China Issues Rule on Security Assessment of New Technologies for Online News Services

China has promulgated a series of implementation rules and guidelines after the Cybersecurity Law of China took effect in June 2017. The most recent one requires that online news information service providers conduct security assessments when they use any new technologies and new applications with the function of shifting public opinion and social mobilization. “Administrative Provisions on Security Assessment of New Technologies and New Applications for Internet-based News Information Services” (the “New Rule”) will become effective on December 1, 2017, by the Cybersecurity Administration of China (CAC). The New Rule is also issued in the efforts to implement Article 17 of “Internet-Based News Information Services Administrative Provisions” (the “Provisions”) amended earlier this year. It is obvious that the New Rule’s primary goal is content security control over the internet by managing the technologies used for news information transmission systems.

Background

Since the CAC’s inception, internet content supervision has always been a high priority, and online news has been given the most regulatory attention. CAC first published rules effective June 1, 2015, empowering itself to conduct “interviews” with the principals of the online news outlets, to order rectifications and impose sanctions when the rectifications are subpar.

The amended Provisions, which became effective in June 2017, clarified that the services of “editing, reporting, publishing or dissemination (or providing a platform for such dissemination)” of “news information” targeting the public via websites, applications, online forums, blogs, microblogs, public accounts, instant messaging tools, online video streaming or other means on the internet” would be considered “internet-based news information services” (INIS) and consequentially subject to a special licensing requirement. “News information” refers to reports and commentaries on current affairs, economic, military, diplomatic and other social events of public interest, and also those on emergency social events.

The Implementation Rules for the Administration of the Licensing for Internet-based News Information Service (the “Licensing Rules”) came out around the same time as the amended Provisions. According to the amended Provisions and the Licensing Rules, the INIS licenses are issued by CAC or its provincial-level branches and subject to renewal every three years. An eligible applicant for INIS licenses must be an entity organized under Chinese laws, and its principal must be a Chinese national. Such regulations further distinguished two types of INIS services, namely, the “editing, reporting and publishing” services that would produce original content (the “Original Content INIS”) versus the others. The licenses allowing Original Content INIS are available only to the state-owned presses, broadcasters, television stations, news agencies and film studios, or entities “controlled” by the foregoing entities (“control” would require more than 50 percent equity ownership or otherwise possessing the power to direct management decisions of the foregoing entities). Notably, foreign entities are not allowed to have any ownership interest in any INIS license holder; moreover, project-based collaboration between a foreign entity (or foreign-invested enterprise) and an INIS license holder will also be subject to prior security assessment and approval by CAC or its provincial-level branches.

The amended Provisions also required INIS operators to undergo a security assessment conducted by CAC prior to adopting certain new technologies or applications. The recently promulgated New Rule furthers this requirement. 

Definition of New Technologies and New Applications

According to the New Rule, new technologies and new applications refer to innovative applications (including their functions and forms) for providing internet-based news information services and relevant supporting technologies. To further clarify the definition, CAC has given a broad description of the platforms where the new technologies and new applications will be regulated in a recent press statement. Such platforms include websites, online forums, blogs, microblogs, public accounts, instant messaging tools and webcasting, according to CAC.

Security Assessment

The New Rule clarified that the security assessment requirement will be triggered if the new technology or application to be adopted by an INIS operator has a functionality operating as news and media or able to mobilize public opinion, or results in material change in such functionality compared with previous technology/application due to variation in user base, functions, technological solutions, resource allocation, etc. 

Under the New Rule, the security assessment will first be conducted by an INIS operator itself, and then followed by an official assessment conducted by the CAC or its provincial-level branches. If risks are detected in the security assessment report, the online news information service providers shall take measures to correct until in full compliance with laws and regulations and national standards. Before the completion of correction, the intended new technologies and applications shall not be used to provide online news information services.

A Look Forward

From news information services providers’ perspective, due to the broad and vague language, like most of the Chinese rules, the New Rule contains uncertainty with the missing operating details. Such security assessment may be burdensome to operators in two ways: (i) the official assessment may take as long as 45 working days, which may significantly delay the launch of the new technology/application; and (ii) the need to disclose various technical details regarding the new technology and application may raise concern over the operator’s need to protect trade secrets and maintain competitive edge.

CAC indicated in a recent press statement that drafting of the detailed guidelines regarding self-assessment, administrative assessment and qualifications on entrusted third-party assessment, is underway, and the guidelines should be promulgated in the near future.