On December 27, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published the P.R.C. Anti-Terrorism Law. The law was enacted in response to a perceived growing threat from extremists and terrorists, particularly in regions in Western China, and came into effect on January 1, 2016.
As its name suggests, the main goal of the law is to strengthen national security and to prevent terrorism. The law defines terrorism and declares it to be illegal, authorizing both civil and criminal sanctions. The law also takes certain actions that promote its objectives, such as (1) allowing for the designation of certain organizations as terrorist organizations, (2) establishing institutions such as a counter-terrorism intelligence agency and counter-terrorism units of the armed police forces and of the People’s Liberation Army to allow for the requisition of property in urgent circumstances, (3) mandating a system for incident response planning and (4) providing for international cooperation. It also empowers public security agencies to take actions such as launching investigations and even using weaponry in emergency or dangerous circumstances.
Certain provisions in the law require telecommunications system operators and Internet service providers to provide technical support and assistance, such as access to their technical interfaces and assistance with decryption, to public security and state security authorities which may be conducting investigations of terrorist activities or taking action to prevent them. The law also requires telecommunications system operators and Internet service providers to adopt network security systems and information content monitoring systems to prevent the dissemination of information containing terrorist or extremist content over their systems. If they discover information with terrorist or extremist content being disseminated over their systems, they must halt the dissemination, close the relevant websites, keep records of the incident and make a report to the relevant public security organizations. A fine of more than RMB ¥500,000 may be imposed on telecommunications system operators and Internet service providers who fail to provide technical interfaces, decryption and other technical support or assistance to competent government agencies, and the person in charge may be subject to a fine of up to RMB ¥500,000 and possibly detention of up to 15 days.
The Anti-Terrorism Law permits the People's Liberation Army to get involved in anti-terrorism operations overseas. It also restricts the right of media of various types to report the details of terrorist attacks. For instance, social media cannot report on details of terror activities that might inspire copycat attacks, and cruel and inhuman scenes cannot be depicted in their reports.
The Anti-Terrorism Law contains several provisions that are significant in the context of personal information protection. For instance, the law requires railway, road, water and air transport operators and postal offices, couriers or other logistics operators to conduct an examination of the identities of their clients, and to perform security checks and visual checks on the articles they transport and deliver. An operator listed above which fails to comply with the foregoing obligations may face a fine of up to RMB ¥500,000 (approximately $76,250 USD at current exchange rates), and the person in charge may face a fine of up to RMB ¥100,000.
Service providers in certain industry sectors, such as the telecommunications, Internet, finance, hotel, long-distance passenger transportation and automobile leasing sectors, are required to conduct an examination of the identities of their clients as well. Service providers which fail to examine their clients’ identities, or provide services to those who refuse to make this examination, may be subject to fines of more than RMB ¥500,000. The person in charge may face a fine of up to RMB ¥500,000.
The law permits the collection of financial personal information, including information that would be considered sensitive personal information in other jurisdictions, for purposes of investigating suspected terrorist activities. For instance, during such investigations public security organizations have the authority to investigate the financial information of suspects, such as information relating to their bank deposits and stock and bond holdings. Also during an investigation, public security organizations are given the authority to collect information about suspects including their portrait, fingerprints, iris images and biological samples such as blood samples. In addition, government authorities and other entities or individuals that may be involved are required to keep in confidence any state secret, trade secret or private personal information which may be obtained during the performance of their anti-terrorism investigations.
The Anti-Terrorism Law defines circumstances in which state security organizations have authority to collect personal information. In such circumstances, when there is a conflict with other data privacy regulations that may otherwise prohibit collection, the Anti-Terrorism Law presumably would control. The Anti-Terrorism Law represents a further step in the sector-by-sector development of China’s data privacy framework.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code