New Chinese Cybersecurity Law: A Step Backward?Experts Analyze Potential Impact of Measure Designed to Battle Cyberattacks
Western experts evaluating China's new cybersecurity law contend it will do very little to safeguard information but will erode privacy rights and make it harder for foreign enterprises to do business in China.
See Also: DevOps - Security's Big Opportunity
James Zimmerman, chairman of the American Chamber of Commerce in China, characterizes the new law - which takes effect next June 1 - "as a step backwards for innovation in China that won't do much to improve security."
The National People's Congress, China's rubberstamp legislature, enacted the law on Nov. 7, with Chinese officials contending the measure will help halt cyberattacks and prevent acts of terrorism.
"China is an internet power, and as one of the countries that faces the greatest internet security risks, urgently needs to establish and perfect network security legal systems," Yang Hequing, a parliamentary official, told reporters, according to Reuters.
Burden on Foreign Businesses
The law will require that personal information of Chinese citizens collected or generated in China must be stored in China. That's seen as placing a burden on foreign companies working in China.
"This, in essence, would mean a segregation of the global information system into one distinct system for China and one for the rest of the world," according to an analysis of the new law written by partner Gabriela Kennedy and counsel Xiaoyan Zhang of the law firm Mayer Brown JSM. "This could have a significant impact on multinational companies doing business in China, which inevitably need to share data internally and across borders on a daily basis. No exemptions seem to be envisaged by the new law except for the security assessment channel, which appears even more stringent than what data privacy regimes such as the EU have always had."
The Chamber's Zimmerman contends the law's restriction on cross-border data flow would furnish no security benefits but would create barriers to Chinese as well as foreign companies operating in industries where data needs to be shared internationally. "Some of the requirements for national security reviews and data sharing will unnecessarily weaken security and potentially expose personal information," Zimmerman says.
Much of the language in the law is vague, leaving its interpretation up to the State Council, China's chief administrative authority, which is headed by Premier Li Keqiang.
One example of this ambiguity is the term "critical information infrastructure." Although the law cites specific critical information infrastructure sectors - public communication and information services, power, traffic, water, finance, public service and electronic governance - it suggests other industries also could be deemed critical information infrastructure. Allowing the State Council to interpret the meaning of critical information infrastructure gives the government "considerable leeway to bring industries not specifically singled out in the definition into the scope of the legislation at a later stage," Kennedy and Zhang write.
Limiting PII Collection
Experts analyzing the law differ on the privacy protections it affords.
Christopher Mirasola, executive editor of the Harvard International Law Journal, says the law provides substantial individual protections by restricting the amount of personally identifiable information that can be collected, limiting how it can be transferred and giving an individual the right to request information be deleted if mishandled. "For this reason, some may welcome the law's implementation," Mirasola says.
On the other hand, the advocacy group Human Rights Watch describes the Chinese internet law as "abusive," contending it defines the term "information security" broadly enough to encompass information sharing that diverges from official narratives, where "preserving internet sovereignty" is the overachieving goal. "If online speech and privacy are a bellwether of Beijing's attitude toward peaceful criticism, everyone - including netizens in China and major international corporations - is now at risk," says Sophie Richardson, the group's China director. "This law's passage means there are no protections for users against serious charges."