The partial implementation of China’s new cyber-security law has alarmed foreign businesses, already increasingly concerned over the state’s high level of control over the internet. This report assesses the new regulations and their implications for foreign commercial interests.
China’s new cyber-security law (中华人民共和国网络安全法) came into effect on 1 June 2017. The regulations, originally passed by the country’s parliament in November 2016, cover a wide range of issues regarding data in order to address a gap in Chinese law that previously had few measures available to protect personal information.
Underpinning the new law is the Chinese concept of cyber-sovereignty. This emerged as an issue in 2013 after Edward Snowden, a former U.S. intelligence contractor, revealed that the U.S. had been hacking into China and Hong Kong’s cyber-networks for many years. This revelation prompted a review of China’s cyber-defence infrastructure, leading Beijing to conclude the cyber-realm should be governed in ways similar to its national territory. This view was based on the principle that the government has the right to regulate and censor domestic cyberspace and defend it from foreign penetration. This is in contrast with the West’s view of the internet as a decentralised open network with numerous stakeholders.
Beijing has signalled its intention to enforce the rules through several high-profile enforcement actions in recent months
The Cyberspace Administration of China (CAC) is tasked with developing, supervising and implementing this law. The CAC is aided by the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS) as well as other sector-specific agencies. While the CAC has enacted the majority of the regulations, it has delayed sections requiring companies to store personal and ‘significant’ data on servers in the country until 2018.
Beijing has signalled its intention to enforce the rules through several high-profile enforcement actions in recent months, although so far only domestic internet firms have been affected. This appears to reflect concerns that a major legal case against a foreign-owned company in the early days of the law’s implementation would receive a negative response from the international media. Nevertheless, foreign firms should be prepared to face the regulators’ scrutiny in the near term.
There is a broad consensus among domestic and international companies that the regulations will have a significant impact on their operations. Yet efforts to comprehend the new law have frustrated many companies due to a combination of ambiguous language, stringent requirements and a lack of clarity in the implementation plan.
This is coupled with the fact that this is China’s incipient attempt at managing and defending its rapidly evolving cyberspace. This means that the rules and regulations are malleable and subject to change over the next 12 to 24 months. Investors should therefore expect further unveiling of finer details of the regulation and state interpretations of broadly defined terms, including sector-specific regulations.
Although the new measures apply equally to domestic and foreign commercial entities, international investors are disproportionately likely to feel the impact. This is because the headquarters for global corporations are invariably overseas and have other business interests in China that require them to move information to data-processing centres abroad.
The new law have frustrated many companies due to a combination of ambiguous language, stringent requirements and a lack of clarity in the implementation plan
This presents such companies with a higher operating cost as in order to comply with the new laws they must either use local data management centres or build their own facilities in China, with the additional need for more security and labour. Furthermore, this could result in administrative inefficiency as it increases the amount of time and adds to the complexity of retrieving and processing data.
Protection of commercially sensitive data or proprietary information is another major issue. Many foreign companies fundamentally mistrust the Chinese government’s intentions on the basis of its well-attested efforts to sponsor or instigate industrial espionage. Western governments, notably in Germany, the U.K. and the U.S., have accused China of using highly sophisticated means to access and steal advanced technological and engineering information from foreign firms in order to benefit its own national industries.