The proposed Cybersecurity Law features with data localisation, surveillance, and real-name requirements. It will require instant messaging services and other internet companies to require users to register with their real names and personal information, and to censor content that is “prohibited”. Real name policies restrict anonymity and can encourage self-censorship for online communication.
There is also an element of data localisation, which would force “critical information infrastructure operators” to store data within China’s borders.
According to Human Rights Watch, an advocacy organisation that is opposing the legislation, the law does not include a clear definition of infrastructure operators, and many businesses could be lumped into the definition.
Sophie Richardson, Human Rights Watch’s China director said the new law will effectively put China’s Internet companies, and hundreds of millions of Internet users, under greater state control.
Many of the regulations are not new, most were informally carried out or specified in low-level law. However, implementing the measures on a broader level will lead to stricter enforcement.
Companies are required to report “network security incidents” to the government and inform consumers of breaches, but the law also states that companies must provide “technical support” to government agencies during investigations. “Technical support” is not clearly defined, but might mean providing encryption backdoors or other surveillance assistance to the government.
The Cybersecurity Law also criminalises several categories of content, including that which encourages “overthrowing the socialist system,” “fabricating or spreading false information to disturb economic order,” or “inciting separatism or damage national unity.”