China’s Cybersecurity Law comes into effect on June 1 – that’s today. If you hadn’t a clue about this new law, you’re not alone. Tons of business and finance people didn’t know either, whether because they weren’t informed or because they simply don’t care. In fact, experts are as confused as the Chinese authorities, who have little information to share with the business community.
But the consequences are deadly, as failure to comply carries fines that could hit 1 million Yuan (US$150,000; £115,000; RM630,000) and potential criminal charges. The fact that China is ruled by the Chinese Communist Party means offenders would have little room to argue or debate their innocence and little choice but to pay, and could potentially be jailed.
The law – which was rubber-stamped by the country’s Parliament last year – is part of Beijing’s efforts to manage and control the internet within China’s borders. Under the pretext of helping to guard against cyber attacks and prevent terrorism, the Chinese bulldozed the law through even though they realize that the industry is not ready because the implementation rules are vague.
On the surface, the law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Therefore, the new law would require that companies store their data within China – on domestic servers – and would impose security checks on companies in sectors like finance and communications.
However, when asked what would be considered important or sensitive data, China couldn’t answer satisfactorily. The Chinese just said they wanted to regulate “critical information infrastructure,” but had not defined what that meant. In a nutshell, the Chinese government’s priority now is to collect all information – from locals and foreigners – into a central repository.
What the Chinese authorities plan to do with the data later is up to them. How they wish to massage and use the data is equally secret. The Chinese government statement says – “The law is not only for the legal protection for the interests of the masses in cyberspace, but also effectively safeguards national cyberspace sovereignty and security.”
While domestic companies have little choice but to comply, it’s a different story for foreign corporations currently doing business, or planning to do business, in China. Foreign companies with operations in China are facing two major issues with the new law – more expensive and less secure business operations.
Foreign firms typically store their data and information on their own local servers, managed by their own personnel. They normally need to transfer information outside of China back to their HQ for data validation and reconciliation. Because they’re foreign organizations, naturally they need to back up and protect their data outside of China, just in case.
With the new law, all hell breaks loose. All their sensitive business information is now at the mercy of local Chinese servers. This means the Chinese Communist Party can view, retrieve or copy such critical information whenever it wants. Essentially, foreign companies would be exposed to industrial espionage as state-owned companies could easily spy on those multinationals.
Even if foreign companies are willing to comply for the sake of making money in China, they’re now forced to spend more on data migration to a new platform, for which they might need to pay even more in monthly maintenance. Such dictatorship over data localization could make foreign technology firms reluctant to bring their best innovations to China.
Of course, China has its own reasons for such a law. As far as Beijing is concerned, the best way to protect Chinese data from foreign spying is by keeping everything within its borders, the same way its “Great Firewall” is keeping its own citizens from foreign influence. However, they’re perfectly fine with foreign data being spied on by the Chinese Communist Party.
It’s also a clever plan to create more tech jobs and businesses for the locals. With the implementation of the Cybersecurity Law, there would be great demand for data centres, cloud-related services, utility consumption, engineers, administrators, architects and whatnot. Suddenly, accessing and copying foreigners’ IP (intellectual property) has never been easier.
Back in 2015, the U.S. Director of National Intelligence estimated that Chinese hackers had stolen US$360 billion a year from the U.S. in intellectual property hacking alone. Hence, it’s not hard to understand why international business organizations argue that the new law is as good as requiring foreign companies to transfer their technology and to surrender their brand and operating control in order to do business.
Because China has little respect for human rights, let alone independent and democratic checks and balances, some argue there is no guarantee of how China will use the information it now has access to. Still, despite all the whining and bitching, foreign firms are expected to comply with the new law simply because China is the world’s second-largest economy – a market they cannot afford to lose.