trade protectionism” have intensified. Cyberspace governance is confronted with unprecedented conflicts, risks, opportunities and challenges.
In the postepidemic era, we must face the major test of national conditions and powers and constantly advance the modernization of the national governance system and governance capacity. A boat that sails against the current will be pushed backward if it does not move forward. Although China’s legal construction in cybersecurity has scored an achievement, there is still a long way to go in building a cyber power ruled by law. It is necessary to comprehensively promote cybersecurity legislation, cybersecurity law enforcement, cybersecurity justice, cybersecurity law-abiding, cybersecurity legal supervision, and cybersecurity legal research. The evolution of China’s cybersecurity legislation construction, supervision system and cyberspace international game for more than 40 years offers a reference for looking forward to the future approach of rule of law in cybersecurity and will be projected into future trends in the form of variables with different weights. However, distinctly, the “parameters” based on the past and on the strength of the existing technology, management and policies still cannot be used to accurately predict the future trend of legal cybersecurity construction. On the one hand, the network and code are spontaneous to some degree and are constantly creating and reshaping rules and realizing transformation; on the other hand, the future is also initiative, which depends on the design and construction of cybersecurity rules by law. In view of this, to predict the future of legal cybersecurity construction, it is necessary not only to examine the impacts of disruptive information technology and other industrial technologies on cybersecurity legislation through iteration, redundancy, and trial and error but also to trace the source from the evolution of human society destiny and the existing legal value system. Although it is rather difficult to predict and forecast in the medium and long term owing to the uncertainty of technology, economic and social development and the sudden and perplexing changes of international games, new technologies, new applications, new formats and new rules constantly impact the existing ideas and governance rules of the rule of law, cybersecurity legal construction in China shall still jump out of the present, prejudge and preview the future legislative plan, assume and eliminate some uncertainties, and realize the vision of a cyber power ruled by law with “benign laws and good governance”. In our view, the future development of China’s cybersecurity rule of law shall at least cover the following aspects.
© Huazhong University of Science and Technology Press 2022 D. Huang, Research on the Rule of Law of China’s Cybersecurity, https://doi.org/10.1007/978-981-16-8356-5_5
5.1 Serve “Digital Well-Being” as the Fundamental Gist
The extensive application of computers, digitalization and informatization of society are inevitable development trends, and a number of security issues arising from computerized and digitalized information systems as well as their networks will be the common, long-term and changing social problems faced by the international community. At the initial stage of the security governance of network tools, the state realized that the use and development of computers and informatization are necessary for national development and people’s interests, and computer security issues (cybersecurity issues) that follow will inevitably become a new social problem, so it is necessary to take basic, fundamental and guaranteed long-term protection measures for computer information systems as well as their cybersecurity. Digital development has been considered a vital measure and evaluation index of national economic and social development, and digital well-being has also turned into the starting point and foothold of China’s informatization development. The evolution track of Zhongguo Wangluo Anquan Fazhi 40 Nian suggests that whether it is the initial stage of the security governance of network tools, the period of the security governance of network society with deepening cognition, or the current stage of cybersecurity governance
of network countries that has been promoted to be a national strategy, it embodies the fundamental purpose of the country to advance informatization and all-round development of social economy and maximize the digital well-being of the country, society and individuals. Currently, with the relentless march of technology, how to establish the rule of law goal focused on technological innovation in industrial technology policy on the strength of effective utilization of legal resources is the basic guarantee for enterprises to gain vitality and the country to pursue long-term development.¹ From the user access requirement² of the Interim Regulations of the People’s Republic of China on the Administration of International Networking of Computer Information Networks in 1996, to the criminal liability assurance of the Decision of the Standing Committee of the National People’s Congress on Guarding Internet Security of 2000 for threatening operational safety and information security, from the protection of citizens’ personal electronic information in the Decision of the Standing Committee of the NPC on Strengthening the Protection of Network Information in 2012, to the guarantee of network use rights for all types of network subjects and the clarification of basic norms for diverse types of behaviors in the Cybersecurity Law of 2016,³ and then to the protection of data and personal information by the Data Security Law and Personal Information Protection Law in 2021,⁴ it can be seen that the legal purpose of rule of law in cybersecurity is to safeguard national security, social stability and protect the legitimate interests and rights of all parties concerned, which always embodies the purpose of benefiting the digital well-being of the vast majority of people.
Undoubtedly, future cybersecurity legislation will unswervingly implement this purpose, guide the handling of the contradiction between stability and flexibility highlighted in cybersecurity laws, and penetrate into the mechanism of laws and regulations, making decisions on the design of legal provisions and the value orientation of resolving different opinions. For instance, under this fundamental purpose, artificial intelligence, the Internet of Things, smart cities, quantum computing, etc. must serve people, enhance people’s capability and fulfill people’s overall development as the ultimate goal. The data value of big data and cloud computing and the virtual value of blockchain and digital currency will be sublimated to the real added value of all communities of shared destiny of cyberspace.
1 Technical Rationality, Social Development and Freedom—Introduction to Science and Technology Law, Peking University Press, December 2005, 1st Edition, P. 66.
2 Article 10 of the Interim Regulations of the People’s Republic of China on the Administration of International Networking of Computer Information Networks: if computers or computer information networks used by individuals, legal persons and other organizations (hereinafter referred to as users) need to be connected to international networks, they must be connected internationally through access networks.
3 Article 12 of the Cybersecurity Law: the State protects the rights of citizens, legal persons and other organizations to use the network in accordance with the law, promotes the popularization of network access, raises the level of network services, renders safe and convenient network services for the society, and guarantees the orderly and free flow of network information in accordance with the law.
4 Article 8 of the Cryptography Law: citizens, legal persons and other organizations may protect network and information security in accordance with the law by means of commercial cryptography.
It is worth noting that despite the obvious trend of economic digitization in China, the basic national conditions of China as “a developing country with a large population” have not changed. After the transformation of the main social contradiction, the “data divide” between different subjects resulting from unbalanced and inadequate development will exist for a long time. The legislative purpose of “digital well-being” inevitably contains the inherent demand for inclusive development. On the one hand, efforts shall be made to narrow the “data divide” among different regions, industries and subjects to satisfy the multilevel, differentiated and personalized development and security needs of different subjects in the course of informatization development; on the other hand, it is necessary to guard against the deprivation of legal rights by “digital discrimination”, safeguard the rights of vulnerable groups or special groups to live nondigitally, and truly realize the sense of gain, happiness and security of different subjects.
5.2 Correctly Handle the Relationship Between Technological Development and Legal Initiative
The dialectical relationship between technology and law is embodied in the 40-year trajectory of China’s cybersecurity law-based governance. Generally, typical and intensive legislation and norms are also at the time when the corresponding information and network technologies tend to mature and be widely used. Several single point “outbreaks” of the rule of law in the middle and late 1990s and the comprehensive legislation since the second decade of this century correspond to the popularization of the public internet and the periodic characteristics of equal attention and response to network operation and network information security. From the past observation of the legal construction of global cybersecurity, “technology going ahead” and “law catching up” were actually universal. The internal drive and external introduction of technology and the guarantee and standardization of law all manifest their instrumental value as the main contradiction-solving mechanism in contemporary society. This kind of problem driving incurred by contradictions is characterized by “self-motivation” and “self-reinforcement”, which is reflected in the fact that in a long period of time in the future, the existing rule interpretation and actual law enforcement supervision around new technologies and new applications will continue to be carried out, and the legislative lag caused by technology will be alleviated. Moreover, when this kind of pragmatism cannot bear the cumulative effect of new technologies and new applications, it will inevitably spawn new legislation, new law enforcement means and new judicial decisions to keep up with the intergenerational pace of technology and avoid the situation in which the laws of the twentieth century regulate the technology of the twenty-first century.
Moreover, while adapting to technology, algorithm and code rules, law must also be independent as a mature scientific system. The “robustness” caused by natural delay reflects the checks and balances of technical risks, realizes benign self-value, and becomes a mechanism to
realize technical neutrality—it is not cost-effective to wait for the self-limitation to weaken the risks due to the absorption and driving of resources and manpower by the virtual scene constructed by information and network technology—to eliminate the abuse impulse of technology itself, and to evaluate before the possible social harmfulness appears. Because the uncertainty of technical risks and legal rules are mutually conductive and mutually compatible, the initiative of law provides a variety of possible paths for future legal construction of cybersecurity.
5.3 Promote the Development of Legislation, Law Enforcement and Judicature in a Scientific and Coordinated Manner
China’s legal cybersecurity construction must objectively understand the new normal of network social activities, accurately grasp the inherent laws of cybersecurity, scientifically facilitate cybersecurity legislation, cybersecurity law enforcement, cybersecurity judicature, cybersecurity law-abiding and even rule of law supervision in cybersecurity, etc., and expedite the construction of a rule of law model that unifies formal rule of law and substantive rule of law, thus offering a guarantee of rule of law in cybersecurity for a large cyber country to move toward a strong cyberpower, i.e., “consolidate fundamentals, stabilize expectations, and benefit the long-term”. First, it is important to fully demonstrate and prudently legislate. Guided by the idea of satisfying people’s growing new needs and expectations for a better life in the new era, on the one hand, the cybersecurity legal construction shall maintain a stable route of matching economic and social development planning with legislative planning, and increasingly push forward the progress from information security legislation, cybersecurity legislation to data security legislation along with the deepening of scientific and technological awareness. Moreover, legal cybersecurity construction is supposed to lay the cornerstone position of basic laws such as the Cybersecurity Law, Data Security Law and Personal Information Protection Law and make them stand the impact and test of postlegislative evaluation and the development of IT technology, which can not only prop up the establishment of a supporting system and build a compact and effective implementation system but also be independently applicable as the direct basis for law enforcement and judicial adjudication.
On the other hand, it is necessary to recognize the regional and level differences in different development stages and periods and allow some regions to make local legislation by means of the first trial and so on. These local legislations can reflect the development of regional information and network technology, focus on the characteristics of the regional network industry, and furnish materials as well as experience for continuous and higher-level legislation. Meanwhile, legislators should avoid surprise legislation and duplication of legislation that are purely problem-oriented. The considerations include the following: (1) These legislative problems will be transmitted to the law enforcement link, leading
to practical problems such as repeated evaluation and inspection. (2) Some technical problems or relevant legal risks have stage and locality and are also deeply linked with the scope and degree of technology development, popularization, and application. If the problems are not fully exposed, legislation will have difficulty summarizing the whole picture of the problems, which will also lead to the deviation of solutions. In addition, some staged problems will also fade with development, thus becoming “false problems”. (3) Cybersecurity legislation is characterized by hierarchical composition from laws, regulations to rules, guidelines and standards. Legislation with uneven granularity and inconsistent characteristics will lead to the disorientation of the subordinate supporting mechanism, resulting in either legislation invoking standards or standards repeat provisions, which is not beneficial to the fundamental solution of the problems. (4) Most importantly, although a large number of legal documents have been worked out in the domain of cybersecurity legislation in the past 40 years, the basic legal supply is actually insufficient, and the limited legislative resources shall be used in these key and basic legal work, such as the clear definition of legal concepts and attributes of information and data, basic work of data staging and classification, ownership arrangement of personal information and data, etc. These underlying issues determine the basic value and path direction of future cybersecurity legal construction. Of particular note is the legislative impact assessment. In recent years, theoretical research on legislative impact assessments in China has been on the rise and has gradually moved toward institutionalization. In 2015, the newly revised Legislative Law of China added the legislative assessment mechanism. 
Taking the Cybersecurity Law as an example, as an effective and important legislation that can standardize data security, the Cybersecurity Law has been implemented for more than four years. The effectiveness of the Cybersecurity Law and its supporting systems shall be assessed based on over four years of implementation experience to summarize, reflect and adjust whether cybersecurity legislation is scientific and reasonable in a prompt manner. For legislation such as the Data Security Law and the Personal Information Protection Law, we should fully evaluate its expected effects, including operability and legislative impact. Furthermore, China cannot ignore the international impact assessment in the design of the cybersecurity legislative system, including whether it will arouse questions from the international community and influence China’s national image and industrial development, whether it is essential, whether it can be enforced in the future, whether there is a better alternative mechanism, whether there is a flexible response mechanism to the current and future cybersecurity threats, and so on. Moreover, we should standardize law enforcement and consolidate capacity. Law enforcement practice in the past 40 years is not only a preface but also a chapter that brings together the law enforcement experiences of all cybersecurity-related departments. Although numerous problems in the supervision from information security to cybersecurity exist that await urgent improvement and solution, these problems and the paths to try to solve them are all the starting point and source of law enforcement in the future. From the experience and lessons of Cybersecurity Law enforcement in the past 40 years, the Cybersecurity Law enforcement in the future shall be balanced
and laid out in terms of system and personnel, embodying the coordination between static basis and dynamic implementation. Primarily, it is necessary to consolidate the system content of supervision and law enforcement and furnish a sufficient comprehensive basis for the establishment and implementation of the system, which can include all types of disciplines, such as law, economy, society, management, technology and psychology. Specifically, the system building and support include: (1) demonstrate the rationality and compatibility of the top-level design above supervision, especially the top-level design at the central level of information security, cybersecurity and data security, and demonstrate the formalization and embodiment of rights and interests of different legal values in cyberspace such as national security, social public interests, organizational rights and personal interests; (2) clarify self-consistency and mutual relations of all sorts of regulatory measures such as law enforcement inspection, assessment, guidance, assistance and interviews, and illustrate their interoperability and transformation with market-oriented mechanisms such as testing, certification and monitoring; (3) from the height of the construction of cybersecurity information sharing system, integrate and divide the regulatory coordination capacity construction, including planning, drills, monitoring, early warning, notification and so on, reflect the prethinking of cybersecurity risks and incident management, and offer a basis for cybersecurity information sharing and data security sharing in the future 4; (4) complete the effective connection between the existing laws and supporting Security laws and the laws under the Law. 
This is not only different from the Civil Code, the Personal Information Protection Law and other laws that focus on civil rights and interests in the future but also sets boundaries of criminal laws such as the Criminal Law and legislation to prevent cybercrimes. Second, there is an urgent need for the in-depth construction of law enforcement standardization and the improvement of law enforcement capability of administrative organs and personnel. Cybersecurity violations are often characterized by technicality, diversity and complexity. All administrative penalties imposed by regulators in accordance with the law under the Cybersecurity Law may be subjected to administrative reconsideration and even administrative litigation. The investigation and evidence collection of electronic data has become a key link in administrative law enforcement, and it is also the core evidence of possible administrative reconsideration and administrative litigation. As far as public security organs are concerned, it is one of the significant issues in the legal construction of public security organs on how to strictly follow the Procedure Rules for Public Security Organs on Handling Administrative Cases in consideration of the actual situation, improve the ability of case-handling personnel to collect, gain, fix and use electronic evidence, upgrade the quality of case handling, and standardize law enforcement behaviors. In the administrative law enforcement of cybersecurity, regulators often learn from the comparatively mature rules of electronic evidence collection and extraction, electronic evidence examination and judgment in the domain of criminal justice and carry out evidence collection and identification of electronic data in administrative law enforcement. In fact, there are differences in key evidence points, evidence requirements, quantitative circumstances and other issues between the evidence collection
of administrative law enforcement and the evidence collection of criminal cases. It may be one of the future directions to deepen administrative law enforcement of the Cybersecurity Law to achieve differentiation based on the formal requirements of the Criminal Law and refine the requirements for quantitative identification of administrative law enforcement, including the Cybersecurity Law. Furthermore, how to solve problems such as instant batch identification of massive electronic data and insufficient witnesses in administrative law enforcement of cybersecurity is also a direction worthy of study in view of high-quality and efficient law enforcement. From the point of improving the capability of law enforcement personnel and agencies, law enforcement personnel should build corresponding cybersecurity fields and disciplines, match the corresponding technical ability improvement system, and continuously maintain law enforcement ability through continuous relearning. Law enforcement agencies shall be in possession of corresponding technical reserves and even appropriate advanced law enforcement capabilities. It is desirable to provide them with multiple choices and support for scenarios such as password analysis and vulnerability detection via the design and implementation of algorithm computing power. In addition, judicial relief and interest balance. As the ultimate mechanism for evaluating network behavior and embodying legal value, future legal construction should continue to consolidate the independent interpretation and application of laws by judicial institutions, ensure the final adjudication function of rights and interests of various network behaviors and data activities, and realize guidance for law enforcement of individual cases and various network participants. 
Specifically, the following three points shall be taken into account: (1) deeply study and enforce the functions of Internet courts in the domain of cybersecurity and follow the functional trend of the development of information and network technology in the judicial domain; (2) bring into full play and carry out the decisive role of judicial personnel, particularly judges and other professionals, and while assisting the judiciary through technical means, avoid the restrictions and influences of algorithm deviation, data monopoly and even the future “quantum hegemony” on judicial personnel, and maintain people’s mental capability and discretion; (3) while pushing forward consistent judgments to similar cases and retrieval for similar cases, bring into full play the uniqueness and leading nature of justice in view of the cybersecurity cases with new technologies and new applications, keep the balance between new situations and new interests, “penetrate” the appearance and explain the essence of technology through the application of judicial laws, and gain insight into the impact society. Apart from that, comprehensive management and coordinated application. For the future cybersecurity legal construction, it is also necessary to be aware of the boundaries and limitations of the rule of law, which requires security governance to follow the law of scientific and technological development, and build a comprehensive governance system in which all types of governance models and measures are coordinated and applied, especially to study and judge some trends of scientific and technological development, including (1) in the integration of information technology and biotechnology, predict the normative role of other disciplines besides legal behavior regulation in virtue of the methodology of various disciplines such as law,
ethics, society and psychology; (2) when disruptive technologies such as quantum computing are combined with data economy and business application models, the comprehensive evaluation of law, economy, management and other related disciplines permeates the awe of technology and law in all aspects before, during and after the market-oriented supervision process; (3) admit the imbalance of social, economic and human development in the process of technological acceleration, and the risk of imbalance and inrunaway caused by the technological self-tainment technology” to share the society achievements of social achievements such as economic, economic, economic and human development, and even morality. Meanwhile, it also lowers the uncertainty risk of technology through the socialized risk sharing control mechanism, which is also the socialized risk innovation mechanism, which brings more possibilities for the future of cyberspace.
5.4 Design Security System Around the Core Element of Data

Data are playing an increasingly significant role in boosting economic growth, modernizing national governance capacity, and enhancing human well-being. “Data drive” has turned into the basic mode of modern society. Meanwhile, complex data security situations have impacted personal, public and even national security each passing day. For a long time, the protection of data security in China principally depended on the protection of computer information systems, trade secrets, copyrights and other rights and interests. As an independent right, “data security” has not received full attention in legislation. Thanks to the rapid development of information technology and the data economy, data, as a new and independent protection object, have gradually gained legislative recognition. Article 25 of the National Security Law of 2015 clearly proposed to “realize the security and controllability of core network and information technologies, critical infrastructure and information systems and data in important areas”, which directly raises data security to the height of national security. The Cybersecurity Law of 2017 incorporates data security as a significant part of cybersecurity. Cybersecurity classified protection systems, critical information infrastructure protection systems and personal information protection systems offer significant institutional support for the enforcement of data security. In 2018, the Data Security Law and the Personal Information Protection Law were incorporated into the legislative plan of the Standing Committee of the National People’s Congress, and special legislation on data security was put on the agenda. In the context that the Data Security Law and Personal Information Protection Law have not yet been introduced, China’s national level set out to probe into the system from bottom to top.
In 2019, the State Internet Information Office successively issued several supporting documents of the Cybersecurity Law, such as the Measures for the Administration of Data Security (Exposure Draft) and the Measures for the Assessment of Personal Information Outbound Security (Exposure Draft). The Civil Code
of 2020 also explicitly protects “personal information”, “data” and “virtual property” from the point of view of civil rights and interests, offering the basic legal basis for civil protection of data. The shortcomings of network data security governance exposed since the enforcement of the Cybersecurity Law for over three years, as well as the constantly developing data security situation at home and abroad, also raise higher requirements for China’s data security legislation in the future. On July 3, 2020, the Data Security Law (Draft), which lasted for three years, formally solicited opinions from the public and attracted much attention. On June 10, 2021, the Data Security Law was officially passed, serving as the basic law in the field of data security in China. Against the background of a severe data security situation and imperfect data security law-based governance in China, the Data Security Law assumes the important mission of resolving the internal and external risks of data security in China, constructing the core institutional framework of data security, and then safeguarding the security interests of individuals, the public and the country in the era of big data. Data security is a common problem that all countries are confronted with. From a global perspective, only China has officially promulgated a unified “Data Security Law”, which means that China’s data security legislation and even data governance rely more on local wisdom for theoretical innovation and system exploration. Data security concerns numerous stakeholders, such as individuals, enterprises, society and the country, is associated with numerous areas, such as the economy, politics, military affairs, etc., and relates to both online and offline environments. The corresponding coping strategies should also be systematic strategies through overall consideration. 
Moreover, in the context that basic legal issues such as data attributes and division of rights have not yet been clarified and data technology and industry are progressing with each passing day, it is difficult and complicated to establish supporting regulations for the Data Security Law and improve the data security governance system, which objectively requires meeting the elastic demands of current technology, industry and even theoretical development for data security system design. Looking into the future, legal system issues in the data field still await continuous exploration, and research on the nature, connotation, extension, object and classification of data rights should be intensified, thus offering underlying support for the protection of data rights. On this basis, complete national legislation shall cover a comprehensive data rights legal system, which includes data sovereignty maintenance, data rights confirmation, life cycle protection, supply chain supervision, review of cross-border transmission, review of overseas factors (capital, technology, products, personnel and services), supervision of data subjects, and data abuse as well as prohibition.
5.5 Conclusion

Every year, forty years. Our world today is undergoing profound changes unseen in a century. Following the profound development of global multipolarity, economic globalization, cultural diversification and social informatization, the global governance system has changed profoundly; whoever occupies the commanding heights of informatization is able to grasp the decisive opportunity, win superiority, win security and win the future. How to face instability and uncertainty in the post-epidemic era and safeguard national sovereignty, security and development interests; how to revitalize the basic information industry in the deglobalization dilemma of foreign supply cutoff and technology decoupling; how to rationally arrange legislative planning and industrial reform, narrow regional differences, and fulfill the benign development of cyberspace; how to improve the social governance pattern of co-construction, common governance and sharing focused on government supervision and with joint endeavors of all parties, make people live and work in peace and contentment and achieve social stability and order: these have become the problems that must be solved in the process of China’s cybersecurity legal construction over the next four decades. To address these issues, for China’s cybersecurity legal construction in the future, it is necessary to find the demand of the rule of law in the conflict between traditional economy and digital economy, to seek security laws in the differences between developed and developed regions, to actively rise to challenges in the combination of social security and economic development, to determine China’s plan from the point of view of the world and the foundation of domestic practice, and to balance security and development, domestic and international as a whole.
In the future, legal cybersecurity construction shall not merely attach importance to the new requirements of the “new era” for the national cybersecurity strategy but also guard against the new threats that new technologies may bring to national and social security and carry out the new task of “new contradictions” for cybersecurity protection. It is not only required to fully release the digital economic dividend with “data” as the core and narrow the “data divide” of different subjects as much as possible but also needs to insist on people-oriented principles and inclusive development to avoid digital discrimination against vulnerable development groups. It is not only necessary to perfect and implement cybersecurity legislation, law enforcement and judicature driven by “innovation” but also to consolidate national cybersecurity culture with “technology” as the link in a bid to achieve synergy.
Annex: Research on Global Data Trading Practices, Industry Norms and Legal Issues
Abstract

With the convergence of information technology and human production and life, all sorts of data increase by leaps and bounds. Moreover, the issue of data property rights has been regarded as a new legal problem, which has aroused extensive discussion and debate at home and abroad. From a global point of view, the issue of data property rights is still in the stage of theoretical research, and no country has confirmed data property rights in legislation until now. Domestic scholars can be classified into pros and cons. The pros hold that because of the development of big data, the Internet of Things, cloud computing and other technologies, traditional laws can no longer satisfy the needs of adjusting the interests of the current data economy. To encourage enterprises to record, store and share data more frequently, new data property rights should be created to boost the innovation and development of the digital economy. The cons consider that data are naturally characterized by circulation and sharing, which can be collected and acquired through different channels and cannot be monopolized by civil subjects; civil subjects cannot directly control data but control data carriers; the value of data can be realized and protected by the self-control of subjects of data activities. Thus, data should not be regarded as an independent property. In addition, the establishment of new data property rights may jeopardize the competition and freedom of information. However, based on the division of personal data and nonpersonal data, many foreign scholars have conducted profound research on the necessity and legitimacy of introducing the concept of “data ownership”. For instance, based on the research on the “data ownership” dispute published by the Max Planck Institute for Innovation and Competition in Germany in 2017, at present, there is no “data ownership” in the EU, EU member states or any other industrialized countries.
The research also stated that to explore the introduction of “data ownership”, it is necessary to distinguish between “personal data ownership” and “nonpersonal data ownership”. With regard to personal data, under the current framework, the General Data Protection Regulation (GDPR) is sufficient to protect individual rights, and there is no need to introduce data ownership. Since the rights linked with personal data need to be
implemented by many Internet service providers, global social networks and Internet search engines capable of influencing users’ behavior may become stronger based on this new right. Users are in a weak position, and it is rather difficult for them to participate in the distribution of benefits. Therefore, granting personal data ownership cannot achieve the goal of better protecting individuals. For nonpersonal data, none of the studies conducted by the European Commission can prove the existence of relevant market failures that would provide legitimacy for introducing the rights of data producers or data ownership. The White Paper on Building Digital Economy in Europe—Data Ownership issued by the European Union in January 2017 also mentioned that owing to the complex data value cycle, many stakeholders may attempt to claim ownership of data, for instance, because they create or generate data or because they use, compile, select, structure, reformat, enrich, analyze, purchase, license or increase the value of data. Thus, different stakeholders can only enjoy different rights based on their specific roles, and no single data stakeholder will possess exclusive rights. China puts a high premium on data property rights. In December 2017, General Secretary Xi delivered a speech during the second collective study of the 19th Central Political Bureau, clearly stating that it is requisite “to draw up relevant systems for confirmation of data resource, opening, circulation and transaction, and perfect the protection systems of data property rights”. Many policy documents, such as the Notice of the State Council on Issuing the “13th Five-year” Plan on National Informatization and the Opinions of the CPC Central Committee and the State Council on Accelerating the Perfection of the Socialist Market Economic System in the New Era, have repeatedly mentioned that the definition of data ownership shall be perfected.
However, owing to the complexity of the data itself and related stakeholders, the basic theoretical problems linked with data have not yet been solved, enormous differences exist, and the related legislation has progressed slowly. The relevant provisions on personal information and data in the Civil Code promulgated in 2020 embody the caution and hesitation of legislation in data confirmation. For personal information, Article 111 of the Code exhibits the basic position of security protection; Civil Code (right of personality) clearly specifies the related concepts of personal information, the rights of natural persons, the reasons for the exemption of infringing personal information, and the fair use of personal information, but it does not set personal information rights, but only provides a path for personal information to be protected through personality interests. For the rights and interests of data other than personal information, the Code has not made it clear but has left it to be resolved by future legislation. The Data Security Law of 2021 has made it clear that the country shall establish a data exchange management system. However, from the current version, the law regulates data issues more from the point of view of public authority supervision and does not empower data. In recent years, local governments in China have actively explored data legislation. The Shenzhen Special Economic Zone Data Regulations (Exposure Draft) issued by Shenzhen in 2020 initiated the concept of data rights and made numerous creative regulations on the ownership of personal data and public data. However, the Exposure Draft has been questioned because it violates the provisions of the Legislative Law of the People’s Republic of
China (hereinafter referred to as the Legislative Law) that the basic civil system and the basic economic system can only be regulated by making laws. In other words, it is difficult to clearly create a new type of right of “data rights” through local laws and regulations. Although the final version has not yet formed a unified understanding of the issue of data ownership in China, the Shenzhen Special Economic Zone Data Regulations clarifies that “personal data has the attribute of personality rights” and that “the enterprise has property rights and interests in the data products and services formed by its massive intellectual labor”. It also stipulates that natural persons, legal persons and nonlegal organizations shall enjoy property rights and interests prescribed by laws, administrative regulations and regulations on data products and services formed by their lawful processing of data and may independently use, obtain profits and dispose of data products and services according to law. This report is not intended to address the brand-new legal issues arising from the development of data property rights in this era. In fact, we view that with the fourth industrial revolution marked by big data, cloud computing, unmanned driving, AI, 5G, etc. sweeping across the world, the far-reaching influence of data, a nontraditional element, on social development and changes can never be fully dealt with through the original thinking and methods, particularly as a law that regulates specific social relations. This report attempts to comprehensively summarize and sort out the data trading practices, incidents, industry norms and transaction characteristics at home and abroad from an empirical point of view. Meanwhile, it makes an all-round investigation and judgment on the current situation, dynamics and trends of data exchange legislation in the European Union and the United States. 
Last but not least, it also concludes the three major practical difficulties of big data exchanges in China, with a view to benefiting the research on data property rights.
Domestic and International Data Trading Practices as Well as Industry Norms

Current Status of Extraterritorial Data Transactions

Concept of Data Broker

Internationally, middlemen engaged in data transactions are called data brokers. Based on the definition of Wikipedia, data brokers collect personal data from public records or private sources, such as censuses, materials submitted by users to social networking sites, media and court reports, voter registration lists, and purchase records; then, the data collected will be put into personal files, covering age, race, gender, marital status, occupation, family income, etc. Finally, data brokers will sell these personal files to organizations that push advertisements or conduct marketing for specific groups or to individuals and government agencies for research.
The European Data Protection Supervisor defines a data broker as an entity that collects personal information about consumers and sells it to other organizations.¹ The Federal Trade Commission (FTC)² defines a data broker as a company that sells information to customers with multiple purposes (including verifying personal identity, distinguishing records, marketing products and preventing commercial fraud) and collects personal information, including consumers, from all types of sources. Vermont Data Broker Regulation (Act 171 of 2018) clearly defines the concept of a data broker in law for the first time, which is of crucial significance to the supervision of the data broker industry in judicial practice.³ The Data Broker Regulation defines a data broker as a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. The identification of data broker activities shall include the entry and exit of data. In addition, the Data Broker Regulation lists two situations in which the relevant organizations or individuals cannot be identified as data brokers:

I. Examples of a direct relationship with a business include if the consumer is a past or present: (i) customer, client, subscriber, user, or registered user of the business’s goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.

II. The following activities conducted by a business and the collection and sale or licensing of brokered personal information incidental to conducting these activities do not qualify the business as a data broker: (ii) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier; (iv) Providing publicly available information via real-time or near real-time alert services for health or safety purposes.
The Act also excludes personal brokerage information associated with consumers’ business or occupation available from public channels from the scope of supervision.
Development Course of Data Trading Platform

At present, China’s data broker industry is still in its infancy, while this industry has matured in European and American countries.⁴ Throughout history, the development of foreign data brokers can be classified into two stages: the nonelectronic era and the electronic era. In the nonelectronic era, the European and American data broker industries underwent a long development process. In the 1920s, Berlin Municipal Electric Power Company of Germany conducted individual installment payment evaluations based on users’ electricity payment status, initiating the development of the German data broker industry. In the United States, the first credit bureau appeared in Brooklyn, New York, in the 1860s, marking the budding of the American data brokerage market.⁵ Equifax Company was founded in the late nineteenth century, and now it has become one of the three major personal credit reporting agencies in the United States. At the beginning of the twentieth century, the Consumer Data Industry Association (CDIA) was established, chiefly aiming at promoting the sharing of consumer credit information across the country and becoming the spokesperson of the consumer credit reporting industry.⁶ In the midtwentieth century, the credit card industry developed in a rapid manner, the large increase in the number of customers made banks and other financial institutions strongly call for data brokerage, and a large number of credit institutions sprung up, providing customer information to financial institutions and looking for potential lenders. In the 1970s, Claritas introduced a “lifestyle segmentation system”, which furnished marketers with customer preference information by analyzing consumer data. In the 1980s, Fair Isaac Corporation (FICO) was incorporated and built a credit scoring model, which has been used by major banks ever since.

In the electronic era, the data broker industry developed in a vigorous manner by virtue of big data analysis technology. For example, founded in 1969 and headquartered in Arkansas, USA, Acxiom renders consumer data and data analysis services for marketing activities and fraud detection. The database contains the information of 700 million consumers on a global scale, and now its branches have spread all over 12 countries around the world.⁷ Datalogix is a well-known data collection company that provides enterprises with marketing data of American families as well as consumption trading data of over one trillion dollars. In 2012, Facebook cooperated with Datalogix to analyze user data and evaluate the advertising effect on the strength of big data technology. Rapleaf is an American Internet data integrator with more than one data point that can connect more than 80% of American users’ email addresses and more than 30 diversified data points. Moreover, the company also added personal information such as the age, gender and marital status of e-mail users to its list of e-mail addresses.⁸ Since the twenty-first century, many data broker companies have been incorporated in various countries to collect and analyze data, which is in line with market demand, as shown in the following table (Table 1).

¹ https://edps.europa.eu/search/site/Data%2520Broker_en. Access date: 2020-08-11.
² FTC report of 2012, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers. http://ftc.gov/os/2012/03/120326privacyreport.pdf. Access date: 2018-08-11.
³ Xing and Yujiao [1].
⁴ Yao [2].
⁵ Jiguang [3].
⁶ Xiangyan and Jinglv [4].
⁷ Baidu Encyclopedia. https://baike.baidu.com/item/acxiom/4471252?fr=aladdin. Access date: 2020-08-11.
⁸ Apocalypse: The American Chapter of Data Exchange Development Model. https://www.sohu.com/a/117889199_353595. Access date: 2020-08-11.
Annex: Research on Global Data Trading Practices, Industry Norms …
Table 1

| No. | Country | Name | Business type |
| --- | --- | --- | --- |
| 1 | The United States | Factual | Location-related data set |
| 2 | | Iofochimps | Online data mart, the main data focus on geographical location, social and network |
| 3 | | Microsoft Azure | An open and flexible enterprise-class cloud computing platform, which aims to set up a platform for developers to help develop applications that can run on cloud servers, data centers, the Web and PCs |
| 4 | | Databroker DAO | Targeted at IoT sensor data |
| 5 | | Acxiom | Provide consumer data and analysis for marketing activities and fraud detection |
| 6 | | Corelogic | Offer data and analysis services to enterprises and governments based on property information and consumer and financial information |
| 7 | | Datalogix | Provide enterprises with marketing data of almost every American family and more than one trillion US dollars of consumer transactions |
| 8 | | eBureau | Provide predictive scoring and analysis services for marketers, financial service companies, online retailers, etc. |
| 9 | | ID Analytics | Used to verify the identity of a person or determine whether a transaction may be fraudulent |
| 10 | | Intelius | Provide background checks and public record information for enterprises and consumers |
| 11 | | PeekYou | With patented technology, it can analyze the content from more than 60 social media websites, news sources, homepages and blog platforms to furnish customers with detailed consumer information |
| 12 | | Rapleaf | Data integrator |
| 13 | | Recorded Future | Collect historical data of consumers and companies on the Internet and predict the future behaviors of these consumers and companies with this information |
| 14 | The UK | ODI (The Open Data Institute) | The world’s first nonprofit open data research institute |
| 15 | France | date.gouv.fr | A disclosed data platform, allowing citizens to freely inquire and download public data, which involves national financial expenditure, air quality, French national library resources and the like |
| 16 | Japan | Fujitsu | Provide a full range of technical products, solutions and services |
Development Status of Data Brokers

The report Data Brokers: A Call for Transparency and Accountability released by FTC in 2014 suggests that the existing data brokers in the United States are classified into three modes based on different business types.
Data Brokers Providing Marketing Services

This type is principally used to satisfy business needs or fulfill marketing purposes. Data brokers provide three services: direct marketing, online marketing and marketing analytics. First, direct marketing includes data appends and marketing lists. In a data append, customers of data brokers supply some information about target consumers and ask the data brokers to attach further information so that subsequent marketing activities can be better targeted. For example, customers can supply the names and addresses of target consumers and ask data brokers to provide the telephone numbers, email addresses and other information of those consumers. In marketing list services, data brokers supply customers with consumer information matching the target attributes the customers specify, so that relevant products and services can be pushed to consumers with those attributes. In addition, online marketing includes three types: (a) registration targeting; (b) collaborative targeting; and (c) onboarding. Registration targeting principally serves registered websites. When registered websites wish to push personalized service content to users or show third-party advertisements that are more attractive to users, they can provide their list of registered users to data brokers for analysis, and the data brokers return the corresponding analysis results. Collaborative targeting principally serves third-party advertisers and registered websites. It is used to analyze potential consumers and expected benefits for both parties when an advertiser chooses to advertise on a website. The data broker, acting as a third-party data service provider, conducts crosstab analysis on the consumer information of both parties without either party disclosing its consumer information, thus offering a reference for subsequent cooperation. Onboarding, the last of the three, refers to the process in which data brokers add offline data to cookies (the offline data loading process) so that advertisers can target consumers almost anywhere on the Internet. This process permits advertisers to decide which advertisements to show consumers on the Internet on the basis of the consumers’ offline activities. Finally, marketing analytics chiefly provides customers with post-marketing analysis, which helps them locate consumers more accurately for advertising activities, enhance the information of products and activities, and gain insights and information about consumers’ attitudes and preferences.
Data Brokers Providing Risk Mitigation Services

This type is principally used for security purposes, in a bid to guarantee the security of daily transactions or avoid fraud. This service includes identity verification and fraud detection. Identity verification is used to help customers identify and confirm the identity of consumers, thereby reducing fraud and other problems in the transaction process. In most cases, the information used in the identity verification service is content that consumers clearly know but that identity thieves cannot acquire. In the fraud detection service, data brokers can offer information to help their customers verify the reliability or authenticity of the information submitted by consumers and help companies that have suffered data leakage incidents verify whether the leaked data are being misused.
Data Brokers Providing People Search Services

This type of service is principally provided for individuals, although organizations may also use it. Through people search services, customers can track other people’s activities, find records, and so on. Most of the information furnished by data brokers is from government or other public sources, such as social media networks. To search, customers must provide at least one attribute, such as a name, address or telephone number.
Fig. 1 Income distribution mode of data trading mart of data broker DAO
Investigation of Typical Data Trading Platform Models—Taking Data Broker DAO as an Example

As the first IoT sensor data mart that directly links data owners and purchasers, Data broker DAO offers a platform for sensor data transactions. The platform is principally composed of sensor owners, gateway operators, data purchasers and data processors. Specifically, sensor owners, that is, data sellers, sell their own sensor data through the DAO platform. Data buyers are stakeholders who purchase data from the platform. They are classified into two groups: buyers who acquire the original data for their own use, and buyers who acquire the original data, reprocess, transform and enrich it, and then sell it on the DAO platform with new added value. A buyer of the latter kind is called a data processor. In addition, gateway operators take part in platform transactions; they are responsible for publicizing the gateways they operate so that sensor owners can sell their own data on the platform. For the profit model, sensor owners obtain 80% of the revenue, gateway operators obtain 10%, and the DAO platform obtains 10% (please refer to Fig. 1a).9
Current Status of Data Transactions in China

China has a huge number of netizens,10 which results in a strong demand for data value in the mass data environment. Pursuant to the Guiyang Big Data Exchange Guanshanhu Pact, data exchange is the transaction after commercializing data as an asset. First, data are changed into products through data collection, processing, analysis and conclusion; then, in consideration of commercial application scenarios, the products are reprocessed and reanalyzed to obtain visual results; finally, the data products and visualization results are sold to the data demanders in line with reasonable data exchange rules. In recent years, China’s data exchange market has developed in leaps and bounds, and more than ten data trading platforms have been set up. China’s data trading platforms can be classified into government, industry alliance and business types based on different departments or structural forms (please refer to Table 2 for some examples). The data supply and demand sides involve multiple subjects, such as government departments, commercial organizations and individuals. Details are as below:

Fig. 2 Size and growth rate of China’s big data exchange market from 2014 to 2020 (footnote 11)

9 The picture comes from Data broker DAO’s White Paper entitled Global Market of Local Data.
10 The 41st Statistical Report on Internet Development in China by CNNIC reveals that, as of December 2017, the number of Chinese Internet users was up to 772 million, with a penetration rate of 55.8%, exceeding the global average (51.7%) by 4.1 percentage points and the average level in Asia (46.7%) by 9.1 percentage points. http://cnnic.cn/gywm/xwzx/rdxw/201801/t20180131_70188.htm. Access date: 2018-08-16.
Government Platforms

Taking the Global Big Data Exchange as an example, members of the exchange are eligible to carry out big data exchanges on the Global Big Data Exchange. Big data trading is principally conducted in the form of electronic transactions. Through the online big data exchange system, customers are matched for big data exchanges, and the qualifications of the data supply and demand sides are evaluated and confirmed on a regular basis. In addition to providing big data exchanges, the Global Big Data Exchange also provides data cleaning, modeling and analysis services, helping big data suppliers extract data value and turn it into tradable data assets, while data demanders can make a request for purchase on the exchange, and the exchange will comprehensively integrate the data sources of data suppliers to satisfy all data demands of buyers. In this process, the exchange itself cleans, models, analyzes and operates the trading data, which guarantees the security and degree of desensitization of the data, so the potential legal and compliance risks are comparatively low. In addition, the membership restrictions and the endorsement of the exchange render the data exchange more reliable. At the same time, however, because the exchange operates on the data, it needs more comprehensive and credible data cleansing, which can avoid the excessive loss of data value while ensuring data security.12

11 Figure 2 is from page 53 of 2016 White Paper on China’s Big Data Trading Industry released by Guiyang Big Data Exchange.

Table 2 List of data trading platforms in China

| No | Name | Introduction | Nature | Website |
| --- | --- | --- | --- | --- |
| 1 | Global Big Data Exchange | China’s first big data exchange, Global Big Data Exchange, has developed more than 2000 members and accessed 225 high-quality data sources. After desensitization and decryption, the total amount of tradable data exceeds 150 PB, and there are more than 4000 tradable data products covering more than 30 fields, becoming a comprehensive and all-category data trading platform | Government type | |
| 2 | Wuhan East Lake Trading Center for Big Data | China’s first service organization to explore and implement the “Solutions to the Operation of Government Data” | Government type | http://www.chinadatatrading.com/ |
| 3 | East China Jiangsu Big Data Trading Center | It is the first leading cross-regional, standardized and authoritative provincial-level state-owned big data asset trading and circulation platform approved by the state in East China. In November 2015, it was set up in Yancheng Big Data Industrial Park, Jiangsu Province, a national big data industry base, and it assumes the heavy responsibility for boosting the value-added and open circulation of state-owned data and the development of big data industry in Jiangsu Province | Government type | http://www.bigdatahd.com/ |
| 4 | Shaanxi “Xixian New District Big Data Exchange” | The first large data trading platform around “Belt and Road” economic belt | Government type | |
| 5 | Hebei Big Data Trading Center | It is not only the first service organization to carry out data asset securitization but also the first data asset trading platform in North China | Government type | |
| 6 | Shanghai Data Exchange Corp | It is a state-controlled mixed-ownership enterprise jointly approved by the Shanghai Municipal People’s Government, the Shanghai Municipal Commission of Economy and Informatization and the Shanghai Municipal Commission of Commerce, responsible for promoting the circulation of commercial data, interregional institutional cooperation and data interconnection, and the integration and application of government data and commercial data | Government type | https://www.chinadep.com/index.html |
| 7 | Harbin Data Trading Center | Harbin Data Trading Center was organized and initiated by the General Office of Heilongjiang Provincial Government, and approved by the Provincial Finance Office, the Provincial Development and Reform Commission, the Provincial Industry and Information Commission and other departments. It is an innovative trading place that provides data trading services for the whole country. In the model of “government guidance and market operation”, it renders complete services such as data trading, settlement, delivery, security, data asset management and financing | Government type | |
| 8 | Zhongguancun Big Data Industry Alliance | Founded in December 2012, it has been devoted to boosting the development of big data industry, and it is the first industrial organization facing data transactions in China as well | Industry alliance | |
| 9 | Datatang | The first listed new three-board enterprise in China’s artificial intelligence data service industry | Business type | |
| 10 | Zhongguancun Shuhai Big Data Trading Platform | It is the first data trading platform in China, which promotes the circulation of data, gives full play to the commodity attributes of data, stimulates data exchange and integration, and will drive the prosperity of big data industry | Business type | |
| 11 | Central China Bigdata Exchange | It is China’s first network-wide big data trading platform and the first comprehensive real-time online trading system in China that independently supports both individual and institutional users | Business type | |
| 12 | Qiantang Big Data | It is an industrial big data application and trading platform | Business type | http://www.qtbigdata.com/index.html |
| 13 | BDG Store | As the world’s first big data industry chain ecological platform, it conducts research and development through international mainstream big data ecological technology, with advanced big data asset operation concepts, bringing together nearly 1000 big data companies around the world | Business type | |
| 14 | Youedata | Launched by the State Information Center, it is the first data platform with national information resources in China | Business type | https://www.youedata.cn/companyprofile/ |
| 15 | ChinaDataPay.com | It is the first operation and management platform for big data assets jointly built by the ministerial and provincial level in China, and the first big data innovation and entrepreneurship platform | Business type | https://www.chinadatapay.com/ |
| 16 | Shuliang | It is a circulation platform in the field of big data, which is used for trading data resources and big data technology applications, and supports transaction modes such as API interface, data packet download and customization | Business type | |
| 17 | Baidu AI Cloud-Cloud Market | It is a trading and delivery platform for cloud computing software or commodities built by Baidu AI Cloud, provided with over 1000 kinds of several commodity categories, including mirror environment, site promotion, enterprise application, artificial intelligence, data intelligence, blockchain, panrobot, software tools, security services, cloud services, API services, etc. | Business type | https://cloud.baidu.com/market/list/125 |
| 18 | JD Wanxiang | It is a comprehensive data open platform focused on data opening, data sharing and data analysis. The data types principally include finance, credit reporting, e-commerce, quality inspection, customs and operator data | Business type | https://wx.jdcloud.com/ |
| 19 | Juhe Data | It principally provides two core services: data services in the form of API data interface; data application services with big data technology | Business type | https://www.juhe.cn/ |
Industry Alliance Nature Trading Platforms

Different from the mode in which the Global Big Data Exchange engages in data processing, the platform under the Zhongguancun Big Data Trading Industry Alliance itself does not store and analyze data but engages in the data trading process as a neutral third party, providing only a trading platform for the data supply and demand sides.
Business Platforms

Taking Datatang as an example, as a commercial data platform, Datatang principally collects data by means of web crawlers and crowdsourcing in line with the requirements of data demanders and sells it after sorting, proofreading and analysis, or forms data products for sale by integrating, editing, cleaning and desensitizing data in cooperation with other data owners. In this process, only two subjects, namely, Datatang and the data demander, are involved in most cases. In this mode, the two parties communicate directly on data requirements with a lower threshold, and the data collection and trading are more targeted, which renders the data more valuable and efficient. However, owing to the lack of supervision by third-party institutions, there are high requirements for the compliance and self-discipline of both parties to the transaction, which easily gives rise to illegal behaviors.
12 Jinxin [5].
Typical Data Transaction Violations at Home and Abroad

Illegal Disclosure Case of Torch Concepts, JetBlue Airlines and Acxiom Company

In 2003, the American Electronic Privacy Information Center (EPIC)13 complained to FTC that JetBlue Airways Corporation and Acxiom Corporation engaged in deceptive trade practices affecting commerce by disclosing consumer personal information. They engaged in these activities without the knowledge or consent of the affected consumers, and in contravention of public assurances that the personal information they collected would not be disclosed to third parties.14 In the complaint, EPIC stated that prior to September 2002, Torch Concepts was hired by the United States Army “to determine how information from public and private records might be analyzed to help defend military bases from attack by terrorists and other adversaries.” Hence, in September 2002, Torch Concepts acquired itinerary information of more than 1.5 million passengers from JetBlue with the assistance of the Transportation Security Administration, including the names, addresses and telephone numbers of passengers. In October of the same year, Torch Concepts purchased the demographic data of 40% of the aforementioned 1.5 million passengers from Acxiom Company, including gender, economic status (income, etc.), number of children, social security number, etc. On or about February 25, 2003, Torch Concepts made a presentation entitled “Homeland Security Airline Passenger Risk Assessment” at a conference, which involved the research results based on the above data. The report disclosed the “abnormal population statistics” of a JetBlue passenger, including address, social security number, birthday and other information, although the passenger could not be identified by name. Moreover, the presentation for the speech was publicly available on the website until September 2003.
In this respect, EPIC considered that JetBlue had stated in its privacy policy that “the financial and personal information collected on this site is not shared with any third parties”, while Acxiom had confirmed that it would not offer any information to individuals, whether public or nonpublic. Acxiom also did not allow its customers to make any nonpublic information available to an individual. At the same time, there was no evidence that the two companies provided notice to or obtained the consent of any passengers about this data transaction. Hence, EPIC held that JetBlue’s activities constituted deceptive trade practices and Acxiom’s practices constituted unfair and deceptive trade practices, and requested that FTC initiate an investigation into the information collection and dissemination practices of JetBlue and Acxiom; order JetBlue and Acxiom to notify all individuals affected by the transaction that their personal information was disclosed to Torch Concepts; order JetBlue and Acxiom to obtain the express consent of any consumer whose information is disseminated in this manner in the future; permanently enjoin JetBlue and Acxiom from violating the Federal Trade Commission Act, as alleged herein; and order JetBlue and Acxiom to pay such civil penalties as may be appropriate.

13 Established in 1994, the Electronic Privacy Information Center (EPIC) is a nonprofit public interest research organization, and its main activities include the review of government and private sector policies and practices to determine their possible impacts on individuals’ rights.
14 https://epic.org/privacy/airtravel/jetblue/ftccomplaint.html. Access date: 2018-08-14.
Illegal Trading Case of ChoicePoint

ChoicePoint15 is one of the largest data brokerage companies in the United States, which sells personal information of consumers, including names, social security numbers, dates of birth, employment information and credit records, to more than 50,000 enterprises. On September 27, 2004, ChoicePoint discovered that some customers of small businesses in Los Angeles were engaged in suspicious activities. Subsequently, the company informed the police of this situation but did not inform the individuals affected by the data leakage. It was not until February 2005 that the company informed 35,000 Californian consumers of this situation in accordance with the law. Then, under the pressure of public opinion, the company further informed 128,000 American residents involved in the data leakage. Upon investigation, the data leakage resulted in at least 800 cases of identity theft. In 2006, FTC punished the company for this incident. FTC stated that ChoicePoint sold a large volume of consumer information to criminals for identity theft.16 ChoicePoint did not have reasonable procedures to screen prospective subscribers and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious “red flags.” Apart from that, FTC indicated that ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. On this point, FTC considered that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports—credit histories—to subscribers who did not have a permissible purpose to obtain them and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information. FTC finally required the company to pay a civil fine of 10 million U.S. dollars17 and provide $5 million for consumer redress, which was the largest civil fine in FTC history at that time.
Furthermore, FTC required the company to carry out new procedures to guarantee that it only provided consumer reports to legitimate enterprises for legitimate purposes. FTC also required the company to establish, implement, and maintain a comprehensive information security program, which will be audited by independent third-party security professionals every other year until 2026.

15 In February 2008, Reed Elsevier (parent company of LexisNexis) acquired the company for USD 4.1 billion, and the company changed its name to LexisNexis Risk Solutions.
16 https://www.ftc.gov/news-events/press-releases/2006/12/ftc-launches-redress-program-choicepoint-identity-theft-victims. Access date: 2018-08-12.
17 https://www.ftc.gov/news-incidents/press-releases/2006/01/choicepoint-settles-data-securitybreach-charges-pay-10-million. Access date: 2018-08-12.
Illegal Trading Case of Sitesearch Corp, LeapLab LLC and Leads Company LLC

In December 2014, FTC filed a lawsuit in the US District Court,18 accusing Sitesearch Corp, LeapLab LLC, and Leads Company LLC of selling the application information of consumers’ payday loans19 to nonlenders without consumers’ knowledge or consent, involving consumers’ financial accounts, social security numbers and other sensitive personal information. Specifically, a customer of the defendants, Ideal Financial Solutions, used sensitive consumer information to debit consumers’ financial accounts without authorization, and the defendants knew or had reason to know of that company’s behavior. From 2006 to the end of 2013, the defendants, as data brokers, collected the loan application information of consumers from thousands of payday loan websites and sold it to nonlenders, including fraudsters, spammers and telemarketers. From 2009 to 2013, Ideal Financial Solutions purchased the financial information of at least 2.2 million consumers from data brokers and used it to charge consumers’ bank accounts for so-called financial products without the consumers’ consent. By solely using consumer information offered by the defendants, Ideal Financial deducted at least 4.12 million dollars from consumers’ bank accounts. In this regard, FTC requested that the court issue a permanent injunction against the defendants and order them to bear consumers’ losses, including without limitation, canceling or renewing the contract, restoring to the original state, and refunding paid money.
Industry Norms of Data Transactions

Although China’s big data exchange industry has been developing for some time, there is still no specific legislative regulation for data exchange. Most data exchanges draw behavioral boundaries for data exchange by means of platform rules and industry conventions. Platform rules include those of Shanghai Data Exchange Corp. and Harbin Data Trading Center, and industry conventions cover the Guiyang Big Data Exchange Guanshanhu Pact of Global Big Data Exchange, the Zhongguancun Big Data Industry Alliance Self-discipline Pact (Trial), etc. After sorting, both platform rules and industry conventions principally involve the following aspects:

18 https://www.ftc.gov/news-incidents/press-releases/2014/12/ftc-charges-data-broker-facilitating-theft-millions-dollars. Access date: 2018-08-14.
19 A payday loan is a generic name for a short-term, high-fee, unsecured loan, which is usually used to fund consumers in anticipation of an upcoming salary. Payday loan websites usually help consumers collect payday loans. To this end, they require consumers to fill out applications, which mostly include name, address, telephone number, employer, social security number and bank account number, etc.
Limiting the Scope of Data Circulation

At the Industry Standard Level

In the US, the Direct Marketing Association (DMA)’s Guidelines for Ethical Business Practice20 require that marketing data shall not be used for the following purposes: ➀ employment qualifications: uses that produce unfavorable conditions or cancel alternative qualifications for individual employment, promotion, redistribution, punishment or retention; ➁ credit rating: uses that create unfavorable conditions for personal credit or cancel alternative qualifications; ➂ qualifications of medical care treatment: uses that create unfavorable conditions for individuals to receive medical care treatment or cancel alternative qualifications; ➃ insurance qualifications, underwriting and pricing: uses that create disadvantages or cancel alternative qualifications for personal insurance, including without limitation, health insurance. Moreover, notwithstanding other provisions, credit card numbers, checking account numbers and debit account numbers are all deemed sensitive personal data, so if consumers wish the data to be kept confidential, it is forbidden to use these data for exchange, lease, sale, access permission or transfer marketing. Such financial accounts shall not be publicly displayed in marketing promotion activities or made public in other ways. Last, social security numbers are also considered sensitive personal information, so third parties shall not use the information for transfer, lease, sales or exchange in their own marketing process and shall not publicly display the information in marketing promotion activities or in other ways. Apart from that, it is forbidden to use social security numbers for marketing purposes, except for fraud identification, authentication, data matching, data accuracy and completeness.
The data prohibited from circulation and transactions by the Guiyang Big Data Exchange Guanshanhu Pact are data characterized by: involving state secrets and other matters protected by law; endangering national security, subverting state power, undermining national unity or disclosing state secrets; damaging national honor and interests; inciting national hatred and ethnic discrimination to undermine national unity; violating national religious policy and promoting cults and feudalistic superstition; damaging social stability through spreading rumors and disrupting social order; disseminating obscenity, pornography, gambling, violence, murder, terror or instigation to crime; insulting or defaming others or infringing the legitimate rights and interests of others. Data involving other people’s intellectual property, trade secrets, personal information and other rights shall not be traded on the trading platform unless the explicit permission of the obligee is obtained. The Zhongguancun Big Data Industry Alliance is an industrial alliance in nature that manages its members through a self-disciplinary pact. It is specified in the Zhongguancun Big Data Industry Alliance Self-discipline Pact (Trial) signed in December 2017 that members shall not produce, publish or disseminate data information that endangers national security and social stability and violates laws and regulations. Members shall not peek at, transfer, spread or trade data information in violation of national laws and regulations and without authorization of users.

20 DMA’s Guidelines for Ethical Business Practice intends to furnish universally accepted codes of conduct for individuals and entities that are involved in data-driven marketing in all media. These guidelines manifest DMA’s long-term policy, that is, keeping the highest ethical level in data management and marketing. DMA holds that DMA, members of the association and all entities involved in data and marketing shall be held responsible for developing reliable consumer relations on the principles of fairness and morality. https://thedma.org/accountability/ethics-andcompliance/dma-ethical-guidelines/. Access date: 2018-08-16.
In Terms of Platform Rules

According to the rules[21] of the American Factual platform, users must not submit illegal, defamatory, false, fraudulent, obscene or other objectionable content; users must not submit any content or material that is irrelevant to their intellectual field, inaccurate or unrepresentative; users must not submit any content containing computer viruses or other code that can damage the platform or other third-party computer systems; users must not submit any content that infringes third-party rights or the agreement. Additionally, the platform prohibits users from (including but not limited to) deleting copyright or ownership statements, creating user accounts through automatic means, impersonating other persons or entities, or using the services for any illegal purpose.

The Data Circulation Prohibition List of Shanghai Data Exchange Corp. defines three types of data that are prohibited from production, copying, release and dissemination: data endangering national security and social stability, data involving specific individual rights and interests, and data involving the rights and interests of specific enterprises. Among these, the data concerning specific personal rights and interests cover identity data, sensitive data and property data that can be directly linked to specific individuals, without personal authorization.

According to the platform rules of Harbin Data Trading Center, users are required to follow the basic principles of legality, authenticity, accuracy, effectiveness and integrity in releasing information in the trading center and bear full responsibility for the information they release independently, which shall not contain any content that violates national laws and regulations, is suspected of infringing other people’s legitimate rights and interests, or interferes with the operation of the trading center. In addition, the platform rules prescribe punishment measures for releasing data commodity information banned by laws and rules.

For Central China BigData Exchange, the platform rules prohibit the trading of data involving the following contents: ➀ data involving state secrets, personal information and other information protected by law; ➁ data involving the intellectual property and trade secrets of others, which are prohibited from trading on the transaction platform unless the obligee has given express permission; ➂ data containing the following contents: those contradicting the basic principles established by the Constitution; those endangering national security, subverting state power, undermining national unity and disclosing state secrets; those damaging national honor and interests; those inciting national hatred and ethnic discrimination to undermine national unity; those violating national religious policy and worshiping cults and feudalistic superstition; those damaging social stability through spreading rumors and disrupting social order; those relating to the dissemination of obscenity, pornography, gambling, violence, murder, terror or instigation to crime; those insulting or defaming others, or acting against the legitimate rights and interests of others; and those containing content banned by laws and administrative regulations.

[21] https://www.factual.com/terms-of-service/. Access date: 2018-08-03.
Strengthen Personal Information Protection

In Terms of Industry Standards

As stipulated in the Zhongguancun Big Data Industry Alliance Self-Discipline Pact (Trial), members shall consciously safeguard the legitimate rights and interests of consumers and keep users’ data confidential; moreover, they shall not use the data provided by users to engage in any activities unrelated to the promises made to users, nor shall they infringe on the legitimate rights and interests of consumers or users by means of technology or other advantages.
In Terms of Platform Rules

As specified in the privacy policy of American Factual, it collects users’ contact information, such as name and e-mail address.

The Data Circulation Industry Self-Discipline Pact (v2.0), jointly issued in July 2016 by the China Academy of Telecommunication Research of MIIT (CAICT), China Research Institute of Electronic Science and Technology, China Unicom, China Telecom, Alibaba, Jingdong, 360 and other units, expressly states that the security of personal information shall be protected. Specifically, the pact stipulates that users have legitimate rights and interests in their personal data. The collection, sharing, transaction and transfer of personal data shall be clearly notified to users and carried out with the consent of users or other legal authorization. At the same time, enterprises have legitimate rights and interests in the data they collect, obtain and generate in proper and legal ways. Enterprises shall not intrude on, steal or trade data in which others hold legitimate rights and interests through illegal means or against the will of others, and shall not use data obtained illegally or from unknown sources. Enterprises shall fully respect the needs and legitimate rights and interests of users and protect their rights of option, acquisition, correction, withdrawal and deletion in the circulation of personal data in accordance with the law. In addition, for the purpose of strengthening risk assessment in all stages of data circulation, enterprises should, if personal privacy is involved, seek the user’s consent or carry out the necessary desensitization. Without legal authorization, data concerning national security and public security shall not be shared.

The Personal Data Protection Principle of Shanghai Data Exchange Corp. expressly defines the principles of legality, privacy management, identity protection, consent, limitation, personal participation, rights protection and responsibility. The specific requirements are that the collection and use of personal data shall observe the principles of legality, legitimacy and necessity, and that the purpose, method and scope of data collection and utilization shall be clearly indicated. In addition, identification that can be used to directly determine a specific individual shall be stored and processed separately from other personal data, and for data to be shared and circulated, it shall be ensured that identification that can directly identify the individual has been removed. It is forbidden to disclose or provide personal data with identity identification to a third person without authorization under any circumstances.

Under the Qiantang Big Data Trading Platform Rules, sellers are required to guarantee that their data products do not involve any personal privacy. If they do, the sellers need to support the platform in taking the data product off the shelves as soon as possible and bear any legal liability arising therefrom. In addition, when selling data products, the merchants shall assume responsibility for the copyright of their products, promise that the data products do not contain users’ private information or that they have obtained the corresponding permissions, and bear all responsibility for the data copyright. The Qiantang big data exchange platform will conduct spot checks from time to time. In the case of any of the above situations, the Qiantang big data exchange platform is entitled to terminate cooperation.
Characteristics of Data Exchange Practice

Data Transactions Growing in Size and Scope but Data Types Limited

At present, with data transactions expanding in scale, the number of consumer groups concerned is greater, and data types are increasingly rich. According to A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, released by the Committee on Commerce, Science, and Transportation of the US Senate,[22] data brokers collected hundreds of millions of demographic statistics, involving consumer name, address, telephone number, email address, gender, age, marital status, the number and age of children in the family, education background, occupation, income level, political faction, and information about their homes and other properties. In addition, they also collect other types of information about individuals, such as ➀ information on consumer purchases, transactions and purchase frequency, and whether the purchase is made through a catalog, online or offline; ➁ payment methods available to consumers, including credit card type and card opening date; ➂ information on car purchases, including the car brand and model, or consumers’ preference for new or used cars; ➃ health condition of consumers; and ➄ social media activities, including the number of consumers’ friends and followers and whether they watch YouTube videos or something else.

However, data circulation transactions do not cover all types of data. Nor can the contents to be circulated involve information endangering national security, business secrets of enterprises, personal privacy, etc. Taking Guiyang Big Data Exchange Center in China as an example, according to the People’s Republic of China Government Information Disclosure Bill, there are more than 30 types of data available for circulation transactions in Guiyang Big Data Exchange, falling into two categories: data on government affairs and data on industrial development. Among these, government affairs data that can be publicly circulated contain ➀ information about government approval; ➁ financial budgets and final accounts, and the “three official” expenses (spending on official overseas trips, official vehicles and official hospitality); ➂ information about indemnificatory apartments; ➃ food and drug safety information; ➄ information about environmental protection; ➅ safety production information; ➆ information about prices and charges; ➇ information about land acquisition and demolition; and ➈ information data of public enterprises and institutions centering on education. Publicly available data on industrial development include data on medical development, financial development and the development of e-commerce, social media, education, transportation, logistics, retailing, energy and other industries in various areas.

Data prohibited in circulation transactions contain ➀ data involving state secrets and other information protected by law; ➁ data related to other people’s intellectual property rights, business secrets, personal information and other rights, which are prohibited from trading on the sales platform unless the obligee has given clear permission; ➂ data involving the following contents, which are prohibited from trading on exchanges: endangering national security, subverting state power, undermining national unity and disclosing state secrets; damaging national honor and interests; inciting national hatred and ethnic discrimination to undermine national unity; violating national religious policy and worshiping cults and feudalistic superstition; damaging social stability through spreading rumors and disrupting social order; disseminating obscenity, pornography, gambling, violence, murder, terror or instigation to crime; insulting or defaming others, or acting against the legitimate rights and interests of others.

[22] https://www.commerce.senate.gov/public/_cache/files/0d2b3642-6221-4888-a631-08f2f255b577/AE5D72CBE7F44F5BFC846BECE22C875B.12.18.13-senate-commerce-committee-reporton-data-broker-industry.pdf. Access date: 2018-08-16.
Most Data not Obtained Directly from Consumers and Frequent Data Transactions Between Data Brokers

Data brokers have told the Trade, Science and Transport Committee of the United States Senate that they access consumer data principally through the following five channels: government records and other public data; information purchased or licensed from other data brokers; cooperative agreements with other companies; consumer self-reporting, usually obtained through surveys, questionnaires and lotteries; and social media. Specifically, data brokers acquire information directly from consumers online or offline by means of warranty cards, lotteries and other types of surveys, which generally involve family demographics, income levels, shopping preferences, health, insurance and other personal information. For example, some surveys may ask whether anyone in the family has diabetes or what type of insurance the family currently owns or plans to receive. Data brokers say they tell consumers that the information they provide may be shared for marketing purposes in exchange for opportunities to participate in lotteries or obtain other prizes. However, the surveys generally do not indicate that they are connected with specific data brokers. Moreover, data brokers not only provide data to end users but also share it with other data brokers. Among the nine data agents studied by the FTC, most of the data come from other data brokers rather than being obtained directly from original sources.
Lack of Personal Information Protection Systems and Imperfect Consumer Opt-Out Mechanisms in Data Transactions

It is evident in existing cases that data brokers or data service companies are punished for inadequate personal information protection. In the cases of data disclosure fraud committed by Torch Concepts, JetBlue Airlines and Acxiom, and in the case of crooked transactions by ChoicePoint, there is a common form of misconduct: data brokers trade personal data without notifying consumers or obtaining their authorized consent. This is the same problem as in the data cases in China. Therefore, wider collection and analysis of personal information not only provides consumers with more targeted, personalized services but also poses challenges to personal information protection. As far as existing data exchange is concerned, data brokers or companies do not obtain information directly from individuals, and mutual data trading is common among most enterprises, which makes it difficult for individuals to determine the initial path of data acquisition and safeguard their own interests.

Additionally, the opt-out mechanism is absent from the present platform rules. Surveys show that data brokers typically enter into written contracts with their data sources, largely covering descriptions of the data to be provided, transmission methods, update frequency and use restrictions. Most data brokers declare in the contract that the data source ensures the legitimacy of its data acquisition. However, among the nine typical data brokers surveyed, only two require in their contracts that data sources ensure that they or their sources notify consumers that information will be shared with third parties and that there is a mechanism for opting out of sharing. For instance, Acxiom has a policy of permanently deleting consumers’ opt-out records, while many other companies surveyed stipulate that consumer information is not deleted when consumers choose not to share their information. Another example is what happens when consumers choose to opt out at Epsilon. Under its policy, Epsilon marks consumer information as “Do Not Share” rather than deleting it. In doing so, Epsilon can protect consumer preferences; that is, if consumers’ information were deleted, the company would not be able to know that those consumers require their information not to be shared. When consumers are marked “Do Not Share”, Epsilon knows that they do not wish their information to be shared and can prevent subsequent resubmission of their information. By adhering to this policy, Epsilon can ensure greater durability of consumers’ opt-out requests. It is worth noting, however, that consumers do not know of their own right to opt out or how to exercise it because, more often than not, they are not aware that data brokers hold their information.
Domestic and International Actuality and Difficulty of Data Trading Legislation

With data value becoming increasingly prominent, data resources are increasingly becoming vital production factors and social wealth. Europe and the United States have enacted a series of policies and laws to promote data use. Overall, with respect to the regulation of data trading in Europe and the United States, on the one hand, the establishment of an order of data utilization is indirectly affected through the protection of personality rights (mainly privacy and personal information); on the other hand, legislation directly establishes the rules of data trading without clarifying the data itself, such as the legal character of data, its ownership and other issues.
Status Quo of EU Policies and Laws for Data Exchange

With the rapid development of the data economy worldwide, the EU has also deeply realized the great value of data. The EU says data-driven innovation is a key driver of economic growth and employment, providing a major boost for European competitiveness in global markets. Over the past few years, the EU has continuously introduced data-related policies and laws (see Table 3) to promote the development of the data economy. Specifically, enhancing the effective use of data is a major goal for the EU in making policies and regulations for the data economy.
Table 3 Current Situation and Realistic Dilemma of Data Exchange Policies and Laws

| Nature of regulation | Year | Chinese name | English name |
|---|---|---|---|
| Policies | 2014 | 《关于迈向繁荣的数据驱动型经济的通报》 | COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Toward a thriving data-driven economy |
| Policies | 2015 | 《数字单一化市场战略》 | Digital single market |
| Policies | 2017 | 《关于构建欧洲数字经济的通报》 | Communication on “Building a European Data Economy” |
| Policies | 2018 | 《关于迈向共同的欧洲数据空间的通报》 | COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Toward a common European data space |
| Laws | 1996 | 《关于数据库法律保护的指令》 | Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases |
| Laws | 2016 | 《通用数据保护条例》 | General Data Protection Regulation |
| Laws | 2018 | 《关于获取和保存科学信息的建议》 | Commission Recommendation (EU) 2018/790 of 25 April 2018 on access to and preservation of scientific information |
| Laws | 2018 | 《非个人数据自由流动框架条例》 | Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of nonpersonal data in the European Union |
| Laws | 2019 | 《关于开放数据和公共部门信息再利用的指令(EU) 2019/1024》 | Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the reuse of public sector information |
In Terms of Policy

(1) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions toward a Thriving Data-Driven Economy of 2014

In July 2014, the European Commission issued the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions toward a Thriving Data-Driven Economy. In the document, the EU indicates that there are problems with the development of the data economy, such as a lack of funding for data research and innovation, a complex legal environment and insufficient access to large data sets by enterprises, especially SMEs (small and medium-size enterprises). The Committee insists that an appropriate policy framework shall be established to provide legal certainty and uphold business operations involving big data. To this end, the Committee promises to promote more convenient data access and reuse, eliminate unnecessary obstacles and restrictions to data access, and unify the rules of data reuse to reduce the transaction costs of enterprises.
(2) Strategy of “Digital Single Market” of 2015

In May 2015, to seize the opportunities brought by the digital revolution to Europe, the EU proposed the strategy of “Digital Single Market”, which aims to establish a regulatory framework to remove barriers to the free flow of data and ensure that European populations and businesses have access to online goods and services in an accessible and equitable manner. The Digital Single Market Strategy also aims at breaking down regulatory barriers and transforming the markets of 28 member countries into a single EU market, ultimately maximizing the growth potential of the European digital economy. Regarding the strategy, the European Commission suggests that there are many challenges in the reuse of corporate nonpersonal data. In view of this, the European Commission announced a plan of ‘free flow of data’ within the framework of the Digital Single Market, which also includes data sharing among enterprises.
(3) Communication on “Building a European Data Economy” of 2017

In January 2017, the European Commission published a Communication on “Building a European Data Economy”, arguing that to achieve the goal of fueling the boom of the data economy, enterprises shall be able to access a large number of different data sets while ensuring full respect for personal data protection. In this document, the EU principally discusses two issues: data localization restrictions imposed by member states on enterprises and obstacles to interenterprise data access and transfer. The EU pointed out that the obstacles to data access and interenterprise access include the following: ➀ some data suppliers save their own machine-generated data and do not actively share them; ➁ user-friendly tools for accessing or using data are absent; ➂ it is difficult to evaluate the data, etc. To address these problems, the Committee has formulated a series of policy objectives, such as improving access to anonymous machine-generated data, encouraging data sharing, protecting corporate investment and assets, and safeguarding confidential data in the context of economic competition. To encourage more data sharing and data reuse, the Committee emphasizes the great significance of completing the corresponding data responsibility.

(4) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions toward a Common European Data Space of 2018
On April 25, 2018, the European Commission released the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions toward a Common European Data Space. This document shows that further actions need to be taken to improve the effective utilization of data. Additionally, in this document, as an important step toward a common European data space, the European Union, on the basis of the existing data protection legislation, puts forward a series of measures, specifically ➀ to promote the acquisition and reuse of public sector information by reviewing the directive on the reuse of public sector information (PSI Directive); ➁ to update the recommendation on access to and preservation of scientific information to advance the sharing of scientific information; and ➂ to provide guidance on data sharing between the private sectors.

The European Union intends to reduce market entry barriers, particularly for small and medium-sized enterprises, by lowering charges for the reuse of public sector information; minimizing the risk of excessive first-mover advantage, which benefits large companies and thereby limits the number of potential reusers of the data in question, by requiring a more transparent process for the establishment of public–private arrangements; and increasing business opportunities by encouraging the publication of dynamic data and the uptake of application programming interfaces (APIs). Regarding data sharing between the private sectors, the European Union believes that private sector data are a key driving force for Europe’s innovation and competitiveness. Promoting the acquisition and reuse of private sector data serves as the major cornerstone of the development of a common European data space. It is proposed that the principles of data sharing contracts between enterprises shall cover:

(a) Transparency: The relevant contractual agreements should identify in a transparent and understandable manner (i) the persons or entities that will have access to the data that the product or service generates, the type of such data, and at which level of detail; and (ii) the purposes for using such data.
(b) Shared value creation: The relevant contractual agreements should recognize that, where data are generated as a byproduct of using a product or service, several parties have contributed to creating the data.
(c) Respect for each other’s commercial interests: The relevant contractual agreements should address the need to protect both the commercial interests and secrets of data holders and data users.
(d) Ensure undistorted competition: The relevant contractual agreements should address the need to ensure undistorted competition when exchanging commercially sensitive data.
(e) Minimized data lock-in: Companies offering a product or service that generates data as a byproduct should allow and enable data portability as much as possible 39. They should also consider, where possible and in line with the characteristics of the market they operate on, offering the same product or service without or with only limited data transfers alongside products or services that include such data transfers.[23]

2. In terms of legislation

(1) Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the Legal Protection of Databases of 1996
The Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the Legal Protection of Databases (hereinafter referred to as “Database Directive”), issued by the EU in March 1996, grants nonoriginal database producers privileges in their database contents.[24] According to the directive, a database refers to any form of compilation of independent works, data and other independent materials that are systematically or orderly arranged and can be independently accessed by electronic or other means. By this definition, the objects protected by the EU’s Database Directive include both original databases and nonoriginal databases. For nonoriginal database producers, the directive develops the protection model of the exclusive right. Under the provisions of the directive, the author of a nonoriginal database must make substantial investments in the acquisition, verification and marshaling of the database contents to obtain protection. Nonoriginal database producers are granted the following three special rights in the directive: ➀ the right to extract, namely, the right to forbid others from permanently or temporarily copying the entire contents, or contents that are substantial in quantity or quality, of the database without permission; ➁ the right to reuse, i.e., the right to prohibit others from providing to the public the full contents, or contents that are substantial in quantity or quality, without permission in the form of release, rental or online transmission; ➂ the right to extract and reuse, that is, it is forbidden for others to copy, systematically copy and provide to the public, without permission, nonsubstantive contents of databases in a way that conflicts with the normal use of databases or damages the legitimate interests of database producers.[25] Overall, the “exclusive right” set out by the EU Database Directive actually endows nonoriginal database producers with a higher degree of exclusive rights to regulate the obtainment of database content by others.

[23] https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM:2018:0232:FIN#footnote10.

[24] From the perspective of legislative examples of various countries, databases can be divided into original databases and nonoriginal databases. As for original databases, all countries have basically reached a consensus on the mode of protection, which means original databases shall be protected through copyright. For nonoriginal databases, countries vary in their legislative approaches. In America, they are protected primarily through Contract Law and Anti-unfair Competition Law, while the European Union protects them by giving privileges to nonoriginal database producers.
General Data Protection Regulation of 2016

On April 14, 2016, the European Parliament passed the General Data Protection Regulation (hereinafter referred to as “GDPR”), which came into effect on May 25, 2018. As the most remarkable legislative change in the field of privacy and data protection in the past 20 years after the promulgation in 1995 of Directive 95/46/EC of European Parliament and Council of the European Union on the Protection of Personal Data Processing and Free Flow of Data (hereinafter referred to as “Directive 95”), GDPR is intended to give data subjects control over personal data and establish a high-level, unified data protection framework adapted for the digital age in the EU. The GDPR fully enhances the protection of personal data by strengthening the requirements of informed consent, adding new rights such as the right to be forgotten and data portability and new obligations such as data breach notification, data impact risk assessment and data protection specialists, and increasing penalties for violations.
Commission Recommendation (EU) 2018/790 of 25 April 2018 on Access to and Preservation of Scientific Information

In 2018, the EU proposed amending the Recommendation on access to and preservation of scientific information. The new proposal reflects developments in data management and text and data mining (TDM), and takes into account that the EU has enhanced its data analysis capability, which plays a role in research. It expounds some problems concerning the reward system for researchers to share data and the skills and abilities of researchers and staff in research institutions.
Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a Framework for the Free Flow of Nonpersonal Data in the European Union

On September 13, 2017, the European Commission released the Proposal for a Regulation on a framework for the free flow of nonpersonal data in the European Union, aiming to establish a framework for the cross-border free flow of nonpersonal data in the EU. On November 14, 2018, the European Parliament and the Council formally issued the “Regulation on a framework for the free flow of nonpersonal data in the EU”, which aims to unify the rules for the free flow of nonpersonal data. In addition, to establish a European data economy, the scope of data localization requirements currently imposed by Member States shall be limited by the regulation. Consequently, there is a competitive market for data storage, processing services and activities. To ensure the free flow of data within the EU, the regulation proposes five measures aimed at abolishing regulations of member states that unreasonably or inappropriately prevent enterprises from choosing where to store or process data. Member States must inform the European Commission of their new or existing requirements for data localization. These five measures are as follows:

(1) Data localization requirements shall be prohibited unless they are justified on grounds of public security in compliance with the principle of proportionality.
(2) Member States shall immediately communicate to the Commission any draft act which introduces a new data localization requirement or makes changes to an existing data localization requirement in accordance with the procedures set out in Articles 5, 6 and 7 of Directive (EU) 2015/1535.
(3) By 30 May 2021, Member States shall ensure that any existing data localization requirement that is laid down in a law, regulation or administrative provision of a general nature and that is not in compliance with paragraph 1 of this Article is repealed.
(4) Member States shall make the details of any data localization requirements laid down in a law, regulation or administrative provision of a general nature and applicable in their territory publicly available via a national online single information point which they shall keep up-to-date, or provide up-to-date details of any such localization requirements to a central information point established under another Union act.
(5) Member States shall inform the Commission of the address of their single information point referred to in paragraph 4. The Commission shall publish the link(s) to such point(s) on its website, along with a regularly updated consolidated list of all data localization requirements referred to in paragraph 4, including summarized information on those requirements.

[25] Yinglong [6].
Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on Open Data and the Reuse of Public Sector Information
In April 2018, the European Parliament and the Council issued the Proposal for a directive on the reuse of public sector information (recast), which aims to amend Directive 2003/98/EC on the reuse of public sector information. In June 2019, the European Union officially released Directive (EU) 2019/1024 on open data and the reuse of public sector information to stimulate the development of innovative solutions such as mobile applications. In terms of research data, the directive requires that EU countries adopt policies and take action to make publicly funded research data openly available, following the principle of ‘open by default’ and supporting the dissemination of research data that are findable, accessible, interoperable and reusable (the ‘FAIR’ principle). Concerns relating to intellectual property rights, personal data protection and confidentiality, security and legitimate commercial interests must be taken into account in accordance with the principle of ‘as open as possible, as closed as necessary’. Publicly funded research data can be reused for commercial or noncommercial purposes in cases where they are already made publicly available via institutional or subject-based repositories.
Characteristics of EU Policies and Laws for Data Exchange
Strengthen Personal Data Protection and Restrain Personal Data Exchange
As a pioneer of legislation for personal data protection, the EU attaches great importance to the protection of personal data, which it treats as being as important to protect as basic human rights. From Directive 95 to the GDPR, the protection of personal data in the EU was further improved. First, in terms of the rights of data subjects, the EU places great emphasis on data subjects' control over their personal data: through the GDPR it has set up strict rules of informed consent and a comprehensive, high-level mechanism of rights for data subjects, including not only the traditional rights of access to and correction of personal data but also the right to be forgotten, the right to data portability, etc. Second, in terms of the obligations of data controllers and data processors, the EU has set many obligations and standards for data controllers and data processors through the GDPR, including the improved requirements of informed consent and the newly added data protection specialist, privacy design, data breach notification, data protection impact assessment and other obligations, which serve as a more well-rounded guarantee for data security and the rights of data subjects. From the perspective of current EU legislation, the EU does not explicitly prohibit personal data trading through lawmaking. However, with its high level of personal data protection standards, the EU has in practice set obstacles to the transaction and sharing of personal data. First, informed consent is the primary, although not the only, legal basis for personal data processing in the EU. In the era of big data, especially in the context of data exchange, it is difficult to strictly follow the rule of informed consent.
Moreover, the high requirements for the protection of personal data have tremendously increased the costs and compliance risks of personal data trading. Any imprudence can lead to a high fine. Therefore, the measures mentioned above have to a large extent inhibited transactions of personal data in the EU. In addition, the EU has enacted a series of measures to promote data sharing between the public and private sectors, but these are limited to nonpersonal data and exclude personal data.
Boost the Effective Use of Nonpersonal Data and Improve the Opening and Sharing of Nonpersonal Data
A key principle the EU holds for promoting the development of the data economy is to improve the effective utilization and reuse of data. Whereas for personal data the EU emphasizes protection, for nonpersonal data it pays more attention to utilization. From the Digital Single Market Strategy, which put forward the free flow of nonpersonal data in 2015, to the Regulation on Free Flow of Non-Personal Data (proposal) in 2017, and the Amendment to Directive on the Reuse of Public Sector Information and the Recommendation on Obtaining and Preserving Scientific Information of 2018, the EU on the one hand lowers the barriers to the flow of nonpersonal data by establishing its single market; on the other hand, it aims to promote the use of nonpersonal data in an all-round way by opening public data and promoting data sharing among enterprises.
Concepts of “Data Property Right” and “Data Ownership” Not Yet Defined
With the development of the data economy, how to regulate the use of data and how to determine the nature of data rights have aroused heated debates in the EU. The Study on Data Sharing between Companies in Europe, released by the European Union in 2018, reports that much evidence shows that many companies headquartered in the European Economic Area have been sharing and reusing data. According to the report, in addition to technical and cost barriers, there are also legal barriers to data sharing, principally including the uncertainty of “data property rights” and the difficulty in defining the boundary of legal use of data. In the same year, the EU published the Bulletin on Advancing toward a Common European Data Space, which disclosed the results of the EU’s research on enterprise data sharing in 2017. The results show that the stakeholders of enterprise data sharing believe that the existing regulatory framework is appropriate at the present stage of EU data economy development, and that it is still too early to legislate on data sharing among EU enterprises. The EU shall ensure the self-development of the data market on the basis of upholding the principle of contract freedom. Most stakeholders do not approve of introducing a new type of “data property right”; instead, they expect the EU to offer nonbinding guidance and share best practices, such as promoting API utilization that enables easier and more automatic access to data sets and their uses, developing standard contract terms and offering guidance from the EU.26 Considering the survey results, the key issue of data sharing among enterprises lies in how to access the data rather than in the matter of ownership. Looking across EU policies and current legislation, the EU puts forward the concept of “personal data protection rights” for personal data. For enterprise data, the European Union has given enterprises certain rights to specific types of data, principally through copyright, special rights, trade secrets, contract law, etc. However, concepts such as “data property rights” and “data ownership” have not been made clear.
26 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=COM:2018:0232:FIN#footnote38
The Status Quo of Data Exchange Policies and Laws in the US
The United States offers a less demanding environment in regulating data exchange. To improve the circulation and utilization of data, the United States vigorously encourages the opening and sharing of government big data through its open government data policy. With regard to personal data exchange, there are no additional restrictions on the market circulation of general personal data, except in some special areas of personal data exchange where the law stipulates otherwise.
U.S. Policies and Laws of Data Exchange
Consistent with the present legislative framework of personal data protection in the U.S., there is no unified federal legislation on the collection and sale of personal data by the private sector in the field of personal data exchange, except for the Privacy Act of 1974, which restricts the disclosure of personal records by federal agencies without the written consent of individuals. At the federal level, the disclosure and sale of personal data are principally regulated in several special areas, based on specific purposes or special circumstances, through departmental legislation. At the state level, the states vary in their level of personal data protection, and some state legislation provides for the transaction of personal data. The laws and regulations on personal data exchange in the U.S. are shown in Table 4.
Table 4 Status quo of U.S. laws and regulations on personal data trading

| Levels of legislation | Areas of regulation | Chinese name | English name |
|---|---|---|---|
| Federal level | Credit investigation | 公平信用报告法 | Fair Credit Reporting Act |
| | Finance | 金融服务现代化法 | Gramm-Leach-Bliley Act |
| | Medical care | 健康保险流通与责任法 | Health Insurance Portability and Accountability Act |
| | Children | 儿童在线隐私保护法 | Children’s Online Privacy Protection Act |
| | Communication | 电子通信隐私法 | Electronic Communications Privacy Act |
| | | 电信法 | Telecommunications Act |
| | Education | 家庭教育权与隐私权法 | Family Educational Rights and Privacy Act |
| | Other areas | 司机隐私保护法 | Driver’s Privacy Protection Act |
| | | 视频隐私保护法 | Video Privacy Protection Act |
| | | 计算机欺诈与滥用法 | Computer Fraud and Abuse Act |
| | | 联邦贸易委员会法 | Federal Trade Commission Act |
| | | 数据经纪人问责和透明度法案(草案) | Data Broker Accountability and Transparency Act |
| | | 数据问责和信托法案(草案) | Data Accountability and Trust Act |
| | | 《数字责任和透明度促进隐私法案》 | Digital Accountability and Transparency to Advance Privacy Act |
| | | 《隐私权利法案》 | Privacy Bill of Rights Act |
| | | 《数据经纪商人清单法案》 | Data Broker List Act of 2019 |
| State level | | 佛蒙特州 《数据经纪人法案》 | Vermont Data Broker Regulation (Act 171) |
| | | 加利福尼亚 《阳光法》 | California’s Shine the Light law |
| | | 犹他州 《出售非公开个人信息法》 | Utah’s Notice of Intent to Sell Nonpublic Personal Information Act |
| | | 加州 《消费者隐私权法》 | California Consumer Privacy Act of 2018 |

Fair Credit Reporting Act
In 1970, the United States passed the Fair Credit Reporting Act (FCRA), which established many rules governing how consumer reporting agencies collect, disclose and sell consumer credit history. Under the FCRA, access to and sale of “consumer reports” is permitted only for specific purposes, which are limited to credit, employment, insurance, court orders or subpoenas and other legitimate commercial purposes. Use for any other purpose requires a decision of the court or the consent of the consumer. Except for consumer reporting agencies, no agency shall obtain consumer reports for the purpose of resale. In addition, the FCRA does not require consumer reporting agencies to obtain the authorization of the data subject when collecting personal data, but it imposes a series of responsibilities on consumer reporting agencies that sell consumer credit data. For example, the FCRA requires consumer reporting agencies to ensure the “maximum possible accuracy” of the data they provide, as well as transparency to consumers. Moreover, agencies must provide consumers every year with a free copy of their consumer report and with all the information about them that the agency sells. At the same time, consumers are entitled to dispute the accuracy of the information and have it amended.27 The Fair and Accurate Credit Transactions Act of 2003 made certain amendments to the Fair Credit Reporting Act, adding security requirements to prevent identity theft and assist in identifying identity theft victims.28
Health Insurance Portability & Accountability Act
In 1996, the United States implemented the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) with the purpose of strengthening the supervision of medical insurance and establishing a relevant accountability system. Additionally, it contains provisions on the disclosure and sale of protected health information (PHI). Regarding the disclosure of PHI, the HIPAA privacy rules give individuals the right of control, clearly stipulating that, except in exceptional cases, institutions that hold PHI may use and disclose patients’ health information for marketing purposes only if they obtain the written consent of the patients. As for the sale of PHI, under the HIPAA privacy rules personal health information shall not be sold under any circumstances without the written consent of the individual. In addition, HIPAA requires insurers to take measures to protect PHI from unauthorized use or disclosure. It should be noted that the protection of personal health information by HIPAA principally focuses on the supervision of typical institutions holding PHI, such as medical care, insurance and schools, rather than on the data itself. Therefore, institutions other than medical or insurance institutions can disclose or sell personal health information for marketing purposes without the written consent of individuals required by HIPAA.
27 The FCRA: A Double-Edged Sword for Consumer Data Sellers, https://www.americanbar.org/publications/gp_solo/2012/November_December2012privacyandconfidentiality/fcra_double_edged_sword_consumer_data_sellers.html.
28 GAO. Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.
Children’s Online Privacy Protection Act
In 1998, the United States passed the Children’s Online Privacy Protection Act of 1998 (COPPA), which regulates how website operators and online service providers offering services to children collect, use and disclose personal information of children under the age of 13. According to the law, unless an exception applies, website operators and online service providers shall obtain verifiable parental consent before any collection, use, or disclosure of personal information from children. Without the prior consent of parents, website operators and online service providers should inform the parents of the data processing that is necessary for the protection of children’s personal information and provide them with an opt-out mechanism. What calls for special attention is that COPPA does not apply to personal information about children collected from the child’s parents or other adults.
Financial Services Modernization Act
In 1999, the United States released the Financial Services Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” (GLBA), which sets out how financial institutions may share and must protect the private personal information of consumers. Here, “nonpublic personal information” refers to personally identifiable financial information: (1) information provided by consumers to financial institutions; (2) information generated by consumers in the course of a transaction or the use of a service; and (3) other information obtained by financial institutions.29 Under the provisions of GLBA, financial institutions shall not disclose nonpublic personal information, directly or through any affiliated company, to nonaffiliated third parties unless the following requirements are all met: ➀ financial institutions explicitly inform consumers of the possible disclosure of the information to the third party in written, electronic or other forms that comply with legal requirements; ➁ before the initial disclosure, financial institutions provide consumers with an opt-out mechanism concerning the disclosure of information to the third party; ➂ financial institutions clearly inform consumers of how to use the opt-out mechanism. In accordance with other stipulations in GLBA, nonaffiliated third parties receiving nonpublic personal information from financial institutions are normally not permitted to disclose the information directly to other nonaffiliated third parties. Additionally, GLBA specifies that, except to consumer reporting agencies, financial institutions shall not disclose the account numbers or passwords of consumer credit cards, deposits and transaction accounts to any nonaffiliated third party for marketing purposes.30
29 15 U.S.C. § 6809(4)(A).
30 15 U.S.C. § 6802.
(5) Electronic Communications Privacy Act
The Electronic Communications Privacy Act (ECPA), passed in 1986 in the U.S., provides that unless otherwise specified by law, third parties shall not intercept or disclose electronic communications. Moreover, the act states that Internet service providers shall not sell consumers’ e-mail and text information to information resellers for marketing purposes unless the consumers agree.31
(6) Federal Trade Commission Act
Under the provisions of the Federal Trade Commission Act issued by the U.S. in 1914, unfair or fraudulent acts affecting commerce are prohibited, and the FTC is authorized to supervise and control such acts. Although the act does not explicitly define the FTC’s powers in privacy protection, it can be applied to fraudulent acts or violations of privacy policy committed by network service providers. For example, if a network service provider states in its privacy policy that consumers’ personal data are not to be sold and later violates the policy by selling the data, the FTC can prosecute it on the basis of suspected fraud. Even if there is no privacy policy, where the FTC believes that the collection or sale of personal data by Internet service providers will cause great harm to individuals, the conduct shall also be regulated as an unfair act.
Driver’s Privacy Protection Act
The Driver’s Privacy Protection Act was promulgated in 1994 to limit the use and disclosure of specific personal information in motor vehicle records collected by motor vehicle regulatory authorities. According to the provisions of the Act, motor vehicle regulators and their officials, employees or contractors shall not intentionally disclose personal information from vehicle records, such as the social security number, driver’s identification number, name, address, telephone number, and medical care or disability information, but excluding information on vehicle accidents, driving violations and driver’s identity information, unless the disclosure is necessary for the court or law enforcement agencies to perform their functions, for scientific research or statistics, or for an enterprise to verify the accuracy of personal information, or is made with the explicit consent of the data subject. An entity that obtains the personal information in motor vehicle records with the explicit consent of the data subject can resell or redistribute the information for the specific purposes specified by law, on the condition that the resale or redisclosure is recorded, the records are kept for 5 years, and the records are provided to the motor vehicle regulators as required.32
31 GAO. Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.
32 18 U.S. Code § 2721.
Family Education and Privacy Rights Act
The Family Education and Privacy Rights Act, enacted by the United States in 1974, regulates access to and disclosure of students’ educational information. The Act stipulates that federal funds shall not be provided to schools or research institutions that disclose students’ records or students’ identifiable personal information to third parties without the written consent of the students’ parents. If a school or research institution discloses the directory information of students without written consent,33 it shall give public notice of the categories of the information and allow the parents concerned a reasonable time to object to the disclosure.
Video Privacy Protection Act
The Video Privacy Protection Act, promulgated in 1988, sets rules for the disclosure of consumers’ personal information by videotape service providers. According to the Act, unless an exception applies, a videotape service provider shall not intentionally disclose to a third party personally identifiable information contained in the records of video rentals and sales, including the title or subject matter of any video tape. However, if consumers have the opportunity to prohibit such disclosure, the service provider can disclose the name and address of the consumer to a third party. In addition, if the information is used only for the purpose of selling goods or services directly to consumers, the service provider may also disclose the contents of the rental materials to a third party.
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act of 1986, an important cornerstone for the federal government to crack down on Internet crimes, establishes a regulation against cyberspace crime. According to the Act, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ➀ information in the financial records of financial institutions or card issuers, or consumer credit information held by consumer reporting agencies; ➁ information held by government departments; or ➂ information in other protected computers,34 commits a crime and can be sentenced to up to 10 years’ imprisonment, depending on the specific circumstances.
33 Directory information refers to students’ names, addresses, telephone lists, dates and places of birth, main areas of study, participation in officially recognized activities and sports, weight and height as members of the sports team, degrees and awards, etc. See 20 U.S.C. § 1232g(a)(5)(A).
34 “Protected computer” stated therein refers to a computer specially serving financial institutions or the U.S. government, or a computer used for or related to interstate or foreign business or communication. See 18 U.S. Code § 1030; 18 U.S.C. § 1030(e)(2).
Additionally, the Act also regulates the acquisition, holding and transmission of information. Under it, the following persons shall be treated as committing a criminal act, depending on the circumstances and consequences: those who provide identity documents, identification features or false identity documents intentionally or without legal authorization; those who continue to transmit identity documents, identification features or false identity documents while fully knowing that such information was obtained by theft or without legal authorization; those who, for the purpose of illegally using or transmitting identity documents, identification features or false identity documents, intentionally hold or transmit such information; and those who hold identity documents, identification features or false identity documents for the purpose of fraud.35
Telecommunications Act
The United States promulgated the Telecommunications Act in 1996, which requires telecom operators to protect the confidentiality of consumers’ private network information.36 Under this Act, unless the user agrees or the law provides otherwise, telecom operators may use, disclose or allow access to identifiable customer proprietary network information only in the course of providing telecom services. In addition, as stipulated by the Act, telecom operators can disclose data sets from which the identity and characteristics of individual consumers have been deleted to other third parties on reasonable and nondiscriminatory grounds.
Data Broker Accountability and Transparency Act
On September 14, 2017, the United States introduced the Data Broker Accountability and Transparency Act, which calls for an accountability system for data brokers who collect and sell personal and sensitive data about consumers and for greater transparency of their related behaviors. The Act defines a “data broker” as a business entity that collects, aggregates, or maintains personal data of individuals who are neither its consumers nor its employees in order to sell or provide such personal data to a third party. The act permits consumers to access and correct their information to ensure its maximum accuracy, and gives them the right to stop data brokers from using, sharing, or selling their personal data for marketing purposes. The act also requires data brokers to develop a comprehensive privacy and data security plan and to provide reasonable notice in the case of any violation, and it empowers the FTC to enforce the law and to issue regulations within one year, including the rules for establishing a centralized website where consumers can view the list of data brokers and information about consumers’ rights.
35 18 U.S. Code § 1028.
36 Customer proprietary network information refers to the quantity, technical configuration, type, destination, location, usage, bill and other information of the telecommunication service subscribed by the consumer. See 47 U.S. Code § 222.
Data Accountability and Trust Act
In March 2018, the United States proposed the Data Accountability and Trust Act, which specifies the data subject’s right to access and correct information and the transparency requirements for brokers’ data collection and use, but contains no provision requiring the data broker to obtain the consent of the data subject for data processing.
Digital Accountability and Transparency to Advance Privacy Act
On February 27, 2019, the Digital Accountability and Transparency to Advance Privacy Act, or the DATA Privacy Act, was introduced in the US Senate. By way of legislation, it effectively improves the data privacy protection of American consumers in terms of data protection, transparency, consumers’ personal control and other aspects. Additionally, the Act requires data brokers who collect more than 3000 persons’ personal data every year to carry out privacy risk management by adopting technical means to protect consumer data, and to appoint a privacy protection technician, establishing a data and privacy protection culture in the company and improving employees’ privacy protection awareness through training.
Privacy Bill of Rights Act
The Privacy Bill of Rights Act, issued by the U.S. Senate on April 11, 2019, expressly defines the notion of personal data in order to protect the legitimate rights of consumers, such as the right to delete personal data, the right to correct inaccurate personal data and the right to opt in. It also requires data controllers to establish and maintain reasonable data security practices to protect the confidentiality of personal data.
Data Broker List Act of 2019
On July 30, 2019, the Data Broker List Act of 2019 was introduced in the U.S. Senate to regulate the access to, use and protection of consumers’ personal information by data brokers, who are subject to the following five requirements:
1. Shall not acquire brokered personal information through fraudulent means;
2. Shall not acquire or use brokered personal information for illegal purposes;
3. Shall not sell or transfer brokered personal information to a third party if the data broker knows or reasonably should know that the third party intends to engage in any conduct prohibited by this Act;
4. Shall develop, implement, and maintain a comprehensive information security program to protect against security breaches or other inadvertent or improper disclosure of the brokered personal information acquired by the data broker;
5. Shall register with the Federal Trade Commission annually.
Vermont Data Broker Regulation
On May 22, 2018, Vermont passed a special act for regulating data brokerage, the Vermont Data Broker Regulation (Act 171), which became the first special act for the data broker industry in the history of America and made Vermont the first state to enact a law for supervising data brokers.37 The provisions on data brokers in the Act came into effect on January 1, 2019. With its far-reaching influence, this Act is of great significance for China in strengthening legal regulation and protecting the rights and interests of consumers. The Data Broker Regulation, developed on the basis of the Vermont code, falls into four main parts: first, the legislative background and purpose of the Act are expounded; second, provisions related to data brokers are added to Chapter 62 of the Vermont code, “Personal Information Protection”; third, provisions relevant to credit freezes are amended in Chapter 63 of the Vermont code, “Consumer Protection”; fourth, the regulatory authorities related to data brokers and the effective date of the Act are further specified. In practice, the Data Broker Regulation strengthens the regulation of data brokerage: on the one hand, the Act establishes an annual registration system, which improves the overall transparency of the data broker industry by requiring data brokers to provide information on their brokerage practices; on the other hand, the Act sets objective standards and technical requirements to push data brokers to complete their corporate information security systems and to better assume responsibility for information security. In addition, the Data Broker Regulation effectively guarantees the protection of consumers’ rights. First, the Act guarantees consumers’ right of data control, requiring data brokers to let consumers choose whether to quit the data broker service and obliging them to inform consumers of how to apply for exit and of the scope of application of the exit option. Second, the Act adds consumers’ right to be informed about credit reports, requiring credit agencies to provide consumers with accurate credit scores, forecasts, credit status in the past year, and the latest contact information of the agency, so that consumers fully know the information they can obtain and their basic rights. Third, the Act adds consumers’ right to control their credit reports, ensuring that any consumer can freeze or unfreeze their own credit report at any time to minimize the losses caused by information leakage and identity theft.
37 Xing and Yujiao [1].
California’s Shine the Light Law
California’s Shine the Light Law regulates information sharing by enterprises and expressly states that enterprises shall, upon the request of consumers, inform them whether their information can be shared with a third party and what types of information are shared.
Utah’s Notice of Intent to Sell Nonpublic Personal Information Act

Utah’s Notice of Intent to Sell Nonpublic Personal Information Act contains provisions on the transparency of the intent to sell nonpublic personal information, requiring business entities to disclose to consumers the types of nonpublic personal information sold to or shared with third parties.
California Consumer Privacy Act of 2018

On June 28, 2018, California passed the California Consumer Privacy Act of 2018, giving consumers more control over the information collected by enterprises and imposing new requirements and prohibitions on enterprises. The Act greatly extended the long-standing scope of personal information protection provided in the Code of Federal Regulations: protection was no longer limited to consumer credit information, medical information, student education information, children’s information and other special fields; instead, almost all types of personal information were brought within the scope of protection. Among its provisions, the transparency requirement and the right to refuse the sale of personal information will have a significant impact on transactions in personal data. As provided by the law, consumers have the right to know whether their personal information has been sold or disclosed, the type of information sold or disclosed, and the parties to which the information is sold or with which it is shared. In addition, under the law, enterprises selling personal information shall provide consumers with an exit mechanism to refuse the sale of their information. An enterprise shall not sell the information of consumers who have chosen not to have their personal information sold and shall not request reauthorization from those consumers within 12 months. A third party receiving personal information shall not sell the personal information purchased from the former party unless the consumer has received a clear notice and has been offered a corresponding exit mechanism. In addition, businesses are not allowed to sell the personal information of a consumer under the age of 16 unless it is explicitly authorized by the consumer’s parents.
The Characteristics of American Policies and Laws on Data Exchange

State Deregulation and Market Innovation

Unlike the EU, which places great emphasis on the protection of personal data, the United States attaches more importance to the use of data to promote the development of the data economy. Therefore, on the whole, the United States supervises data exchange less and leaves it to be determined by the market. Both personal data and nonpersonal data can in principle be traded, and there is no high threshold for the transaction of personal data similar to that of the European Union.
Limited Application of Consent Rules and Improved Transparency of Data Transactions

For personal data, the United States, unlike the EU with its strong emphasis on the consent of data subjects, emphasizes consent rules for the use and reuse of personal data only in several special areas, such as credit reference, medical care, children and education. In areas where consent rules are applicable, the opt-out mode applies more than the opt-in mode of the European Union. Additionally, the United States places more emphasis on the transparency of data processing for data utilization (data exchange), which is embodied in the Data Broker Accountability and Transparency Act, the Data Accountability and Trust Act and the California Consumer Privacy Act of 2018.
The Ownership of Data not Specified and the Guarantee of Data Security Improved

Taken as a whole, U.S. legislation contains no clear provisions concerning data property rights or data ownership. The ownership and rights protection of data resources are resolved principally through industrial self-discipline or corporate contracts. For the problems that may arise from data trading, the United States, unlike the EU with its emphasis on prior consent rules, places more emphasis on security measures during and after the event.
Current Status of Data Transaction Policies and Laws in China

At the Policy Level

With the development of the data industry, China has successively introduced a series of policies to promote data trading. The Notice of the State Council on Issuing the Program of Action for Promoting the Development of Big Data of 2015 explicitly states that efforts shall be made to study and promote legislation concerning the rights and interests of data resources, to guide and cultivate the market for big data exchange and to launch pilot projects for application-oriented data trading markets. Additionally, the trading market for big data derivatives should be explored, and the market entities in all links of the industrial chain should be encouraged to carry out data exchange and trading with the aim of promoting the circulation of data resources and establishing a sound trading and pricing mechanism for data resources; ultimately, the standard system of the big data industry should be established and promoted by standardizing transactions. The Notice of the State Council on Issuing the “13th Five-year” Plan on National Informatization of 2016 takes as one of its major tasks and key projects “establishing a sound system and mechanism for the management of national data resources”, “building policies and regulations relevant to data opening, property rights protection and privacy protection”, “consummating the systems for data asset registration, pricing, trading and intellectual property protection”, and “cultivating the market for data exchange”. The Outline for the National IT Application Development Strategy of 2016 points out that work shall be done to develop information resources, release digital dividends, and explore the establishment of a system to protect the rights and interests of information property. On April 9, 2020, the CPC Central Committee and the State Council issued the Opinions on Building a More Perfect System for Market-based Allocation of Factors of Production. This is a programmatic document giving full play to the decisive role of the market in the allocation of resources. It juxtaposes data with the other four factors for the first time and provides clear guidelines for the direction of China’s economic transformation and upgrading in the future.
The document specifies that we shall “accelerate the cultivation of data elements market”, “research how to perfect the property rights according to the nature of data”, “guide the establishment of big data exchange market and conduct data exchange in compliance with laws and regulations”, for the ultimate goal of “establishing a sound system for the trading of data property rights and industry self-discipline”.
At the Legislation Level

At present, there is no specific and direct legislation on data exchange at the national level. In 2016, Guizhou Province issued the Regulations on Promoting the Development and Application of Big Data in Guizhou Province, designed to stipulate the basic principles of data resource transactions, data exchange methods, data exchange service institutions, etc.38 These Regulations became the first local law regulating data trading in China. The norms most relevant to data trading are principally found in the field of personal data protection. The Ninth Amendment to the Criminal Law clearly establishes the crime of infringing citizens’ personal information: those who, in violation of the relevant provisions of the state, sell or provide citizens’ personal information to others, or steal or illegally obtain citizens’ personal information by other means, may, if the circumstances are serious, be convicted of the crime of infringing citizens’ personal information. The Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Laws in Handling Criminal Cases of Infringing Citizens’ Personal Information (Fa Shi [2017] No. 10) further refines the constitutive requirements of the crime. It is expressly illegal to provide lawfully collected personal information of citizens to others without the consent of the persons from whom it was collected. In violation of the relevant provisions of the state, obtaining citizens’ personal information through purchase, acceptance, exchange, etc., or collecting citizens’ personal information in the course of performing duties or providing services, constitutes “illegally accessing citizens’ personal information by other means”. In terms of civil legislation, before the promulgation of the General Principles of Civil Law, personal information in China could be protected principally through the right of privacy, the right of name and the right of reputation.
Although the concept of personal information rights or personal information protection rights has not been clearly defined in the General Principles of Civil Law, the dual protection mechanism of privacy and personal information has been established, which means that personal information is protected by law directly as a civil interest independent of the right of privacy. Moreover, a series of laws, such as the Cyberspace Security Law, the Law on the Protection of Rights and Interests of Consumers, and the Advertisement Law of the People’s Republic of China (hereinafter referred to as the Advertising Law), specify the rules for the collection and use of personal information.

38 Article 18 of the Regulations on Promoting the Development and Application of Big Data in Guizhou Province stipulates that the data exchange market be cultivated and data trading be standardized. Data resources shall be traded following the principles of voluntariness, fairness and good faith, and in compliance with laws and regulations and social morality, with no harm to national interests, social public interests or the legitimate rights and interests of others. In data trading, a contract shall be concluded in accordance with the law to specify data quality, bargain price, method of submission, data use, etc. In addition, model texts of data exchange contracts shall be introduced. By Article 19, service institutions for data exchange shall be qualified to carry out data exchange and be equipped with relevant personnel, make rules for data trading and trading registration, and provide law-based services; parties to data trading are encouraged and guided to conduct data trading in legally established service institutions.

After the issuance of the Opinions on Building a More Perfect System for Market-based Allocation of Factors of Production in 2020, the state and many regions accelerated legislation on data trading. In terms of national policies, the Notice on the Overall Plan for the Lingang New Area of China (Shanghai) Pilot Free Trade Zone, the General Scheme of the Construction of Hainan Free Trade Port and many other documents explicitly state that cross-border data circulation and transaction risk assessment management should be achieved to promote data processing and trading. From the perspective of national legislation, the Data Security Law of 2021 makes it clear that data activities include data transactions. Article 19 of the Data Security Law states that “the state is to establish and complete management systems for data transactions, regulating data exchange conduct, and cultivating data exchange markets”. Article 33 of the Data Security Law states that “the provision of services by institutions engaged in data transaction intermediary services shall require the party providing the data to explain the data’s origins, and shall review and verify both parties to the transactions’ identities, and store records of the verifications and transactions”. Furthermore, it also stipulates the legal liability for violating Article 33, e.g., “where establishments engaged in services as intermediaries in data transactions fail to perform the obligations in article 33 of this Law, the relevant regulatory departments are to order corrections, confiscate the unlawful gains, and give a fine of between 1 and 10 times the value of the unlawful gains, or where there are no unlawful gains or the unlawful gains are less than 100,000 RMB, a fine of between 100,000 and 1,000,000 RMB is to be given, and they may be ordered to stop relevant operations, suspend operations for rectification, or cancel related business permits or licenses; a fine of between 10,000 and 100,000 RMB is to be given to the directly responsible managers and other directly responsible personnel”. At the department level, the Ministry of Commerce issued the Notice of the Ministry of Commerce on Issuing the Overall Plan for Comprehensively Deepening the Trials for Innovative Development of Trade in Services (Shang Fu Mao Fa [2020] No.
165), which proposes that the model of innovative development be fully explored, with support and direction from the Office of the Central Leading Group for Cyberspace Affairs, the Ministry of Industry and Information Technology, the Ministry of Commerce and the CSRC, and be carried forward in pilot areas. Furthermore, it proposes developing cross-border services such as big data collection, storage, processing, analysis, mining and trading based on industrial networks; exploring rules and standards for data service collection, desensitization, application, transaction and supervision; and advancing the commercialization and securitization of data assets to explore new models for big data exchanges while conducting a study on the security guarantee of data transactions. Since data exchange is a new legal matter in China, there are many disputes and problems in the design of data security systems at the national level. In this context, local areas have taken the initiative in trials, accumulating much early experience for future national legislation on data trading. Some typical examples are as follows: (1)
On December 14th, 2018, the seventh session of the Standing Committee of the 17th National People’s Congress of Tianjin passed the Regulations on the Promotion of Big Data Development and Application of Tianjin, of which Article 29 clearly stipulates that “all kinds of data legally acquired can be traded, exchanged or developed and utilized in other ways on the condition that they cannot be restored or providers of specific data cannot be identified after processing. Data trading and exchanges shall comply with laws and regulations and social morality and shall not harm the interests of the state, public interests and the legitimate rights and interests of others.” Article 45 then clearly requires the people’s governments of cities and regions and their relevant departments to take measures to cultivate data exchange markets and standardize trading practices; to encourage and support the development and utilization of government data and social data in accordance with law through data trading; to encourage market entities in all sectors of the industrial chain to exchange and trade data for the sake of the circulation of data resources; and to encourage and guide parties to carry out data trading in lawfully established data trading service institutions, with the aim of enhancing the development and application of big data. By Article 50, units engaged in data collection, storage, cleaning, development, application, transaction and release shall establish management systems for data security protection, make emergency plans for data security, and regularly carry out security evaluations, risk assessments and emergency drills; they shall also adopt technical measures for security protection to prevent data loss, damage, leakage and tampering and to ensure data security. In the case of a major data safety accident, the emergency plan should be launched immediately and remedial measures taken in time. Additionally, they should inform consumers who may be affected and report to the relevant competent departments in accordance with the provisions.

(2) On August 1, 2019, the Eleventh Session of the Standing Committee of the 13th People’s Congress of Guizhou Province passed the Regulations of Guizhou Province on Big Data Security, which include the units and individuals engaged in big data exchange among the persons in charge of big data security and define the security protection responsibilities of the persons in charge of big data security.

(3) On 29 June 2021, the Shenzhen Special Economic Zone Data Regulations were adopted by the Standing Committee of Shenzhen Municipal People’s Congress and will come into force on 1 January 2022. Articles 65, 66, 67 and 69 of the regulations cover data transactions, transaction platforms, transaction pricing, etc. The regulations state that data transactions shall follow the principles of voluntariness, fairness and good faith, and that data shall be traded in the data element market through discretionary trading, trading platforms and other legal ways. Data trading platforms are required to establish a safe, reliable, controllable and traceable trading environment and to draw up rules for data exchange, information disclosure, self-regulation and other matters. Moreover, effective measures should be adopted to protect personal privacy, business secrets and important data. In addition, the rules of data trading platforms shall be implemented after being approved by the municipal department in charge of data statistics and processing. It is proposed that data trading platforms construct data property pricing indicators from real time, time span, sample coverage, integrity, data category and class, and data mining potential, and cooperate with data value evaluation institutions to reasonably evaluate the value of data
properties. Data products and services formed by market entities through the lawful processing of data can be traded in accordance with the law, except where the traded data products and services include personal data not authorized according to law, where they include public data not opened according to law, and in other circumstances prohibited by laws and regulations. Market entities are not allowed to use data analysis to impose differential treatment on counterparties with the same trading conditions, although exceptions are also stipulated. Article 94 stipulates the legal liability for violation of Article 67.

In Terms of Standards

To date, the standardization of data exchange in China has gradually improved, and a series of relevant standards for data exchange have been released and implemented. The national standards directly concerned are:

(1) Requirements on Security Capability of Big Data in Information Security Domain (GB/T 35274-2017), issued on December 29, 2017 and implemented on July 1, 2018;
(2) A Description of Trading Data of IT Data Exchange Service Platform (GB/T 35274-2017), issued in June 2018 and implemented on January 1, 2019;
(3) Information Technology-Data Exchange Service Platform-General Functional Requirements (GB/T 37728-2019), Maturity Model of Data Security Capability in Information Security Domain (GB/T 37988-2019) and Requirements on Service Security of Data Exchange in Information Security Domain (GB/T 37932-2019), issued on August 30, 2019 and implemented on March 1, 2020.
Characteristics of China’s Policies and Laws of Data Transactions

After data were identified as a factor of production, a series of policies and laws on data trading were made and released at the national and local levels. On the whole, however, the field is clearly policy-driven and lacks a law-based system.
Characterized by Policy-Driven and Deficient Law-Based Systems

In the field of data exchange, the national strategies concerned show a distinct color of “governance by policy”, while “legal governance” appears to be absent and has no say. The existing Program of Action for Promoting the Development of Big Data, the “13th Five-year” Plan and the Notice on Organizing and Implementing Major Projects for Promoting Big Data Development reflect a policy-driven development paradigm characterized by broad outlines, difficult implementation and instability, which makes substantive norms for data trading hard to implement. As an important support for building the market of data elements, the security rules of data exchange should be a key part of the Data Security Law, but the Law does not establish an operable data exchange system in line with the current state of data exchange development. First and foremost, the principle stipulated lacks operability. As a provision of principle, Article 19 needs the support of follow-up rules, but the current draft provides them only in Articles 33 and 47, and it is difficult to establish a basic framework for the complex data exchange system with just a few articles. Second, the range of data exchange subjects regulated by the draft is too narrow to cover the other entities in the trading market. Judging from the current situation of the data exchange market in China, the subjects involved in data exchange are very complex and are not limited to intermediaries of data exchange services. Third, there is no correspondence between behavior patterns and legal consequences. The draft does not provide licensing requirements for data trading, yet the legal liability section of Article 47 contains the penalty of revoking the relevant business license. Regarding the problems arising from big data exchanges, under the current legal framework there are many difficulties in regulating data transactions or addressing issues of data rights by means of real rights, intellectual property, creditor rights or anti-unfair competition, such as difficulty in being theoretically self-consistent or insufficient legal effect. For example, as an intangible object, data are difficult to include in the property law system, where the object is limited to tangible objects. In view of the reproducibility of data, the same data can be owned by multiple persons at the same time, which violates the basic principle of “one property, one right” if the data are included in the real right specification.
The object of intellectual property protection is “creative intellectual achievement”, and a certain degree of originality of the object is a requisite for obtaining legal protection. Therefore, it is difficult to regulate and protect data lacking originality. In terms of creditor rights, protection against third-party infringements is not guaranteed due to the relativity of bonds. Anti-unfair competition is restricted to the existence of competitive relations. In the context of the rapid development of the data industry, overall, China’s legislation specifically regulating data transactions is very scarce, and the legislative provisions on data transactions are relatively fragmented.
Basic Rules not yet Established and the Core Issues to Be Solved

Currently, data exchange in China basically relies on the self-restraint of platforms and their own exploration of rules, such as the Personal Data Protection Principle, Data Circulation Prohibition List, Data Interconnection Rules and Data Circulation Principle formulated by Shanghai Big Data Trading Center; the Anhui Big Data Trading Rules by Anhui Big Data Trading Center; the Guiyang Big Data Exchange 702 Convention by Guiyang Big Data Exchange; the Harbin Data Trading Rules by Harbin Big Data Trading Center; and the Big Data Exchange Security Standard, Transaction Data Format Standard, Big Data Exchange Code of Conduct and Big Data Exchange Management Regulations established by Central China Big Data Exchange.
Moreover, the problems of the nature and ownership of data, which are the core of data exchange, have not been solved in legislation. Similar to data regulation in Europe and America, the current legislation of our country as a whole also focuses on the protection of personality rights. For personal data, we follow the example of the EU and have initially established rules for the collection and use of individual data based on a series of laws and regulations such as the Cyberspace Security Law, the Law on the Protection of the Rights and Interests of Consumers, the Decision of the Standing Committee of the NPC on Strengthening the Protection of Network Information, the Personal Information Protection Law and the Criminal Law. The legislation does not clarify what rights and interests the data controller has where the data fall outside the context of personality rights or personal data protection. The Civil Code adopted on May 28, 2020, first introduced “privacy and personal information protection” into the chapter on “personality right”, but the law does not specify to what category of object of right “personal information” belongs.
Current Dilemma of Big Data Exchange in China

Whether the ownership of data is clear is the core question of data exchange research in academic and practical circles, and the “ownership of personal data rights” is the most intractable problem of data ownership.39 In the absence of clear legal provisions on the property and trading rules of big data, big data exchanges remain in a state of “testing the waters” and are confronted with many challenges.
Data Generalization Transaction Without a Clear Red Line of Law

The absence from current legislation of a series of normative mechanisms, such as the scope of data exchange, data pricing mechanisms, data quality and data responsibility, makes it difficult for standards to play their full role in guiding behavior in the field of data exchange. Current data trading is polarized: either it deteriorates into black and gray transactions, which have bred and proliferated over the years, or no trading is conducted at all for fear of legal sanctions.
Characteristics of Rules Lacked and Innovation of Transaction Limited

The existing big data exchange rules are too conservative and uniform, and few new market trading rules have been designed based on the characteristics of big data. Taking the ordinary commodity sales contract as the basic norm, the current rules regard data as ordinary goods, for which the information provider and demander are called “seller” and “buyer”, respectively, and the transaction is characterized as an “exchange of currency and data”, with a strong color of civil exchange and without the concept of commercial dealing being highlighted. Above all, the existing rules fit poorly with the characteristics of big data, and the business develops in an inefficient, extensive way, which is not beneficial to the expansion of transaction volume or the further innovation of the trading mode.

39 Chengzhen [7].
Unclear Data Rights and Restrained Industrial Development

An effective system of property allocation helps lower transaction costs and boost the development of data exchange and the data industry. However, the current legislation has not made clear the nature of data, their ownership and other issues, so we cannot know exactly what rights and interests the data subject, data controller, data processor, data receiver and data trading platform enjoy in each item of data. If much emphasis is placed on the negative side, namely that personal data protection from the perspective of personality rights is not beneficial to the release of the property value of data, and if the data rights enjoyed by controllers of original data sets and by data processors fail to be effectively guaranteed by the law in force, the enthusiasm for data opening and investment will be inhibited, hindering the development of the data economy.

References

1. P. Xing, W. Yujiao, Analysis of Vermont data broker act as well as its enlightenment. Wuhan Finance 230(02), 48–52 (2019)
2. J. Yao, Research on legal regulation path of data industry—from the point of view of American data broker system. Judicial Reform Rev. (2) (2017)
3. Z. Jiguang, Introduction to American personal credit information system. Econ. Aff. 000(001), 78–80 (2003)
4. S. Xiangyan, B. Jinglv, The development of the U.S. personal credit information market. China Finance (04), 81–82 (2017)
5. Z. Jinxin, Analysis of three types of big data exchange platforms and their advantages and disadvantages. China Ind. Rev. 10, 109–111 (2016)
6. Z. Yinglong, On the legal protection of no original databases. Zhejiang Acad. J. (2) (2008)
7. L. Chengzhen, Research on legal issues of data exchange. Legal Syst. Econ. 7, 87–89 (2020)