In stark contrast to Europe’s recently implemented General Data Protection Regulation, which seeks to protect individual rights and rein in the actions of large corporations on the internet, China’s cybersecurity law, implemented a year ago, offers an alternative vision of how nations may choose to apply cybersecurity laws in the future.
China’s law is applicable to almost all businesses in China that manage their own email or other data networks, and includes “critical sectors” of the Chinese economy, including communications, information services, energy, transport, water, financial services, public services, and electronic government services. Any company that is a supplier or partner with firms in these sectors may also be subject to the law.
The law requires network operators to cooperate with Chinese crime or security investigators and allow full access to data upon request. It also imposes mandatory testing and certification of computer equipment for network operators in critical sectors.
These tests and certifications require network operators to formulate internal security management systems and implement network security protections, adopt measures to prevent viruses and other (unspecified) forms of cyberattack, monitor and record the operating status and security of their networks, and undertake data classification, backups of important data, and encryption.
On the one hand, these security measures form part of what might be considered “best practice” recommendations for firms that gather and store important company and client data. On the other hand, the law requires network operators in critical sectors to store within China all data that is gathered or produced in the country.
It also requires business information and data on Chinese citizens gathered within China to be kept on domestic servers and not transferred abroad without permission. This includes a ban on the export of any economic, technological, or scientific data that could pose a threat to national security or the public interest (with a broad interpretation of what that might be).
Foreign investors in China could be asked to provide source code, encryption, or other crucial information for review by the government, increasing the risk of this information being lost, passed on to local competitors, or kept and used by the government itself. Article 9 of the law states that “network operators must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility”.
The vagueness of this provision, as well as undefined concepts of national security and public interest contained within the law, increases the government’s grounds to assert the need for investigation, and reduces a foreign company’s ability to contest a government demand for data access.
Spot checks can be initiated at the request of the government or a trade association, meaning domestic competitors can request spot checks on foreign firms.
To comply with the data localisation requirements, foreign firms must either invest in new data servers in China – which would, of course, be subject to government spot checks – or incur new costs to hire a local server provider (such as Huawei, Tencent or Alibaba, which have spent billions of dollars in recent years establishing domestic data centres).
The substantial investment by these Chinese technology firms is one of the reasons critics of the law believe it is partly designed to bolster the domestic Chinese data management and telecommunications industry against global competitors. An alternative explanation is that the requirement is a legal move by Beijing to bring data under Chinese jurisdiction, to make it easier to prosecute entities seen as violating China’s internet laws.
Prior to implementation of the law, a foreign firm would monitor its energy turbines in China from its headquarters, using its real-time global data to optimise operations, and a provider of global online education would send data on Chinese users overseas to allow them to access its courses abroad. Now such firms must reconfigure their IT systems to keep such data inside China.
Critics worry that the law could be a Trojan horse designed to boost China’s policy promoting indigenous innovation. Other foreign technology firms worry they will eventually be forced to divulge intellectual property to government inspectors.
While at first glance the law appears to give the Chinese government and Chinese companies a built-in advantage, China’s companies and its consumers may lose out in the end.
Although many of the companies that operate in China will comply with the law and enforce its burdensome regulatory requirements, some foreign firms will no doubt decide they have had enough and leave the country. If that occurs, it will hurt Chinese consumers by creating a less vibrant and less competitive marketplace.
China’s cybersecurity law is masquerading as an attempt to enhance cybersecurity but it is so much more. The danger is that other countries may adopt a similar approach, in a brazen attempt to gain commercial advantage for indigenous firms, while clearly crossing a legal and regulatory boundary that far surpasses what is required.
China’s and the EU’s laws mark the two ends of the cybersecurity legal pendulum’s swing. Given the evolving state of internet law, it is anyone’s guess whether the majority of the world’s countries will adopt the Chinese or the European Union model, but given the current strength of economic nationalism, and the compliance challenges associated with the EU law, Beijing’s approach may well prevail.