China gives businesses 19 months to comply with controversial cross-border cyber data rules
Beijing gives grace period for foreign businesses to satisfy a controversial new law demanding critical information be stored on the mainland
China will delay enforcement for 19 months of part of its controversial cybersecurity law, after vigorous complaints from foreign businesses.
The Cybersecurity Law takes effect from Thursday but the Cybersecurity Administration, the government body responsible for overseeing it, said a grace period would be given for businesses to comply with cross-border data transfer regulations. That period starts on June 1 and continues until the end of next year.
The law was passed in November to “defend cyberspace sovereignty, national security and public interests”, according to the central government. But foreign companies and governments complained the law set unfair barriers, ran counter to World Trade Organisation rules, and lacked compliance details.
Michael Chang, vice-president of the European Union Chamber of Commerce in China, said some key areas of the law would have a huge impact on the way business was done on the mainland. “There are [still] uncertainties and unclarified terms,” Chang said.
One of the biggest concerns is the requirement that all critical data and the data from “critical information infrastructure” be saved on the mainland. Such information also has to be examined and assessed before being transferred out of the country.
A draft of the supporting regulations was released for public comment in April, while another draft measure on the definition of “critical information infrastructure” was released on Saturday. It is also not clear how such infrastructure will be protected.
The Cyberspace Administration met international stakeholders on May 19 and discussed the cross-border data movement regulations, offering the grace period, according to a document obtained by the South China Morning Post.
Chen Jihong, a partner at the Beijing-based Zhonglun Law Firm, said the decision to have a grace period might have been prompted by the absence of supporting regulations; the need for internal communication within relevant ministries and government departments; and the companies’ demands for more time to make the necessary changes.
Chen said the supporting regulations, including the cross- border data transfer rules, would probably be finalised later this year because Beijing was determined to enforce the law.
The Cyberspace Administration said the cross-border data flow measures were not meant to disrupt email, e-commerce or other commercial activity.
It also said the requirement that operators must stop transmitting “illegal information” would not jeopardise privacy or freedom of speech.
A partner at one international law firm said: “A number of people have questioned whether it is the right way to proceed, but as of now the requirement to store data in China still applies.
“The authorities indicate they haven’t sort through all of the implementations of the requirements, all of the difficulties that they present.
“Hopefully there will be some rethink of the regulation.”