New Chinese cybersecurity laws create tensions with industry
by GRI
June 5, 2017
The Chinese Parliament approved a law, which went into force June 1, to increase cybersecurity by: forcing companies to store data that includes national security information on Chinese soil, instituting security reviews on computers in sectors such as finance or communications, requiring users to use real names on messaging services, and restricting international data transfers by “operators of ‘critical information infrastructure’,” which refers to infrastructure related to Chinese national security. The passage of this law has created a backlash among private companies due to the vagueness of the law and a dearth of information on implementation and enforcement. The Cyberspace Administration of China, China’s internet regulator, has delayed implementation of only the regulations related to cross-border data flow, until the end of 2018.
This law was proposed in 2015 and gained traction after the Snowden leaks revealed that private companies could help governments conduct cyber surveillance and spying. The final passage of the law closely followed the high-profile, global ransomware attack known as WannaCry, which this past May impaired the ability of PetroChina’s gas stations to execute credit card transactions.
Some companies, such as Airbnb, have reacted by pre-emptively complying and moving Chinese consumer data to servers on China’s mainland, in an effort to preserve their share of the $340 billion Chinese IT market. Other foreign industry groups and tech companies have come out in opposition to the law, fearing that the vagueness about which technology does and does not relate to cybersecurity will give the government broad leeway to arbitrarily “review” their technology. Further, companies are anxious that domestic firms would have a perpetual competitive advantage over foreign firms and that their intellectual property may not be secure in China, which has historically been weak on enforcing IP laws.
Steven Chabinsky, a former FBI cyber official, commented that, although the concerns raised by companies are legitimate, the law is “remarkable” for its efforts to protect privacy, critical infrastructure, and national security. Others argue that this law represents China catching up with global cybersecurity norms and practices, noting that China’s data industry has been lightly regulated in comparison to regulation in Europe and North America.