International business outrage at new Chinese cyber law
The law has created a storm among foreign business and human rights groups but Beijing has ploughed ahead regardless.
James Zimmerman, chairman of the American Chamber of Commerce in China, said: “We believe this is a step backwards for innovation in China that won’t do much to improve security. The Chinese government is right in wanting to ensure the security of digital systems and information here, but this law doesn’t achieve that. What it does do is create barriers to trade and innovation.”
Mr Zimmerman added that broad restrictions on cross-border data flows, for example, provide no security benefits but will create barriers to Chinese as well as foreign companies that operate in industries where data needs to be shared internationally (not least insurance).
hide
“Moreover, some of the requirements for national security reviews and data sharing will unnecessarily weaken security and potentially expose personal information,” he added.
The Cyber Security Law has been created by the The Standing Committee of the National People’s Congress (NPCSC). The law is set to become the first legislation enacted by the NPCSC that specifically deals with cyber networks in China, and in particular the supervision of network security.
It will reportedly give sweeping powers to the government, including widespread censorship and tight control over certain technologies.
According to news agency Reuters, the legislation was approved by China’s parliament and will take effect in June 2017. This is an “objective need” of China as a major internet power, a parliament official reportedly said.
When the second draft of the law was introduced back in July, international law firm Linklaters commented that this increased attention by China’s regulators to the country’s online ecosystem may not be surprising given reports, such as that by analysts eMarketer, that predict that the internet penetration rate among the Chinese population aged between 12 and 44 will grow to 90% by 2018.
Overseas critics of the law say it threatens to exclude foreign technology companies from various sectors deemed critical. It also includes contentious requirements for security reviews and for data to be stored on servers in China and provide encryption keys.
Technology firms argue this would mean they would be forced to pass on sensitive intellectual property to the government, in the name of security.
Back in August, some 46 global business groups from the finance, information technology, insurance and manufacturing sectors wrote to Chinese Premier Li Keqiang, urging him to revise the draft cyber rules.
The signatories included industry associations from Asia, Australia, the US, Mexico and Europe, according to Reuters.
The business groups said the draft regulations, as well as specific cyber rules proposed by the China Insurance Regulatory Commission (CIRC), include provisions for “invasive” government security reviews and “onerous” requirements to keep data in China.
“Trade-inhibiting security reviews” for information and communications technology products and services under the rules, may constitute technical barriers to trade under the World Trade Organization, the groups said in the letter, according to Reuters.
The letter reportedly stated that the new rules would “impede economic growth and create barriers to entry for both foreign and Chinese companies”.
“The current drafts, if implemented, would weaken security and separate China from the global digital economy,” the letter added.
Chinese officials say the cyber security rules, along with internet restrictions that include the ability to block foreign sites such as Google and Facebook, are needed to ensure security against growing threats such as terrorism.
The new rules first came to light as the CIRC revealed its planned cyber rules last year. These rules stipulate that insurance companies operating in China should prioritise buying “secure and controllable” products, including Chinese encryption technologies, hardware and software.
The regulations would also require all data for insurance products to be stored in China, and stipulate that any international data transfers be conducted according to CIRC regulations.
More than 20 foreign business lobbies, including the American Chamber of Commerce in China and the American Council of Life Insurers, wrote to the CIRC late last year, requesting that it amend the draft regulations, according to Reuters.
Mr Zimmerman at the America Chamber of Commerce in China added that this was actually a missed opportunity for China.
“In terms of improving security, this law is at best a missed opportunity, and some of the measures seem to emphasise protectionism rather than security. But one thing is for sure: the more difficult it is for data to travel across the Chinese border, the more difficult it will be for companies inside those borders to innovate, and China risks becoming isolated technologically from the rest of the world,” he said.
“The only silver lining here is that the government opened the law’s drafting process to public comment, although unfortunately most of the suggestions supplied by AmCham China and other chambers of commerce were ignored. Cybersecurity is too complex and dynamic for any government to tackle singlehandedly. It requires cooperation between the public and private sectors across national boundaries.
“AmCham China hopes that if the government is serious about both promoting innovation and ensuring data security, it will review the effectiveness of these measures sooner rather than later,” concluded Mr Zimmerman.