The Chinese Parliament approved a law, which went into force June 1, to increase cyber security by: forcing companies to store data that include national security information on Chinese soil, instituting security reviews on computers in sectors such as finance or communications, requiring users to use real names on messaging services, and restricting international data transfers by “operators of ‘critical information infrastructure’,” which refers to infrastructure related to Chinese national security. The passage of this law has created a backlash among private companies due to the vagueness of the law and a dearth of information on implementation and enforcement. The Cyberspace Administration of China, China’s internet regulator, has delayed the implementation of only the regulations related to cross-border data flow until the end of 2018.

(Image of Servers, Wikimedia/Victorgrigas)

This law was proposed in 2015, and gained traction after the Snowden leaks revealed that private companies could help governments conduct cyber surveillance and spying. The final passage of the law closely followed the high-profile, global ransomware attack known as WannaCry, which impaired PetroChina’s gas stations’ ability to execute transactions using credit cards this past May.

Some companies, such as AirBnb, have reacted by pre-emptively complying and moving Chinese consumer data to servers on China’s mainland, in an effort to preserve their share of the $340 billion Chinese IT market. Other foreign industry groups and tech companies have come out in opposition to the law, with fears that the vagueness of what technology does and does not relate to cyber security will provide the government broad leeway to arbitrarily “review” their technology. Further, companies are anxious that domestic firms would have a perpetual competitive advantage over foreign firms and that their intellectual property may not be secure in China, which has historically been weak on enforcing IP laws.

Steven Chabinsky, former FBI cyber official commented that, although the concerns brought about by companies are legitimate, the law is “remarkable” for its efforts to protect privacy, critical infrastructure, and national security. Other perspectives argue that this law represents China catching up with global cybersecurity norms and practices, noting that Chinese data industry has been lightly regulated in comparison to legal regulations in Europe and North America.

Sources and Further Reading:

  1. New cyber law in China stirs alarm – The Hill
  2. China’s New Cybersecurity Law Leaves Foreign Firms Guessing – New York Times
  3. China’s new cyber law just kicked in and nobody’s sure how it works – CNN
  4. Overview of China’s Cybersecurity Law – KPMG
  5. China’s cyber security law rattles multinationals – Financial Times
  6. Why China’s New Cybersecurity Law Is Bad News for Business – Fortune
  7. China postpones portion of cybersecurity law – NZHerald
  8. China’s Cybersecurity Law: What You Need to Know – The Diplomat
  9. China’s New Cybersecurity Law Could Cost Foreign Companies Their Ideas – Newsweek
  10. China Adopts Cybersecurity Law Despite Foreign Opposition – Bloomberg
  11. Japan and China wake up to global ‘ransomware’ cyberattack while Microsoft slams US government – The Telegraph