China pushes through cybersecurity law despite foreign business fears
Overseas companies say requirements to store data in China and undergo ‘security reviews’ pose threat to their intellectual property and security
China has adopted a controversial cybersecurity law to tighten control over the internet, triggering concerns from foreign businesses and rights organisations.
The law was passed yesterday by the standing committee of the national legislature and will come into effect in June next year.
“China is an internet power and as one of the countries that faces the greatest internet security risks, it urgently needs to establish and perfect network security legal systems,” committee official Yang Heqing said.
Contentious provisions include demands that “operators of critical information infrastructure” store personal information and important business data in China, provide unspecified “technical support” to security agencies and pass national security reviews. Those critical areas include information services, transport and finance.
Firms that store or provide internet data overseas without approval could have their business suspended or shut down and their business licenses revoked.
They are also required by law to provide technical support and assistance to police and national security agencies “safeguarding national security and investigating crimes”.
The demands have raised concern within foreign companies that they would have to hand over intellectual property or open back doors in products to operate in China.
James Zimmerman, chairman of the American Chamber of Commerce in China, said the law was a step backwards for innovation in China and would do little to improve security.
Broad restrictions on the flow of cross-border data provided no security benefits but would create barriers to Chinese and foreign companies operating in industries where data needed to be shared internationally, Zimmerman said.
Jacob Parker, vice-president of China operations of the US-China Business Council, said the council was concerned the definition of “critical information infrastructure operators” had expanded from previous drafts and could be widened further. He said this related directly to the types of data and information that needed to be localised in China.
Members feared they could be required to disclose source code or adopt domestic encryption standards that had not been reviewed by international encryption review bodies, he said.
“All these implications go far beyond foreign companies in China. It affects all players in the market,” Parker said.
The European Chamber of Commerce said the overall lack of transparency over the last year surrounding the significant and wide-reaching legislation had created much uncertainty and negativity in the business environment.
Human Rights Watch said elements of the law, such as criminalising the use of the internet to “damage national unity”, would further restrict online freedom.
“Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes,” Sophie Richardson, China director at Human Rights Watch, said