China’s Draft Cybersecurity Law

Publication: China Brief Volume: 15 Issue: 24

Chinese President Xi Jinping speaks at the World Internet Conference in December 2015 (Source:China News).

In early December, China and the United States reached an agreement in their first round of high-level dialogue on fighting cybercrime and other malicious cyber activities (China Daily, December 2; Legal Daily, December 2). The meeting marked a significant step for both countries in establishing acceptable rules on cybersecurity after Chinese President Xi Jinping and U.S. President Barack Obama signed a bilateral “no-hacking” pact during Xi’s state visit to the U.S. in September 2015.

The cybersecurity agreement brought international attention again to China’s Draft Cybersecurity Law unveiled by the Standing Committee of the National People’s Congress (NPC) on July 6, 2015 (NPC website). The 68-article draft law was released shortly after the passage of China’s revised National Security Law and the publication of two other draft laws on counterterrorism and NGO management. All four laws are considered an ambitious effort by the Chinese Communist Party (CCP) under Xi Jinping’s leadership to maintain its firm grip on power in a changed domestic and international environment. Against this backdrop, it is important to take a careful look at the legislative background and the text of the draft law to understand China’s views of the risks posed by cyberspace and the policies it will implement to cope with these risks.

Legislative Background

An explanatory of the draft law suggests as justifications for this proposal “new situations,” “[the] CCP Central Committee’s requirements” and “people’s expectations” (NPC website, July 6).

– “New situations” are a reference to: (1) cyber-attacks threatening the security of critical information infrastructure in the sectors of telecommunication, energy, transportation, finance, national defense and public administration; (2) unlawful actions, such as illegal acquisition, release, purchase, or sale of personal data, insulting or slandering other people, and violating intellectual property, which seriously violate the legitimate rights of natural persons or legal entities; (3) dissemination of illegal information propagating terrorism or extremism and instigating the subversion of state power or overthrow of the socialist system, or spreading of pornographic information.

– “CCP Central Committee’s requirements” include: (1) “new thoughts, new opinions and new judgments” by President Xi Jinping; (2) the suggestions of the Fourth Plenary Session of the 18th CCP Central Committee for improving cybersecurity.

– “People’s expectations” are obligations put on the authorities to: (1) strengthen cyberspace governance according to law; (2) regulate the transmission of Internet information; (3) suppress violations and crimes in cyberspace; (4) create a transparent and safe cyberspace.

The explanatory report also points out the draft law’s “guiding thoughts” that include the “overall national security outlook” (总体国家安全观) proposed by Xi Jinping and the Chinese Internet policy of “active use, scientific development, law-based administration and ensured security” (Xinhua, April 20; China Brief, July 17; People’s Daily Online, June 8, 2010).

Cybersecurity Administration of China

A key point of the draft law is the suggestion of a leadership role for the Cybersecurity Administration of China (CAC) for maintaining security in cyberspace. Pursuant to Article 6 of the legislation, the CAC is responsible for planning, coordinating, supervising, and administering cybersecurity-related affairs. Accordingly, other governmental organs such as the Ministry of Industry and Information (MIIT) and the Ministry of Public Security (MPS) may discharge their own duties in accordance with this law and other regulations. The CAC, therefore, will be elevated to the role of China’s paramount Internet security regulator.

Aside from the general authorization granted under Article 6, the CAC’s specific tasks and powers also include: (1) handling complaints about harmful acts against cybersecurity (Article 10); (2) designating critical Internet equipment and specialized cybersecurity products (Article 19); (3) organizing security inspections of Internet products and services purchased by critical information infrastructure operators (Article 30); (4) setting security assessment rules on the admissibility of storing personal information and other important data outside Chinese territory (Article 31); (5) developing coordination mechanisms for security testing, emergency drills, information sharing, and technical assistance for protecting critical information infrastructure (Article 33); (6) requiring Internet service providers (ISPs) to stop or block the transmission of information prohibited by law (Article 43); (7) coordinating the collection, analysis and reporting efforts with regard to Internet security information (Article 44).

The CAC, also known as the Office of the Central Leading Group for Cybersecurity and Informatization, is headed by Lu Wei, who also serves as the deputy head of CCP Propaganda Department, an internal CCP organ in charge of ideology-related work. This Central Leading Group, headed by Xi Jinping, is a decision-making body of the CCP Central Committee for formulating and implementing policies on cyberspace affairs. The group’s two deputy heads are Li Keqiang, Premier of the State Council, and Liu Yunshan, chief of the CCP Propaganda Department. Lu’s position within the CCP as a top propaganda official implies that the CAC’s main task is to censor the cyberspace.

At the first meeting of the Central Leading Group in February 2014, Xi Jinping called for a dual focus on “cybersecurity” (网络安全) and “informatization” (信息化, “advancing information technology”), arguing that “without cybersecurity, there is no national security; without informatization, there is no modernization” (Xinhua, February 27, 2014).

According to Article 1 of the draft law, the legislation’s objectives are fourfold: cyberspace sovereignty, social stability, privacy protection, and economic development. As such, the first objective is to provide a legal basis for preserving China’s “cyberspace sovereignty” (网络空间主权), also known as “cyber sovereignty” (网络主权).

Cyberspace Sovereignty

The proclamation of cyberspace sovereignty may date back to a 2010 Chinese government white paper on Internet policy, whose core tenet was that “the Internet is an important infrastructure facility for the nation” and “within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty” (China Daily, June 9, 2010). China’s intention to uphold cyber sovereignty has also been written into its 2015 white paper on military strategy, which characterizes cyberspace as a new domain for national security and announces China’s preparation for strengthening its cyber military forces (Xinhua, May 26; China Brief, June 23). From the perspective of the Chinese government, while the Internet is global in nature, how it is governed should be subject to the jurisdiction of each country. President Xi Jinping reaffirmed the principle of cyberspace sovereignty in his most recent keynote speech at the Second World Internet Conference held in China (Xinhua, December 16).

According to Ye Zheng, an information warfare expert with China’s Academy of Military Science, cyber sovereignty is a new concept first proposed by China and subsequently opposed by some Western countries. But this concept is gradually finding acceptance in the international community, including some Americans. In this regard, the current contention is not on whether sovereignty in cyberspace exists, but on how it is interpreted and safeguarded (People’s Daily Online, July 20).

The China-U.S. debate over cyberspace sovereignty is linked to the global controversy on Internet governance. Growing discomfort with the dominance of the United States in global cyberspace and its use of cyber capabilities has prompted China to pursue actions directed at changing the status quo of global Internet governance. China’s recent submission, together with like-minded allies in the Shanghai Cooperation Organization (SCO), of an updated version of the International Code of Conduct for Information Security to the United Nations in January 2015, is one such example (China Brief, September 4). [1]

Cyberspace Censorship

Another major objective of the draft law is to maintain “social stability.” This concern is so serious that it is, in the lexicon of the CCP, synonymous with “national security” as seen through the lens of Xi’s comprehensive national security concept (China Brief, November 16). In his explanatory report on the resolution by the Third Plenary Session of the 18th CCP Central Committee on major issues concerning comprehensively deepening reforms, Xi stressed the importance of reforming Internet management. In Xi’s opinion, the driving force of the reform is the challenge to “national security and social stability” posed by the rapidly growing number of social network users and instant messaging tools characterized by fast communication, high influence, broad coverage, and strong mobilizing capability (Xinhua, November 15, 2013).

In order to promote social stability, the draft law dedicates the entire fourth chapter, entitled “Internet information security” and comprised of 10 articles, to this issue. While Articles 34–39 are designed to protect personal information, Articles 40–43 are measures for censoring illegal information.

In terms of privacy protection, ISPs are required to meet their legal obligation to protect personal information (Article 34). Thus, the ISPs must follow principles such as legality, legitimacy and necessity (Article 35). They are also required to adopt measures necessary to keep the personal information collected strictly confidential (Article 36). An individual has the right to request the deletion of his or her personal information collected or used by the ISPs (Article 37). Nobody is allowed to acquire or disclose the personal information of others in an illegal manner (Article 38). Government authorities must not disclose any personal information obtained while performing their duties (Article 39).

As for censorship measures, ISPs are obligated to stop the spread of information prohibited by law (Articles 40 and 41) and to set rules for handling complaints on Internet information (Article 42). The CAC and other public offices are empowered to order ISPs to block the transmission of such illegal information (Article 43).

It is surprising to note that, while the first half (Articles 34–39) of the fourth chapter is devoted to the protection of cyberspace privacy, the second half (Articles 40–43) lays down the obligations of ISPs and the powers of government agencies in censoring all illegally collected or used information, whether personal or non-personal. The fact that all these provisions are gathered in one chapter begs the question of whether the law is really meant to protect cyberspace privacy or, rather, is intended to carry out Internet censorship under the pretext of privacy protection.

Another reason for skepticism is that this law has other provisions, outside the fourth chapter, that may be used for cyberspace censorship. For example, Article 20 requires Internet users to register in their real names in order to receive Internet services. Article 50 of the draft law goes even further, allowing the government to temporarily shut down Internet access in areas where public security is deemed to be threatened.

These censorship measures may be necessary and even useful for maintaining order in cyberspace, but they will also disproportionately infringe on the freedom of speech of Internet users.

Cybersecurity with Chinese Characteristics

The Chinese concept of cybersecurity was clearly articulated in a 2013 speech by Lu Wei. This involves four concepts: security of cyberspace sovereignty, security of Internet information, security of privacy in cyberspace, and security of information technology (Xinhua, December 10, 2013). It is necessary to note that basic rights such as privacy are often interpreted as defensive rights of citizens against state intervention. Since, in many cases, individual privacy and national security are by nature in conflict, the so-called “security of privacy,” an elusive term coined by Lu, is doomed to be a mission impossible.

The Chinese cybersecurity bill needs to be understood in the context of China’s rise in economic strength and global influence and its aspiration to set norms in global affairs. By attempting to create borders in cyberspace and solidify the status of the CAC as the leading organ for governing the cyberspace, the draft law demonstrates the CCP’s resolve to protect national interests in the face of international pressure.

A review of the draft law reveals that while the list of powers granted to the government is long, only one obligation is imposed under Article 39 (see above); the obligations imposed on Internet service providers and Internet users are numerous, but no rights are granted to the providers and only one to the users under Article 37 (see above). According to Xie Junzhe, a cybersecurity law expert with Renmin University of China (RUC), the draft law leaves the impression that it deals solely with questions of how the government may rule the cyberspace and how companies and individuals need to cooperate with the government (China Civil and Commercial Law Net, July 19). This leaves the question of how will rights be protected. As Xie’s colleague at the RUC, Professor Liu Pinxin, argues, the law needs more provisions on the protection of fundamental rights in order to balance the interests of security and liberty in the cyberspace (People’s Daily Online, September 1).


The sweeping and vague draft law on cybersecurity gives the Chinese government almost unbridled powers to maintain the nation’s security in cyberspace. If the draft law in the current form is passed and the discretionary powers enjoyed by the government are not balanced by strict conditions and strong oversight, it remains questionable whether the security, achieved at the expense of fundamental rights, is genuinely worthwhile.

Dr. Zunyou Zhou is a senior researcher and head of the China section at Germany’s Max Planck Institute for Foreign and International Criminal Law and the author of “Balancing Security and Liberty: Counter-Terrorism Legislation in Germany and China” (2014).


  1. Wang Xiaofeng, The Issue of Cybersecurity in the China-U.S. Relationship, in: American Studies, No. 3, 2013 [汪晓风, 中美关系中的网络安全问题, 《美国研究》2013年第3期], pp. 20–24).