By now, most are aware of The People’s Republic of China’s new Cybersecurity Law which took effect June 1, 2017, in efforts to improve national cybersecurity for the largest digital shopping and mobile/internet based financial service markets in the world. Intense discussions and debate continue within government offices, multinational businesses and human rights circles regarding the new law’s uncertainty and vague sets regulations. Enforcement of localization for foreign firms has been delayed until Dec 31 2018 to provide time for companies to prepare for compliance which will often include costly upgrades in efforts to meet tighter government scrutiny while still maintaining as much control as possible over intellectual property.
Considered by many as one of the most comprehensive legislation in Chinese history, the new law aims to tighten sovereignty over its public domain by collecting, controlling and storing corporate and personal information as it struggles to combat online fraud. Promoted as a public safety measure, its primary goal is to prevent external and internal attempts to “…spread violence, terror, false rumors, pornography and other hazards to national security, public safety, and social order.” Standardizing the collection and usage of personal data is a milestone in data privacy.
Under the law, strict measures will be enforced when assessing national security and cross-border transfer of information with specific mandates detailing all “personal data collected and generated by critical information infrastructures must be stored domestically. Additionally, any information and data collected and generated by critical information infrastructures outside of China’s mainland must be reviewed and assessed by the State Council authorities to discern the relevance of material to national security.”
In a nutshell, The PRC Cybersecurity Law is one of a series of laws and regulations published by a government concentrating all efforts to “protect the rights and interests of citizens, safeguard national security, and promote economic development through heightened network” via network audits, surveillance, and localization of all data. This specific aspect of the law concerns many multinational foreign companies currently operating in China, as it allows The PRC the legal right to access any/all perceived sensitive data of any company and personal information within its jurisdiction.
Opposition to the law, in its aggressive measure to control data and limit shared information, are concerned by its potential to impact trade, dull innovation and slow the global economy by making it harder to do business in China. Others point out the unfair edge many domestic companies now have under the law, as data storage and compliance appear tailored to nationalists. James Gong, a cybersecurity and data privacy senior associate at Herbert Smith Freehills in Beijing notes, “There is a historical precedent to support the potential for Chinese authorities to use the security law in ways that may slow trade.”
Interestingly, until recently The PRC did not have any data protection policy or agency in place, making its past efforts to enforce compliance, especially with foreign industry operating within its boards confusing, inconsistent and unpredictable. In the past, multinational companies experienced little interference in sharing data across varying communication platforms. Now, over sixty Internet regulations have been created, forcing compliance in the restructuring of cloud-based storage and information sharing platforms to allow the PRC full access and legal capacity to edit and monitor industry and personal Internet usage. With China’s new regulations, limits on how companies will market, communicate, plan and operate are subject to review.
As shared data continues to be a primary part to free trade in a global economy, new cross-border data flow restrictions concern many, as it will increase costs for foreign firms operating in China today. Additionally, opponents voice issues in the laws new mandate in the localization of data storage, especially when restricting its movement. Others and the cost it will have on the daily operations and control over intellectual property. Most notably, smaller companies will be pushed out of business, because they usually lack the economic means to readjust operation costs in accordance with new mandates.
The fact that China has been focused on gaining access to foreign companies’ technology for decades is not uncommon, but under the new law, many point to the PRC legal claim in governing of the collection, movement, containment of information and data as a game changer. With harsh restrictions on the transfer of any, if not all data outside of China, network access servers must be registered with the government to investigate and eradicate any perceived illegal business operations. The Ministry of Industry and Information Technology, in charge of distributing approved ICP serial numbers to approved sites, can reject any site considered a threat to disruption of China’s economic order with intent to “damage national unity.”
Localizing comprehensive data storage with total access worries business leaders and human rights advocates. Past arrangements between cloud service providers are no longer tolerated, forcing all non-Chinese cloud providers to either restructure or close down. Additionally, those who fail to comply with the PRC Cybersecurity Law guidelines will be subject to huge fines, potential suspension of operations and losing their business license.
James Zimmerman, Chairman of the American Chamber of Commerce in China believes the law is a “step backwards for innovation” as foreign businesses will scramble to adhere to such complex regulations in a less welcoming environment. Likewise, economists point out the expansive costs associated with restructuring cloud services large enough to handle the containment of data, noting large multinational companies will be able to manage the cost of compliance, but less fortunate companies who fail to meet the new regulations will be pushed out of the country, and that market.
Opposition from the United Nations High Commissioner of Human Rights views the law as having an extraordinarily broad scope in control over content and operations; requiring real-name information from its users to be handed over for law enforcement when/if necessary. This includes all VPN to be formally registered and monitored.
While those living, working or operating businesses within China domain are directly affected by China’s strict cybersecurity law, so too are online media outlets. The Cyberspace Administration of China (CAC) has begun enforcing tighter rules and regulations for online news portals and network providers by limiting and guiding online content and discussions. Primarily, the CAC enforces guidelines and strict regulations in what news agencies are allowed to produce and share online; assigning everyone approved a party-sanctioned editorial staff. This means, all information is edited; political, economic, military and diplomatic platforms or news sites, blogs, forum, search engines and instant messaging apps must be state approved prior to being released. And all network providers and all products used by people who might touch upon national security and public interest clear intense security reviews.
In an increasingly interconnected world, with varying governments flexing their power in regulating the movement of information to lessen potential national security risks, the weight of complying to the new law rests on foreign businesses and the hundreds of millions of Chinese citizens wishing to access its public domain. Those who fail to comply with the new PRC Cybersecurity Law will face harsh penalties, huge fines, and potential prosecution.
Today, all network owners, administrators, service providers and critical information infrastructures, including those based outside of China but operating networks inside of China, must allow full access to the Chinese government in their continued efforts to “protect national security and public interest.” Yet, market analysts note recurrent levels of uncertainty remain as companies who meet compliance and censorship standards are denied government approval.
Compliance and Implications: 3 key areas to consider:
- Procurement and processing of personal data of all corporations and persons living and working in China must remain in the country on government approved hosting sites. Companies that once enjoyed the flow of cross-border data are now required to host and storage of all data within Mainland China. Hosting in Hong Kong and other China Special Administrative Regions (SARS) are considered outside with respect to this law and therefore not in compliance.
- Use licensed host and cloud service providers approved by the Chinese government to operate in China. The Internet Data Centre Value-Added Telecom Service (“IDC VATS”) license enables those approved to sell Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), your provider will need to have this license.
- Existing partnerships with foreign companies outside of China are also required to comply with the new regulations in efforts to build a cohesive relationship between server and networking businesses. If you are an existing customer of an American or European Hosting or Cloud company, it would be good to double verify they and therefore you are in compliance.
- IDC VATS licenses are not available to foreign companies.
3. For any company local or foreign hosting a website of any kind within Mainland China, it is required to obtain an Internet Content Provider (ICP) License; a permit approved and issued by the respective Communication and Administrative body for each Province. Those without a government-approved permit or failing to comply will be blocked, face harsh fines, and, or even face a permanent online blackout in China.
- ICP’s are issued by each municipality, for example, Shanghai located companies would go to www.shca.org.cn and Beijing companies would go to www.bca.org.cn
- Each website will require the ICP number to be included at the bottom of the page like this example for www.Nike.cn (translation included).
Over the next 12 months, companies and individuals hoping to remain in operation in China must comply with the new law. In a global economy where the flow of data and shared information are key components to innovation and trade, opponents voice concern of China’s efforts to isolate information and technology from the rest of the world. Anxiety remains high as companies and individuals content to increasing costs in compliance to meet the new laws extensive restrictions, with the potential to limit trade and inhibit the introduction of new innovation.
While internet security is a global issue, China’s new law stands as a cornerstone for leading economies to build upon in efforts to control and mandate the exchange of intellectual knowledge and the procurement of private information. And while human right organizations and economic think tanks continue to translate the new law, the total scope in its efforts to “protect the sovereignty and public interest” may become a global norm.
My article was published on BBN Times on 14 December 2017
About the author
I am an Internet, Security, and Data Center Industry veteran and executive who has worked for several Internet startups to Fortune 150 in many different capacities from technical to business level roles.
Unless otherwise noted, opinions expressed are solely my own and do not express the views or opinions of my employer.