China's Ambiguous, Overreaching Cybersecurity Law

China's new regulations are implementing one of the strictest approaches to cybersecurity and data privacy worldwide. The Cybersecurity Law (CSL) came into effect June 1st, despite protests from numerous interest groups calling for changes or delays.

Critics cite vague, ambiguous laws combined with a lack of guidance, and unfavorable conditions for foreign companies. Amnesty International and other human rights organizations sharply denounced the strengthening of censorship and surveillance under the new law.

Two related and troublesome components of the CSL are a requirement for data to be stored in China and the regulation of cross-border data transfers. Foreign companies regard data localization as an unfair burden, requiring them to maintain separate storage for Chinese data. It is also thought to be a hindrance to trade, and to make it difficult or impossible for all but the largest companies to do business in China.

A group of 40-plus business organizations from the EU, Asia, and the US asked Chinese officials to make significant changes to the law, particularly regarding cross-border data transfer, but it came into effect unchanged. Now, however, the urgency to enforce data transfer restrictions is off, with compliance pushed back to Dec 31, 2018.

But foreign business groups are not being credited with securing the delay. Rather, domestic companies, particularly tech companies, are concerned the restrictions will hamper their ability to expand outside their borders. China is focused on economic globalization and the flow of data across borders is essential for that growth. It will be interesting to see how the application of aspects of the law evolves.

In some ways the CSL is reasonable: it consolidates a hodgepodge of outdated laws which left China far behind global standards and best practices for data protection and cybersecurity. The law outlines consent requirements for collection and use of personal data, requires measures to protect data, allows people to request deletion of their data, and introduces mandatory breach notifications and potential fines.

But then it goes too far.

Companies will have to submit to inspections of their systems and products, and must meet vague criteria to earn certifications necessary to conduct business. Nebulous provisions leave companies vulnerable to investigation for violations of rules impossible to comply with because they are so unclear.

The law gives the Chinese government unprecedented access to and control of foreign companies operating in China. This includes potentially demanding access to source code or encryption keys. Other fears include using the laws to favor a domestic company over a foreign competitor.

The government can at any time initiate a spot check of a company. There are at least four different Chinese government agencies empowered to conduct security audits, but the criteria to be met are not known. Obviously the reviews can be used to block market access or for political reasons.

Trade organizations can also initiate a spot check. This leaves foreign companies vulnerable to the whims of domestic competitors and the potential for theft of trade secrets or tech innovations.

Companies must fully cooperate with authorities by turning over data on "troublemakers" upon request. Providers of services such as internet access, mobile phones, messaging platforms, and social media must require users to provide real identity info when they sign up.

The multinational tech giants have been planning ahead for years now, spending millions to placate the Chinese government and situate themselves to best advantage. Smaller companies with fewer resources may find themselves locked out of the enormous and lucrative Chinese market.

But even the giants with all their millions of investments are on uncertain footing. This revealing article describes the outlandish hoops companies like Microsoft, HP, and Cisco have been jumping through as they jockey for advantage. Those efforts include investing millions, with the promise of billions to come.

China is known for crafting vague laws and regulations. This is advantageous in two main ways. First, they can interpret those laws as they choose, depending on each circumstance, adapting to get the results they desire. And second, they often want to see how the broadly drawn regulations play out, and then refine the specifics with later decrees.

At this point much mystery remains on how the Cybersecurity Law will ultimately shape business.
