China has moved to start enforcing its new cybersecurity law as of Thursday, June 1, but the impact of the rules on foreign firms remains to be seen. The law was originally promulgated November 7, 2016 (as King & Spalding previously reported) and serves to increase the Chinese government’s control over domestic internet security. Companies are concerned that Beijing has not provided sufficient detail about how the wide-reaching law will be implemented, especially as failure to comply could result in up to 1 million yuan (about $150,000) in fines or even criminal charges.
The cybersecurity rules require businesses to store data in China if they operate in “critical” areas, to inform and provide “technical support” to the Chinese government in the event of data breaches, and require users to register with their real names and personal information, as well as censor “prohibited” content. However, the wording of the law is ambiguous. For example, “critical” information infrastructure has not been clearly defined. Additionally, although the law allows China to conduct security reviews of technology products that could affect national security, it is not clear what kinds of products or potential trade secrets might fall under this definition. The Cyber Administration of China, the country’s internet regulator, is still working on defining the new rules and standards, even though the law has already taken effect.
Businesses worldwide have expressed concerns that the current regulations would weaken security and separate China from the global digital economy. For example, requiring businesses to store data in China could actually increase the risk of data theft to the extent that it requires businesses to develop new, costly, and potentially less secure infrastructure within China to store the data. In response to business concerns, the Cyberspace Administration of China has opted to delay implementation only of the rules governing cross-border data flow until the end of 2018. As the rest of the cybersecurity law has not been delayed, companies may face an uncomfortable wait until the rules of the new cybersecurity law become more clearly defined.
