Bloomberg and others have long reported China’s intention to purge most outside technology from its banks, military, state-owned enterprises, and key government agencies by 2020. The government has a history of restraining or forcing out foreign tech companies through regulation and directly subsidizing purchases of homegrown technology.
This nationalist tech business strategy is often folded under the cybersecurity umbrella. As of June 1, 2017, the Cybersecurity Law of the People’s Republic of China (CSL) has come into effect, governing data privacy and security. The law imposes data localization, government security reviews, and restrictions on cross-border transfers. According to analysts at Morrison & Foerster, “many of the CSL’s key provisions are broadly drafted and omit critical details, making it difficult for companies to determine whether the provisions apply to them and, if so, how to comply.”
Chinese Prime Minister Xi Jinping has claimed there is a cybersecurity “double standard” where the U.S. is concerned. Some large Chinese technology companies have found it hard to do business in the U.S. market. In the meantime, it has been estimated that over 80% of all information thefts targeting American businesses emanate from China.
Has China stepped over the line with its wide-ranging new cybersecurity laws? They come on top of existing requirements that telecommunications and Internet companies operating in China provide extensive technical assistance to government agencies conducting investigations—a measure that may include decryption of sensitive user data.
- Requiring companies to get security certifications for network hardware and software might be used to obtain security keys and access to proprietary technology, which in turn could potentially find its way to government-owned companies.
- “Real-name” provisions would require instant messaging users to register their actual names and personal information, a move that obviously encourages more self-censorship online.
- Data localization would force information infrastructure operators to store citizens’ data within China’s borders, creating greater government control and enforcement.
- Content deemed to encourage “overthrowing the socialist system” and “fabricating or spreading false information to disturb economic order,” among others, would be criminalized, increasing the power of the state to limit online speech.
Morrison & Foerster recommends that companies operating in China thoroughly review their data privacy policies and practices regarding cross-border transfers of personal information, including remote access to data by parties overseas. It’s also a good idea to refresh “dawn raid” protocols for responding to visits from government authorities.
Like the EU, USA, and other global actors, China is flexing its regulatory and national security powers to address the threat of cyber-attacks in an increasingly interconnected world. As the National Law Review points out, navigating the potential liabilities of China’s Cybersecurity Law now, rather than later, can relieve the regulatory burden of complying with similar mandates that could soon find international support.