The New Cybersecurity Requirements Of Doing Business In China

Doing business in China is always a rollercoaster — and for Internet businesses, the ride just became more thrilling.

The Chinese government has rolled out new cybersecurity laws, which begin affecting foreign companies today, June 1, 2017. The new rules give the Chinese government more control over Internet companies. The government says that the rules are designed to help address threats caused by terrorists and hackers – but the terms are broad enough to confuse anyone doing business in China.

Two of the biggest requirements of the new legislation:

  • Companies that do business in China must store all data related to that business, including customer data, within China.
  • Consumers must register with their real names on retail sites, community sites, news sites, and social media, including messaging services.

According to many accounts, the wording of the new law is too ambiguous to assure compliance. Perhaps the drafters were careless, or lacked an understanding of technical issues. However, it’s possible that the ambiguity is intentional, to give Chinese regulators room to selectively apply the new laws based on political or business objectives. To quote coverage in The New York Times,

One instance cited by Mats Harborn, president of the European Union Chamber of Commerce in China, in a round-table discussion with journalists, was that the government said it wanted to regulate “critical information infrastructure,” but had not defined what that meant.

“The way it’s enforced and implemented today and the way it might be enforced and implemented in a year is a big question mark,” added Lance Noble, the chamber’s policy and communications manager. He warned that uncertainty surrounding the law could make foreign technology firms reluctant to bring their best innovations to China.

The government organization behind these laws, the Cyberspace Administration of China, offers an English-language website.

Keep Local Data Local

The rules state that companies that store data relevant to Chinese customers overseas without approval can have their businesses shut down – and all businesses operating in China must provide technical support to the country’s security agencies in order to investigate anything that the authorities claim threatens national security or might represent a crime.

According to the South China Morning Post, the new rules can affect nearly any company that moves data:

For example, rules limiting the transfer of data outside China’s borders originally applied only to “critical information infrastructure operators”. But that was changed mid-April to “network operators,” which could mean just about any business.

“Even a small e-business or email system could be considered a network,” said Richard Zhang, director of KPMG Advisory in Shanghai.

Another provision requires IT hardware and services to undergo inspection and verification as “secure and controllable” before companies can deploy them in China. That appears to be already tilting purchasing decisions at state-owned enterprises.

Compliance Will Be Tricky

According to a report on CNBC,

The American Chamber of Commerce in Shanghai has called the data localization and data transfer regulations “unnecessarily onerous,” with a potential impact on cross-border trade worth billions of dollars.

Multinationals may be better equipped to take on the cost of compliance, but “a lot of the small and medium sized companies may not be able to afford to put in the control that the Chinese government is asking for, and if they can’t put in those controls, it may actually push them out of that country and that market,” said James Carder, vice president of cybersecurity firm LogRhythm Labs.

It’s clear that, well, it’s not clear. There do seem to be legitimate concerns about the privacy of Chinese citizens, and about the ability of the Chinese government to examine data relevant to crime or terrorism. It’s also true, however, that these rules will help Chinese firms, which have a home-court advantage – and which don’t face similar rules when they expand to the rest of Asia, Europe or North America. To quote again from CNBC:

While Chinese firms are also subject to the same data localization and transfer requirements — a potential challenge as many domestic companies are going global — experts said the regulation could help China bolster its domestic tech sector as more companies are forced to store data onshore. But that could mean continued uneven market access for foreign versus Chinese companies, which is also a long-time challenge.

“The asymmetry between the access that Chinese companies enjoy in other markets and the access foreign companies have in China has been growing for some time,” said Kenneth Jarrett, the president of the American Chamber in Shanghai.

One example is that Chinese firms usually can fully own and control data centers and cloud-related services around the world without foreign equity restrictions or technology transfer requirements, but foreign cloud companies in China don’t enjoy the same environment.

The opportunities are huge, so Internet firms have no choice but to ride that rollercoaster. Strap in, it’s going to be a wild ride.