Insights & Analyses

China’s sweeping Cybersecurity Law takes effect, foreign tech firms still in the dark

June 1, 2017

China’s far-reaching Cybersecurity Law officially enters into force on June 1, but for many international technology companies the new rules are leading to many more questions than answers.

The law, originally approved in November of last year, is the country’s first formal cyber-governance framework. It imposes a series of new regulatory obligations on companies, network providers, and individuals using the internet in China. Despite a subsequent clarifying resolution, though, the rules emphasize scope over clarity, and many international business leaders fear that its vague wording will leave them subject to heavy compliance costs and unpredictable legal consequences.

“The situation is still a lot of uncertainty and unclarified terms,” Michael Chang, vice president of the European Union Chamber of Commerce, told ABC News. “We still see a lack of tangible rules for business to follow.”

In particular, the Cybersecurity Law requires that companies undergo compulsory review of network equipment, forces firms to make their products available to authorities as needed for national security investigations, and restricts cross-border information transfers. The text offers little detail regarding what types of companies and information will be included under this new regulatory umbrella, but the rules as written could give the Chinese Communist Party nearly unfettered access to firms’ proprietary information and pose significant obstacles to international business transactions.

“We believe this is a step backwards for innovation in China that won’t do much to improve security,” said James Zimmerman, Chairman of the American Chamber of Commerce in China, in a statement responding to the law’s initial approval. “The Chinese government is right in wanting to ensure the security of digital systems and information here, but this law doesn’t achieve that. What it does do is create barriers to trade and innovation.”

Earlier this month, a coalition of more than 50 global business organizations sent an open letter to China’s Central Leading Group for Cyberspace Affairs, condemning the legislation and pointing out that some sections may be inconsistent with China’s obligations as a member of the World Trade Organization. They urged that implementation be postponed until the government can provide more clarity.

The Chinese government has rejected these concerns, arguing that the new rules are a step forward for national security, “internet sovereignty” and citizen privacy. Official media has also touted the statute’s stricter rules governing personal data collection and sharing as a victory for civil rights.

“It does not restrict foreign companies or their technology and products from entering the Chinese market, nor does it limit the orderly, free flow of data,” the Cyberspace Administration of China said in a statement to Xinhua. “China is entitled to make laws and rules to regulate its cyberspace sovereignty following international practice.”

Despite these protestations, Chinese authorities appear to have at least temporarily bowed to international pressure. On May 31, just one day before the Cybersecurity Law was slated to take effect, companies were informed that enforcement of the particularly contentious data transfer portion of the law would be delayed by 18 months until December 31, 2018. No official rationale was provided for the postponement.

With the rest of the law taking effect this week, however, international tech firms will have to learn to navigate a shifting and increasingly inhospitable regulatory regime in order to access the Chinese market and its nearly 1.4 billion consumers.