Recent changes to the language of the law ahead of its 1 June implementation, such as a broader definition of those affected, could drag in a wider array of services and products. While industry groups are lobbying for a delay, the government is moving ahead.
China is bringing in a raft of new measures, giving the government unprecedented access to foreign companies’ technology, as it bolsters control of the collection and movement of data. Forcing companies to store information within the mainland has already led some to tap cloud computing providers with more local server capacity, a potential boon to homegrown Alibaba Group Holding Ltd. and Tencent Holdings Ltd. at the expense of Amazon.com Inc. and Microsoft Corp.
“Almost all our companies are making moves to ensure that the majority of the data they collect in China is stored on servers located within China,” said Jake Parker, vice president of the US-China Business Council in Beijing. “It’s not just the technology companies – it’s financial services, semiconductor manufacturers, every sector of business in China, that’s impacted.”
One organization that could feel the pinch of the regulations is GreatFire.org, which monitors blocked websites in China and helps users behind the nation’s controls. The nonprofit creates copies of banned sites hosted outside the mainland, putting them on Amazon Web Services cloud servers to circumvent government restrictions known as the Great Firewall.
“Our strategy would collapse because if foreign businesses host all of their data in China, they would face minimal disruption if the authorities cut off access to the foreign internet,” said GreatFire.org founder Charlie Smith.
Alibaba said in a statement it follows “all local laws where we conduct our business.” Microsoft declined to comment, Tencent couldn’t immediately comment and Amazon didn’t immediately respond to a request for comment.
In addition to the restrictions on moving data beyond the mainland, provisions in the law include a more comprehensive security-review process for key hardware and software deployed in China and a requirement to assist authorities conducting security investigations.
While individual firms in China rarely speak out publicly against government policy, more than 50 trade associations and chambers of commerce signed a letter in May to the government seeking a delay. They argued that the law could impact billions of dollars of cross-border trade and lock out foreign cloud operators because of limits on how they operate in the country.
“These measures will add costly burdens, restrict competition and may decrease the security of products and jeopardize the privacy of Chinese citizens,” according to the letter from bodies representing businesses based in the U.S., Europe, Japan, Korea, Australia, and elsewhere.
While foreign firms are pushing for change, the law has support from some domestic experts, such as Li Yuxiao, a professor who studies internet regulation at Beijing University of Posts and Telecommunications. He sees secure information systems as integral to protecting the economy while also placing value on domestic operating systems over foreign products.
“Cyber security is crucial to national security,” he said.
The National People’s Congress’s Standing Committee passed the law in 2016 ahead of its implementation, giving companies and others time to adjust. Subsequent language published by the government “expanded the scope of a law that was considered quite onerous to begin with,” said Gabriela Kennedy, a Hong Kong-based partner of Mayer Brown JSM.
For example, rules limiting the transfer of data outside China’s borders originally applied only to “critical information infrastructure operators.” But that was changed mid-April to “network operators,” which could mean just about any business.
“Even a small e-business or email system could be considered a network,” said Richard Zhang, director of KPMG Advisory in Shanghai.
Another provision requires IT hardware and services to undergo inspection and verification as “secure and controllable” before companies can deploy them in China. That appears to be already tilting purchasing decisions at state-owned enterprises.
“We’ve heard from our members that domestic banks and SOEs are being much more thoughtful about purchasing domestic technology, and shifting away from foreign products - despite the fact that there’s no specific requirement for them to do so,” said Parker.
While the law affects all companies in China, it’s expected to hit the foreign firms the hardest. That is because they typically have more businesses, headquarters and data-processing centers overseas with a greater need to move information outside the mainland, according to Scott Thiel, a Hong Kong-based partner at DLA Piper.
Sophisticated or widespread cyberattacks, such as the recent WannaCry ransomware attack that exploited versions of Microsoft Windows, may bolster the government’s resolve.
“We can assume that Chinese leadership will use it as an example of why China needs its own technology and cannot continue to rely on foreign suppliers,” said Adam Segal, Director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations in New York.
Just days before China’s new Cybersecurity Law goes into force, foreign companies are grappling with rules that could tighten what is already one of the world’s most restricted technology regimes.