China has green-lit a sweeping and controversial law that may grant Beijing unprecedented access to foreign companies’ technology and hamstring their operations in the world’s second-largest economy.
The Cyber Security Law was passed by the Standing Committee of the National People’s Congress, China’s top legislature, and will take effect in June, government officials said Monday. Among other things, it requires internet operators to cooperate with investigations involving crime and national security, and imposes mandatory testing and certification of computer equipment. Companies must also give government investigators full access to their data if wrong-doing is suspected.
China’s grown increasingly aggressive about safeguarding its IT systems in the wake of Edward Snowden’s revelations about U.S. spying, and is intent on policing cyberspace as public discourse shifts to online forums such as Tencent Holdings Ltd.’s WeChat. The fear among foreign companies is that requirements to store data locally and employ only technology deemed “secure” means local firms gain yet another edge over foreign rivals from Microsoft Corp. to Cisco System Inc.
“This is a step backwards for innovation in China that won’t do much to improve security,” James Zimmerman, chairman of the American Chamber of Commerce in China, said in an e-mailed statement after the law was passed. “The Chinese government is right in wanting to ensure the security of digital systems and information here, but this law doesn’t achieve that. What it does do is create barriers to trade and innovation.”
The decision on cybersecurity was revealed along with a raft of other announcements, including a ruling that barred a pair of elected Hong Kong localists from office and the surprise replacement of veteran official Lou Jiwei as finance minister.
Companies operating on Chinese soil rarely raise public objections to domestic policy for fear of repercussions, but much is at stake in a Chinese IT market Gartner puts at $340 billion. The draft law prompted more than 40 business groups from the U.S., Europe and Japan to pen a letter to Premier Li Keqiang this summer, arguing it would impede foreign entry and the country’s own growth. Parallel legislation governing the use of data for the insurance industry has also provoked objections.
The measures are part of a sweeping push under President Xi Jinping to control China’s internet, including the passage of a security law establishing “cyber sovereignty” and making the spread of rumors and defamatory posts a crime.
“The law fits international trade protocol and its purpose is to safeguard national security,” said Zhao Zeliang, director-general of the bureau of cybersecurity for the Cyberspace Administration of China. “China’s cybersecurity requirements are not being used as a trade barrier.”
China’s campaign to safeguard its infrastructure echoes post-Snowden efforts in Europe and elsewhere. The difference lies in how the vague language affords regulators leeway to expand their scope if needed, critics say. And it’s not just technology providers who’re concerned, but also any company that relies on foreign systems to run its business there. Broad or vague language casts uncertainty over the steps required for compliance, for starters, said Xiaoyan Zhang, an attorney with Mayer Brown LLP in Shanghai.
The requirement on certification could mean technology companies will be asked to provide source code, encryption or other critical intellectual property for review by security authorities. This is something Microsoft already does with its software, under controlled conditions.
The law also requires business info and data on Chinese citizens gathered within the country to be kept on domestic servers and not be transferred abroad without permission. That last condition hampers the operations of multinationals accustomed to a global Internet computing environment.
“A number of IT companies have really serious concerns. We don’t want to see barriers put up,” U.S. Deputy Secretary of Commerce Bruce Andrews told reporters during an October visit to Beijing. “Cross-border data flow has become increasingly important to trade and to companies in the way they operate every day.”
Some foreign companies may have already begun to ring-fence their Chinese data. In November, Airbnb sent an e-mail last week informing its Chinese users that their personal data will be transferred to servers within the country, “in accordance with Chinese laws and regulations.” It’s not clear if the move was in anticipation of the cybersecurity law. Airbnb didn’t respond to requests for comment.
The law may drive further business to local giants such as Huawei Technologies Inc or Lenovo Group Ltd., the world’s largest PC maker. Alibaba Group Holding Ltd.’s paying cloud customers had already doubled in the September quarter. Alibaba said in an e-mail it will ensure it’s compliant with relevant laws.
Not all see it this way. Advocates say the government will issue future regulations to clarify its scope and intent.
“The new law is to protect China’s cyber security and will not damage the interests and the normal operations of foreign companies,” said Ma Minhu, director of the Information Security Laws Research Center of Xi’an Jiaotong University.