As a contrast to Europe’s General Data Protection Regulation, which seeks to protect individual rights and rein in the actions of large corporates, China’s Cybersecurity Law provides an alternative vision about how nations may choose to apply the law toward cyberspace in the future. China’s Law requires network operators to cooperate with Chinese crime or security investigators, allow full access to data, and unspecified “technical support” to the government upon request.
The Law also imposes mandatory testing and certification of computer equipment for critical sector network operators. These tests and certifications require network operators to formulate internal security management systems and implement network security protections, adopt measures to prevent viruses or unspecified forms of cyberattacks, monitor and record the safety of a network, and undertake data classification, back-ups of important data, and encryption.
On one hand, these security measures form part of what might otherwise be considered best practice recommendations for firms that gather and store important company and client data. On the other hand, the Law requires network operators in critical sectors to store within China all data that is gathered or produced by the network operator in the country. It includes a ban on the export of any economic, technological, or scientific data that could pose a threat to national security or the public interest (with a broad interpretation of what that might be).
International law firms have noted that companies have been asked to provide source code, encryption, or other crucial information for review by the government, increasing the risk of this information being lost, passed on to local competitors, or kept and used by the government itself. Article 9 of the Law states that “network operators must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility.”
The vagueness of this provision, as well as undefined concepts of national security and public interest contained within the Law, increases the government’s grounds to make wide assertions about the need for investigation, and reduces a foreign company’s ability to contest a government demand for data access. Spot checks can be initiated at the request of the government or a trade association, meaning domestic competitors can request spot checks on foreign firms.
To comply with the data localisation requirements, foreign firms must either invest in new data servers in China—which would be subject to government spot checks—or incur new costs to hire a local server provider (such as Huawei, Tencent, or Alibaba, which have spent billions of dollars in recent years establishing domestic data centres). The substantial investment by these Chinese technology firms is one of the reasons critics of the new law believe it is partly designed to bolster the domestic Chinese data management and telecommunications industry against global competitors.
An alternative explanation is that the requirement is a legal move by Beijing to bring data under Chinese jurisdiction to make it easier to prosecute entities seen as violating China’s Internet laws. When combined with China’s National Security Law, which can deem almost any action taken by a domestic or foreign firm a national security threat (with corresponding penalties), companies’ actions are severely restricted, and they must essentially hand Beijing the keys to their kingdom if they wish to continue to operate there.
Prior to implementation of the Cybersecurity Law, a foreign firm would monitor its energy turbines in China from its headquarters, using its real-time global data to optimise operations, and a provider of global online education would send data on Chinese users overseas to allow them to access its courses abroad. Now such firms must reconfigure their IT systems to keep such data inside China. Critics worry that the new law is a Trojan horse designed to promote China’s aggressive policy of indigenous innovation. Some foreign technology firms worry that they will be forced to divulge intellectual property to government inspectors, with no knowledge of or control over what may happen to the data once it is released.
In 2017, Apple announced it was setting up its first data centre in Guizhou, China in order to comply with the new Law. Apple put a public relations face on the move, stating that it would allow the company to improve the speed and reliability of its products and services, while also complying with China’s new regulations, which require cloud services be operated by Chinese companies. Apple was the first foreign firm to announce amendments to its data storage for China following the implementation of the new law. It insisted that no “back doors” would be created into any of its systems. That month, Apple also silently removed VPN apps from its app store in China, which had given Chinese citizens the ability to access the unfiltered Internet.
While at first glance the Law appears to give the Chinese government and Chinese companies a built-in advantage—given that interest in investing in China is strong and is likely to remain so well into the future because of the size of the domestic marketplace—China’s companies and its consumers may lose out in the end. While many of the companies that operate in China will accede to “moving legal goal posts” by implementing the Cybersecurity Law and enforcing increasingly burdensome regulatory requirements, some foreign firms will no doubt be pushed to the brink, decide they have had enough, and leave the country. If that occurs, it will hurt Chinese consumers by creating a less vibrant and less competitive marketplace.
China’s Cybersecurity Law is masquerading as an attempt to enhance cybersecurity, but it is so much more. The danger is that other countries may adopt a similar approach, in a brazen attempt to gain commercial advantage for indigenous firms, while clearly crossing a legal and regulatory boundary that far surpasses what is required to be considered consistent with best practices. That has already occurred in countries across the world where China has shared its surveillance methodology, especially in Africa.
So there are two sides of the cybersecurity legal pendulum—the Chinese version and the EU version. Given the evolutionary state of the cyber landscape, the reactive nature of the legal regime, and that best practices constitute a moving target, it is anyone’s guess in which direction the cyber legal sphere will move in the longer term. The Chinese model may well prevail. Chinese companies, and foreign companies operating in China, have already succumbed to the new normal.
China has become masterful at establishing new boundaries for what constitutes the latest version of the new normal. It crosses existing lines of acceptable behaviour, withdraws briefly, then crosses it again and again with success, until a new line has been established. That is what it is in the process of doing in the cyber arena. The looming danger is that more countries subscribe to the Chinese model, and more global companies have little choice to but to comply if they desire to continue to operate internationally. That paints a very dark picture for our collective future.
Daniel Wagner is CEO of Country Risk Solutions and author of the new book China Vision.