(Nov. 13, 2018) On September 15, 2018, the Ministry of Public Security (MPS) of the People’s Republic of China (PRC or China) issued a new regulation on cybersecurity supervision and inspections by the police. (Gong’an Jiguan Hulianwang Anquan Jiandu Jiancha Guiding [Measures of Internet Security Supervision and Inspection by the Public Security Organs] (Sept. 15, 2018, effective Nov. 1, 2018) (Regulation), MPS website; Nectar Gan, Chinese Police Get Power to Inspect Internet Service Providers, South China Morning Post (Oct. 5, 2018).)
The Regulation was released on the MPS website on September 30, 2018, and took effect on Nov. 1, 2018. (Regulation.) It was formulated in accordance with the PRC Law on the People’s Police and the PRC Cybersecurity Law. (Id. art. 1.) The PRC Cybersecurity Law (also translated as the PRC Network Security Law), which was enacted on June 1, 2017, requires network operators in China to provide technical support and assistance to public security organs (the police) and national security organs that are safeguarding national security and investigating criminal activities in accordance with the Law. (Zhonghua Renmin Gongheguo Guojia Anquan Fa [PRC Cybersecurity Law] (adopted by the Standing Committee of the National People’s Congress (NPC) on Nov. 7, 2016, effective June 1, 2017) art. 28, NPC website.)
According to the Regulation, police may inspect internet service providers, including internet information providers, internet cafes, and data centers. (Regulation art. 9; Gan, supra.) It lists the general content the police are to look for, as well as specific content related to different types of internet services. (Regulation arts. 10 & 11.) In addition, it prescribes the performance of special inspections during “periods of major national network protective tasks.” (Id. article 12.)
The Regulation contains specific measures the police may take in the network security inspections, including physically entering the business sites, machine rooms, and offices; requiring managers or network safety personnel to explain items that are under inspection; reviewing and copying relevant information; and checking how technical measures to safeguard network and information security are running. (Regulation art. 14; Gan, supra.)
According to a Chinese lawyer, while the Regulation might add to concerns among foreign internet service businesses in China, there was actually “not much new in the regulation,” since the police in China have long conducted similar cybersecurity inspections in accordance with a provision in the Police Law that says police have the duty to supervise and manage security and protection work on computer information systems. (Gan, supra.; Zhonghua Renmin Gongheguo Renmin Jingcha Fa [PRC People’s Police Law] (adopted by the NPC Standing Committee on Feb. 28, 1995, amended Dec. 26, 2012) art. 6, NPC website.)