May 31, 2017

CHINA’S NEW CYBERSECURITY LAW LEAVES FOREIGN FIRMS GUESSING


By Sui-Lee Wee

President Xi Jinping spoke by video link to delegates at the World Internet Conference in Wuzhen, China, in November. The country is stepping up efforts to manage the internet within its borders. Credit: Agence France-Presse — Getty Images

BEIJING — As China moves to start enforcing a new cybersecurity law, foreign companies face a major problem: They know very little about it.

The law — which was rubber-stamped by the country’s Parliament last year — is part of wide-ranging efforts by Beijing to manage the internet within China’s borders. Those efforts have been stepped up in the years since Edward J. Snowden, the whistle-blower and former American intelligence contractor, revealed that foreign technology firms could help governments spy.

And while Chinese officials say the new rules will help guard against cyberattacks and prevent terrorism, critics, many of them from businesses, have their concerns. Companies worry that parts of the new law, which takes effect on Thursday, will make their operations in China less secure or more expensive. In some cases, they argue, it could keep them out entirely.

The law will have a big impact on how business is done in China, said Michael Chang, an executive with the Finnish technology company Nokia and the vice president of the European Union Chamber of Commerce in China. But, he said, “There’s unfortunately a lot of confusion.”

“Industry is not ready because the implementation rules are not clear,” Mr. Chang said, speaking at an event organized by the lobbying group to announce the results of its annual business confidence survey.

“We still have a lot of unclarified territory that needs to be addressed as soon as possible.”

The law would require that companies store their data within China, and would impose security checks on companies in sectors like finance and communications. Individual users, meanwhile, would have to register with their real names to use messaging services.

But Mr. Chang said that officials had conveyed “less than half” of the specifics of how the law would be implemented.

“A wide range of companies are doing data transfers — it’s the lifeblood of their business,” he said.

Executives have complained that the wording of the law is ambiguous, fearing that it gives China’s ruling Communist Party substantial leeway to target them.

One instance cited by Mats Harborn, president of the European Union Chamber of Commerce in China, in a round-table discussion with journalists, was that the government said it wanted to regulate “critical information infrastructure,” but had not defined what that meant.

“The way it’s enforced and implemented today and the way it might be enforced and implemented in a year is a big question mark,” added Lance Noble, the chamber’s policy and communications manager. He warned that uncertainty surrounding the law could make foreign technology firms reluctant to bring their best innovations to China.

In May, a coalition of business lobby groups representing European, American and Asian companies called on China to delay implementing the law, while the European Union Chamber of Commerce in China asked for additional time to allow companies to adhere because of the “substantial compliance obligations.”

The Cyberspace Administration of China, the country’s internet regulator, has so far decided to delay implementation only of the regulations governing cross-border data flow, which will now take effect at the end of 2018, according to a revised draft of the rules that was seen by The New York Times.

The regulator could not be reached despite multiple telephone calls.

Paul Triolo of the political risk consultancy Eurasia Group noted the decision to delay that component of the law, saying in a report last week that “getting the cross-border data flow issue right is a prerequisite for Beijing’s efforts to promote economic globalization.” He wrote that China, for the time being, “is eager to avoid being seen as stifling digital trade.”

The European Union and China plan to hold a summit meeting on Thursday in Brussels. Friction between them has mounted after the European Union imposed anti-dumping duties on Beijing, accusing it of flooding the European market with cheap steel.

Many foreign companies are becoming increasingly skeptical of China’s promises of economic reform. Mr. Harborn, the lobbying group president, said he expected European officials to complain to Premier Li Keqiang of China about unequal market access in the country for European companies.

The European Union Chamber of Commerce in China said that half the members who took part in its annual business confidence survey reported higher sales in China last year, thanks largely to a Chinese government stimulus package in the first half of the year. But 40 percent of respondents said they believed regulatory barriers would increase over the next five years.

Paul Mozur contributed reporting from Hong Kong. Carolyn Zhang contributed research from Shanghai.