CHINA’S NEW CYBERSECURITY law, which takes effect from June 1, purportedly makes the country more secure from cyberattack and gives citizens greater protection from misuse of their personal information.
But, like so much Chinese legislation, the new law is so broadly and vaguely defined that it potentially affects virtually any person or business that conducts business using a computer network.
The new law also stipulates that data collected in China must be stored in China and only China. The corollary is that data cannot be transferred abroad unless specifically authorised by authorities. Does accessing it from abroad fall foul of this?
If data proposed to be moved out of China contains the personal information of more than half a million users or is “likely to affect national security or social public interests”, then a security review is mandatory.
Although the law applies to domestic and foreign firms alike, it is this ‘sovereignty of information’ that is so troubling to foreign firms: multinationals, especially those now using global cloud services, will struggle to operate efficiently without breaching the law, while the requirement to cooperate with state security services and other government authorities to investigate crimes and cybersecurity issues raises potentially difficult questions about trade secrets and intellectual property rights. Beijing will have the right to request proprietary source code as part of security reviews.
Separate draft legislation announced in April also proposes that the government can demand what is called decryption support, in effect forcing companies to decode encrypted data, “in the interests of national security”.
Authorities have denied that the new law is protectionist, although Alibaba’s cloud services seem a likely commercial winner. Foreign businesses’ lobbying to delay implementation of the new cybersecurity law has been brushed aside. Getting involved to the extent they can in the writing of the implementation of the law is the best they can now hope for.
What is likely, however, is that the new law — like most laws, written to be vague and sweeeping to give authorities the greatest freedom of action in their implementation — will be selectively applied to foreign firms, if nothing else, to be a warning to others.