China is beginning to implement a controversial cybersecurity law over the vocal objections of international business groups that contend it could hamper their operations in the country.
Billed as an effort to combat hacking and boost national security, the law is viewed by outside experts as a move by Beijing to both shield Chinese data from other governments and reduce dependence on technologies from the West.
“They do have legitimate cybersecurity concerns that were heightened with the [Edward] Snowden revelations,” said Adam Segal, director of the cyberspace policy program at the Council on Foreign Relations.
While some regard the law as a step forward for data protection in China, civil rights advocates fear it will lead to further restrictions on the country’s internet, which is already tightly controlled by the government.
Controversial elements of the law include measures that require companies to store national security-related data on servers in China. Other provisions subject some companies’ products and services to security reviews.
U.S. experts say the law could carry major implications for foreign companies doing business with and inside China.
The law goes into effect on Thursday, though the latest draft of regulations viewed by businesses indicates that provisions regulating cross-border data flows will not be enforced for 18 months, allowing a grace period for compliance.
In May, the Cyberspace Administration of China was pressed by more than 50 business organizations from the United States, Australia, Japan and elsewhere to delay the law’s entry into force.
The law has been in the works since 2015 and was approved by China’s parliament last November, after drafts were released in July 2015 and 2016 to solicit public comment.
Many observe that the law is written with vague language, making it difficult for multinational businesses to figure out which provisions could apply to them.
Specifically, the law institutes computer equipment security reviews and restrictions on cross-border data transfers for what are called operators of “critical information infrastructure,” which is broadly defined as infrastructure potentially affecting China’s national security.
The category is believed to extend across an array of sectors, including technology, financial services and manufacturing.
“We don’t really have a definition of critical information infrastructure,” said Yan Luo, a Beijing-based lawyer at Covington & Burling LLP who specializes in cybersecurity and international trade. “We assume … this will be a very selective group of companies that operate in key sectors in China.”
The law also sets forth data protection requirements for a more general category of network operators, comprising all owners, managers, and service providers of computer networks in China.
The law has spurred uncertainty among multinational corporations about whether they will be classified as operators of critical information infrastructure — and as a result subject to security reviews and required to store data on servers inside China.
Some fear that the security reviews — on which China has released few details — could involve companies being compelled to turn over source code or encryption keys.
“The concern is really that the scope of the Chinese security review might be too broad and obviously there are concerns of the [potential] abuse of this process,” Yan said. “The most common concern is: How do we know that my products or services will trigger this requirement?”
Enforcement of the security reviews, unlike the cross-border data flow requirements, will not be put off until next year.
The delay in enforcing the cross-border data flow provisions was welcomed by some business groups, which see it as an opportunity to further engage with Beijing to find ways to ensure the free flow of data across borders without compromising security.
“That’s a very encouraging sign,” said Aaron Cooper, vice president of global policy at BSA The Software Alliance. “Providing a grace period would allow there to be more input and provide more certainty.”
“Where we face forced data localization requirements, that inhibits the deployment of the best [artificial intelligence] tools and the best data analytics tools,” Cooper said.
Other groups are less optimistic.
“Our fear is that the new law and accompanying implementing measures, whether implemented tomorrow or a year from now, will add costly burdens, restrict competition and trade, and decrease the security of products and jeopardize the privacy of Chinese citizens,” a spokesperson for the U.S. Chamber of Commerce said.
Legal experts note that, regardless of the law’s controversial provisions, it does contain measures that move the ball forward on data protection and privacy for Chinese citizens.
“I don’t want to discount the concerns about protectionism and the difficulties companies face with data localization rules or possibly needing to pass new technology certification rules, but that’s only part of the story,” said Steven Chabinsky, a lawyer at White & Case LLP and former FBI cyber official.
“China’s new cybersecurity law is remarkable as well for its strong approach to promoting privacy rights, strengthening critical infrastructure, deterring cybercrime and protecting national security.”
Still, some suspect that the law could give Chinese companies a leg up over foreign competitors, which could trigger accusations that the country is violating existing trade agreements.
BSA and the U.S. Chamber of Commerce were part of a coalition of business groups that penned a May letter to the Cyberspace Administration of China appealing for a delay in the law’s implementation, raising concerns that its provisions would “effectively erect trade barriers along national boundaries” and bar companies that rely on information technology from the Chinese market.
“This is really kind of an industrial policy designed as cybersecurity,” said Claude Barfield, a former consultant to the office of the U.S. Trade Representative and an expert at the conservative American Enterprise Institute.
Beijing vehemently pushed back on that notion this week. “The purpose is to safeguard [China’s] national cyberspace sovereignty and national security … rather than to restrict foreign enterprises,” the Cyberspace Administration said on its website.
For now, experts and businesses are waiting to see final drafts of the implementing regulations that offer more information on how China will enforce the broad language of the law. It is unclear when these will be issued, but legal experts expect to see more in coming weeks and months.
“This is not certain, but we know there are ongoing efforts to draft regulations which may offer more practical guidance on who might be the operators of [critical information infrastructure],” Yan said.