On December 27th, 2015, Anti-Terrorism Law of People's Republic of China has been passed and promulgated on the eighteenth session of the 12th NPC Standing Committee, whose aim is to combat terrorism, safeguard national security and public safety (hereinafter referred to as "Anti-Terrorism Law "). The Anti-Terrorism Law will take effect since January 1st, 2016. Terrorist activities severely jeopardize public security and it is everyone’s hope to eradicate it. However, it is worth noting that the law also includes several provisions ending up setting obligations or restrictions on the telecommunication operators and Internet service providers (hereinafter referred to as "Internet Corporations"), some of which have already became the center of controversy. We hereby list those provisions as following for your attention and easy reference: 

According to the Anti-Terrorism Law, the Internet Corporations shall share the obligations with authorities at all levels, schools and news media to carry out anti-terrorism publicity and education. 

The Anti-Terrorism Law clearly prescribes that the Internet Corporations shall implement network security supervision and take preventive measures to prevent the dissemination of terrorist information and extremist information and in case of finding any of such information, shall promptly delete them and report to the public security department. If any operator violates this article, the violating operator and the direct responsible personnel may be fined for a certain amount by relevant regulatory authorities and the direct responsible personnel may subject to administrative detention in serious cases. It is worth noticing that effective version of Anti-Terrorism Law does not retain the article of “The Internet Corporations should preserve related servers and domestic users data within the territory of China” which used to appear in the previous draft version. Although no existing laws and regulations has clear provisions with respect to whether all Internet Corporations should store their users data within the territory of China or the requirements for cross-border data storage and transmission, while in practice there indeed existing requirements that data should be stored within the Chinese territory (especially the sensitive information). Even though the Anti-Terrorism Law has not made any clear breakthrough on this regard, it is still possible that relevant authorities may strengthen restrictions regarding data storage and transmission for Internet Corporations by virtue of Anti-Terrorism Law. 

Article 18 of Anti-Terrorism Law is one of focus of attentions for both domestic and foreign corporations, which clearly prescribes that relevant Internet Corporations shall have obligations to provide technical interface, decryption as well as other assistance so as to give support to relevant authorities in preventing and investigating terrorism. Even though the aforesaid stipulation is not the invention of China, but as a worldwide practice like used in the United States and EU. However, it is well known that as a light asset enterprise, an Internet Corporation’s core competitiveness lie in its technical resources. So the Internet Corporation should pay special attention to coordinate with relevant authority during its interaction with them, so as to maintain its normal business operation and protect its intellectual property in this process. 

The Anti-Terrorism Law also provides that the Internet Corporations should verify the user’s identity before providing services. Any Corporation violating this provision may be ordered to correct by relevant regulatory authority and those refusing to rectify or in serious breaches may subject to a fine of a certain amount by the regulatory authorities. 

Although the user-identity-verification obligation has already been prescribed in other laws, the Anti-Terrorism Law further clearly defines the related penalties. In this case, we recommend that in the future, the Internet Corporations should make more efforts to improve the user identity verification process and save verification data in complete manner so as to defend itself during terrorism-related investigation with the claim of “Our corporation has made all reasonable efforts to verify the user’s identity”. 

In addition, the Internet Corporations should also pay attention to comply with the Regulations on Protection of Telecommunication and the Internet Users’ Personal Information and other relevant laws and regulations, including but not limited to the rules of “The corporations shall  not collect personal information other than those necessary for providing services nor use the information except for purpose of providing services; the corporations shall keep strictly confidential of the foregoing information and shall not sell or illegally make them available to others.” 

In summary, it can be seen that the Anti-Terrorism Law has set more clearer and specific obligations and restrictions on business operations for Internet Corporations. It is still unknown whether Internet Corporations’ direct supervision departments, such as the Ministry of Industry and Information Technology, will introduce further rules or not in the future. We will keep tracking this matter and bring the updates to your attention in time.