What Companies Need to Know About the Chinese Anti-Terrorism Law

January 11, 2016


On December 27, 2015, China’s National People’s Congress Standing Committee approved the Anti-Terrorism Law, which became effective on January 1, 2016. This means that for the first time, China has a legal definition of terrorism and a legal framework for its fight against terrorism. The law defines terrorism broadly to include any proposition and activity that (i) creates social panic, endangers public safety, or violates personal and property rights through violence, destruction, or threats, or (ii) menaces government or international organizations in order to pursue its own political purpose or social ideology. The draft of the law issued in November 2014 (the “November 2014 Draft”) was much debated in political and business circles. Some of the most controversial provisions in the draft do not seem to be included in the final law. This alert will mainly discuss the provisions of the Anti-Terrorism Law that may be relevant to companies doing business in China.

Requirements for Telecommunication Operators and Internet Service Providers (ISP)

Under the Anti-Terrorism Law, telecommunication operators and ISPs are required to provide technical interfaces, decryption, and other technical support and assistance to public security and national security agencies that are, under the law, averting or investigating terrorist activities. Also, telecommunication operators and ISPs are required to prevent dissemination of, and report information about terrorism and extremism if found, to the public security bureau and other relevant authorities. Violation of the foregoing requirements could result in penalty of more than RMB 500,000 for a company, as well as penalty up to RMB 500,000 and detention of five to fifteen days for personnel at the company who are directly in charge of relevant matters.

The above-mentioned provisions seem to be less stringent than those under the November 2014 Draft, which would have required telecommunication operators and ISPs to install government-accessible “backdoors” and surrender encryption information even when no anti-terrorism investigation is being carried out.

Further, the requirement under the November 2014 Draft for telecommunication operators and ISPs to store servers and user data within China was removed from the final law. This should have positive effect on international data flow. However, it is worth noting that the Draft Cyber Security Law, issued on July 6, 2015, still requires key information infrastructure operators[1] to store citizens’ personal information and other important data gathered and produced during operations within China. Although the scope of the “key information infrastructure operators” under the Draft Cyber Security Law seems to be narrower than the scope of “telecommunication operators and ISPs” under the Anti-Terrorism Law, it will be interesting to see whether the final Cyber Security Law will still have the data localization requirement for key information infrastructure operators.

Requirements for Financial Institutions

Under the Anti-Terrorism Law, financial institutions and designated non-financial institutions are required to freeze the assets of terrorist organizations and individuals that have been publicly declared by the working body of the leading national institution for counter-terrorism efforts, and to report this to the State Council’s public security department, the national security agency, and the administrative departments responsible for countering money laundering. Failing to freeze assets in the foregoing situation could result in penalty of more than RMB 500,000 for a financial institution or a designated non-financial institution, as well as penalty up to RMB 500,000 and detention of five to fifteen days for directors, senior executives, and other personnel at such institutions who are directly in charge of relevant matters.

By comparison, the November 2014 Draft contained a provision that would have required financial institutions and designated non-financial institutions to implement a customer identification system, a system to store customer identity information and transactions records, and a system to report block trading and suspicious transactions. Although the foregoing systems are not specifically mentioned in the final law, it does impose legal liability on financial service operators and providers that do not check the customers’ identifications or provide services for unidentified customers or customers who refused to be checked.

Protection of State Secrets, Business Secrets, and Personal Privacy

The Anti-Terrorism Law reiterates the importance of protection of state secrets, business secrets, and personal privacy. It provides that leading agencies for counter-terrorism efforts and relevant departments, units, and individuals maintain confidentiality of information involving state secrets, business secrets, and personal privacy. Leaking of such information may result in criminal liability.

Although most provisions of the Anti-Terrorism Law deal with rules on anti-terrorism investigations, security, intelligence, and international cooperation against terrorism, the provisions mentioned above have implications for companies, especially technology and financial companies, operating in China. In other countries, such as the U.S., private lawsuits could arise for violation of anti-terrorism laws, such as anti-terrorist financing lawsuits against banks. It is yet to be seen how China’s Anti-Terrorism Law will be implemented and whether more detailed rules will be issued in this area soon.

[1] Draft Cyber Security Law, issued by China’s National People’s Congress Standing Committee on July 6, 2015, Article 25 (Key information infrastructure refers to basic information networks providing services such as public communication and radio and television broadcasting, important information systems for key industries such as energy, transportation, water conservation and finance, and public service areas such as power supply, water supply, gas supply, medical services and social security, military networks, government affairs networks for state organs at the level of city with districts and above, and networks and systems owned or managed by network service providers with numerous users.)

O'Melveny & Myers LLP is a foreign law firm registered with the Ministry of Justice of the People's Republic of China. Under current Chinese regulations, we are allowed to provide information concerning the effects of the Chinese legal environment, but we are not authorized to practice Chinese law or to render legal opinions in respect of Chinese law. We work in cooperation with a number of Chinese law firms. Should you require a legal opinion in respect of any Chinese law matter, we would be happy to assist you in obtaining one from a Chinese firm.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Bingna Guo, an O'Melveny partner licensed to practice law in New York, and Sean Wu, an O'Melveny associate licensed to practice law in New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York's Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, Phone:+1-212-326-2000. © 2016 O'Melveny & Myers LLP. All Rights Reserved.