Apple’s removal of VPN apps from its app store in China could signal a difficult road ahead for companies doing business there. In March 2017, we posted a summary of China’s new cyber security law (Law) that went into effect on June 1, 2017. Now, less than one month later, Apple announced over the weekend that it had “been required to remove some VPN apps in China that do not meet the new regulations,” according to Carolyn Wu, Apple’s China spokeswoman.

Many entities in China turned to virtual private networks (VPN) to get around what is commonly referred to as the “Great Firewall,” to access sites and content banned by the government. It is unclear whether this move by Chinese regulators is a direct result of the provisions in the Law that allow the government to conduct security reviews of technology products that could affect national security. Requiring Apple to remove VPN apps does, however, indicate that stricter internet controls will likely persist and may make doing business in China increasingly difficult.  

Apple’s statement clarified that users who have billing addresses outside of China still have the ability to download the banned VPN apps from other territories’ app stores. It also placed some of the blame on software developers, noting that the Chinese government announced earlier this year that all developers offering VPNs needed to obtain a government license. But these statements provide little comfort to companies struggling to comply with the Law’s requirements and enforcement mechanisms, which critics have (rightfully) condemned as vague and ambiguous.

Strict enforcement of the Law could lead some companies to pull out of the Chinese market if compliance becomes too burdensome. For firms, like Apple, that have large operations in China, the importance of the Chinese market to their bottom lines has influenced some entities to take early steps to comply, for example, with the Law’s stringent data localization requirements (companies have been provided with a grace period until 2018) – Apple announced that it planned to establish its first data center in China. But Chinese regulators’ stepped-up enforcement may lead other companies with smaller operations to conclude that the cost of compliance is too high.