HRW Submission on the draft Cybersecurity Law

 

August 4, 2015

 

Li Shishi

Chairman

Legislative Affairs Commission

No. 1, Qianmenxi Street

Xicheng District, Beijing 100805

The People's Republic of China

Email: icc@npc.gov.cn

 

 

Human Rights Watch is an international nongovernmental organization that monitors and reports on human rights in about 90 countries around the world. We welcome the opportunity to provide comments on the draft Cybersecurity Law (“the draft law”), which was published by the National People’s Congress Standing Committee Legislative Affairs Commission on its website on July 6, 2015. Human Rights Watch advocates compliance with international human rights law globally, including the rights to privacy, freedom of expression, and access to information that are at the heart of the draft law.

 

Human Rights Watch has examined the draft law in detail and urges the Chinese government to substantially revise it to scrap provisions that require Internet companies to practice censorship, register users’ real names, localize data, and aid government surveillance.

 

The Chinese government’s pervasive use of censorship and broad surveillance is well-documented. The draft law, which further institutionalizes and strengthens these practices, will limit healthy debates in society as well as exchanges important for technological, scientific, and other social advancements.

 

 

The draft law requires Internet companies to demand that users provide their real name and personal information (art. 20). It also requires companies to provide unspecified “necessary assistance” to police when investigating crimes and for “state security reasons” (art. 23), and to censor undefined “prohibited” messages, stop their spread, cease providing services to the offenders, and report the incidents to the authorities (arts. 40-43). Companies can be fined, their licenses cancelled, and businesses closed if they fail to comply with these requirements (arts. 53 and 57). Article 50 also allows local governments to suspend or restrict local Internet services upon higher level approval when it is necessary to protect “state security.”

 

The rights to freedom of expression and to privacy are protected both by the Chinese Constitution and the International Covenant on Civil and Political Rights, which China has signed but not yet ratified. The right to privacy and the right to freedom of expression entail a corollary right to communicate anonymously. Allowing people to speak anonymously has long been recognized as worthy of protection in order to encourage communication that might otherwise invite reprisal or stigmatization, such as anonymous tips for journalists or blowing the whistle on fraud and improprieties in the workplace or government. The ability to seek, impart, or receive information anonymously online creates a “zone of privacy to protect opinion and belief” and other rights. Although governments have an obligation to investigate and prosecute crimes, they should not impose blanket prohibitions on anonymity, as they are neither necessary nor proportionate; this view is forcefully articulated in the May 2015 report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye. That same report also urges governments to refrain from making identification of users (that is, real-name registration) a condition for access to online services.

 

Chinese laws, including the draft law, do not clearly define “state security,” a fact that was recently criticized by the UN High Commissioner for Human Rights. As a result, those laws allow the term to be arbitrarily or broadly misapplied by the state security apparatus in a wide range of circumstances, including crushing peaceful protests and censoring messages critical of the government.

 

Article 31 of the draft law mandates that “all critical information infrastructure operators” store data in China, though it allows for exceptions upon passing a security review. Article 25 broadly defines “critical information infrastructure” as, among other things, “basic information networks such as public communications … services” as well as “networks and systems managed or owned by Internet service providers with many users,” and thus could include most Internet companies.

 

This requirement would allow the government greater access to and control over user data. In the absence of effective safeguards against the government’s abuse of such access, there is great potential for user privacy to be violated. Such a requirement should be removed from the draft law completely.

 

The draft law also requires operators to adopt technological measures for monitoring network security incidents and retaining network logs (art. 17(3)). Government departments are also required to establish such measures and implement response plans in the case of network security incidents (arts. 44-50). However, the draft does not define “network security incidents,” though Article 65(2) refers “network security” to the prevention of “attacks, invasion, disturbance, undermining and unlawful use of networks … unexpected accidents.” The wide range of circumstances which could be construed as “network security incidents” raises concerns about broad, increased surveillance of online activity.

 

Although the draft law also requires network operators and other companies to protect personal data and notify users of potential security vulnerabilities (arts. 18 and 34-37), and stipulates punishments for such privacy breaches (art. 54), the provisions are vague. It is unclear how users’ privacy can be protected given the broad powers the draft law gives to the government and companies to restrict it, and given the lack of effective mechanisms to challenge privacy violations in China, including when such violations are committed by security agencies in the name of protecting “state security.”

 

Thank you for your attention to this important matter. We look forward to hearing from you.

 

Sincerely,

 

Sophie Richardson

China Director

Human Rights Watch