China’s Cybersecurity Law comes into effect on June 1. It requires network operators to store select data within China and allows Chinese authorities to conduct spot-checks on a company’s network operations. Beijing asserts that the law is intended to bring China in line with global best practices for cybersecurity.
The law has raised concerns among some foreign companies over greater data controls as well as increased risks of intellectual property theft. Vague terminology and the absence of official guidance on complying with the law have created uncertainty, prompting many to call for the law to be delayed. An 18-month phase-in period is likely to be announced, and the vagueness of the law’s provisions means that most companies are adopting a wait-and-see approach in their compliance preparations.
Background
The Cybersecurity Law was initially passed by the National People’s Congress in November 2016. It will reform data management and internet usage regulations in China and impose new requirements for network and system security. The law is the latest step in China’s long-term campaign for jurisdictional control over content on the internet.
Efforts to control data and content date back to a 2010 government white paper which asserted that “within Chinese territory, the internet is under the sovereignty of China.” China has previously focused its efforts on controlling access to the internet within its borders through its Great Firewall, and since July 2015 has introduced a series of laws and draft laws on internet controls and state access to private data. Legislation regulating data management in the insurance sector was already passed in mid-2016.
At another level, the new law should be considered a means by the government to bring itself in line with global cybersecurity norms and best practices. Currently China’s data industry is loosely controlled compared to the comprehensive legal codes in place for cybersecurity and data management in Europe and North America. Chinese laws do not presently have formal requirements for data safeguards, which can help protect networks from cybercrime.
Scope of the Law
The Cybersecurity Law is applicable to network operators and businesses in critical sectors. Network operators are defined as network owners, managers, and providers; a network is defined as any system composed of computers and related equipment that gathers, stores, transmits, exchanges, or processes information. These definitions mean the law is applicable to almost all businesses in China that manage their own email or other data networks. “Critical sectors” encompasses businesses involved in communications, information services, energy, transport, water, financial services, public services, and electronic government services. Law firm Baker McKenzie has also publicly warned that any company that is a supplier to or partner of firms in these sectors could also be subject to the law.
The law requires network operators to cooperate with Chinese crime or security investigators and allow full access to data and unspecified “technical support” to the authorities upon request. The law also imposes mandatory testing and certification of computer equipment for critical sector network operators. These tests and certifications mainly relate to Article 21 of the law, requiring network operators to formulate internal security management systems and implement network security protections; adopt technological measures to prevent viruses or unspecified forms of cyber attacks; adopt technological measures to monitor and record the safety of a network; and undertake data classification, back-ups of important data, and encryption. These security measures are fairly standard, and form part of best practice recommendations for firms that gather and store important company and client data.
Importantly, Article 37 of the law requires network operators in critical sectors to store within mainland China data that is gathered or produced by the network operator in the country. In addition, the law also requires business information and data on Chinese citizens gathered within China to be kept on domestic servers and not transferred abroad without permission. The law also includes a ban on the export of any economic, technological, or scientific data that would pose a threat to national security or the public interest.
Concerns and Uncertainty
Several of the provisions outlined above have become a cause for concern among foreign companies. Regarding the requirements for spot-checks and certifications, international law firms have warned that companies could be asked to provide source code, encryption, or other crucial information for review by the authorities, increasing the risk of this information being lost, passed on to local competitors, or used by the authorities themselves.
Article 9 of the law states that “network operators … must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility.” The vagueness of this provision, as well as undefined concepts of national security and public interest, increase the government’s grounds to make wide assertions about the need for investigation and reduce a foreign company’s ability to contest a government demand for data access. In addition, the spot-checks can be initiated at the request of the government or a trade association, meaning domestic competitors could request spot-checks on foreign firms. From a business continuity perspective, the new powers of inspection also present a new challenge for operations.
To comply with data localization, foreign firms will have to either invest in new data servers in China which would be subject to government spot-checks, or incur new costs to hire a local server provider, such as Huawei, Tencent, or Alibaba, which have spent billions in recent years establishing domestic data centers as part of Beijing’s 12th Five-Year Plan (2011-2015). The substantial investment by these Chinese technology firms in recent years is one of the reasons critics of the new law believe it is partly designed to bolster the domestic Chinese data management and telecommunications industry against global competitors.
However, one international law firm with a Chinese presence told PGI that the intention of the law is not to prohibit foreign businesses from operating in China, nor is it to boost Chinese competitiveness. Indeed, a study by Matthias Bauer and Hosuk Lee-Makiyama in 2015 showed that data localization causes minor damage to economic growth due to inefficiencies that arise from data transfer processes and the duplication of data between several jurisdictions. The requirement for data localization should instead be seen as a legal move by Beijing — bringing data under Chinese jurisdiction will make it easier to prosecute entities seen as violating China’s internet laws.
Compliance and Implications
The implementation of the law could be phased in gradually, which will allow companies to better assess their obligations and learn from the experience of other firms. More than 50 U.S., European, and Japanese businesses signed a letter to Premier Li Keqiang in June 2016 criticizing the law, stating it would impede foreign entry and innovation. There have been reports by Reuters that this opposition could delay its roll-out. The Cyberspace Administration of China reportedly held a meeting on May 20 and opened discussions about an 18-month phase-in period from June 2017, delaying the full implementation of the law to give companies more time to comply.
The published drafts of the cyber law have already prompted some firms to begin taking preparatory measures. Companies in critical sectors, such as finance and energy, have begun conducting data mapping exercises to determine which information is too critical to be stored on Chinese servers and which information will be required to remain in China. Companies such as the hospitality sharing app company Airbnb have already begun complying with provisions concerning data on Chinese citizens.
However, the law gives little indication of how firms are expected to demonstrate compliance and the ambiguity over its roll-out is indicative of the uncertainty new legislation in China can create for companies. Those in non-critical sectors are unsure of the scope and applicability of the law and there has been very little communication by the Chinese authorities ahead of the implementation date. It remains unclear if a phase-in period would be accompanied by guidance on the new law or if companies would be subject to immediate penalties for non-compliance. This is not unusual with Chinese legislation. It is often only after laws are drafted and feedback is received that authorities then communicate some guidelines on the roll-out, albeit inconsistently. For example, the pollution laws for the shipping industry, which were initially announced in late 2015, were phased in through 2016, and fully enforced by early 2017.
Foreign companies based in China are already accustomed to tight internet and content controls. Many have existing internal policies for information technology and data management and privacy in China, linked to long-standing concerns around intellectual property security, which apply to both in-country operations and travel for international staff. China’s Great Firewall means that the adaptation of information technology practices to Chinese requirements is not a new concept. Despite the reports of some companies in critical sectors already preparing for compliance, most firms appear to be adopting a wait-and-see approach to the Cybersecurity Law, anticipating some communication from the authorities about a phase-in period.
The law presents another important operational consideration for businesses present in the Chinese market. Although unlikely to deter investment, it will introduce another layer of internet regulation on key businesses in China that could reduce efficiency or undermine long-term competitiveness.
Jack Wagner is an Asia analyst at PGI Intelligence, a U.K.-based risk management consultancy.