China’s new Cybersecurity Law has not been widely welcomed by foreign firms
Following the approval by the National People’s Congress last November, China’s new cybersecurity law officially entered into effect on Thursday. The law is presented by Beijing as a national effort to bring China in line with international norms and practices against cybercrimes, but it has also raised critics and concerns. In fact, “there’s unfortunately a lot of
confusion” surrounding the new law, as Michael Chang, Vice President of the European Union Chamber of Commerce in China, said.
Beijing asserts the law is aimed at reforming data management and internet usage regulations in the country by imposing new requirements for network and system security. However, some foreign companies are worried the new measure will make their operations in China less secure or more expensive.
On one hand, everybody agrees China currently lacks comprehensive legal codes, such the ones in place in Europe or America, to help safeguard data from cybercrimes. The world’s second-largest economy should implement its means to protect networks, as no formal requirements were present so far. In some regards, the new law have been welcomed as a milestone in introducing much needed data privacy regulations in China.
However, analysts have expressed fears of greater data controls, as well as increased risks of intellectual property theft, saying that Chinese authorities have not provided enough information about how the wide-reaching law will be implemented.
An article to be watched is number 37 of the law, which states that businesses in critical sectors have to store their data within mainland China, even when gathered or produced by the network operator in a foreign country. Moreover, it is also required that business information and data on Chinese citizens is kept on Chinese servers, and not transferred abroad without permission, and the export of any economic, technological, or scientific data that would pose a threat to national security or the public interest is banned. Unluckily, the concepts of national security and public interest are pretty vague, which leaves the provision open to interpretations.
The law requires companies to allow full access to data, unspecified technical support to security authorities and mandatory testing and certification of equipment, among other measures. It provides new powers to inspectors, and it allows domestic competitors request sport-checks on foreign firms.
Foreign companies are lamenting that abiding to the new law may result in high costs, and storing data domestically could pose a few problems: not only foreign firms normally do need to transfer information outside of China, but also they worry that keeping sensitive information on domestic servers might expose them to industrial espionage.
In June 2016, more than 50 foreign companies from Europe, America and Japan jointly sent a letter to Premier Li Keqiang stating that the law will have the effect of impeding foreign entry and innovation. After that, the Cyberspace Administration opened a discussion about a gradual implementation of the measure, over a period of 18 months, to allow the companies more time to assess their obligations.
If, as critics say, the law will increase costs to foreign firms, exposing multinationals to cyber-espionage, and giving domestic companies an unfair edge, this will result in making it even harder for foreign companies to do business in an already tough environment, as China is currently ranked by the World Bank 78 out or 190 countries in terms of ease of doing business.