China’s New Cybersecurity Law May Be Used to Slow Foreign Trade

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By John Butcher

China may use its new cybersecurity law to shift the technology market towards domestic products at the expense of foreign companies—or to punish companies in the event of geopolitical or trade disputes, regulatory analysts told Bloomberg BNA.

The new law, which took effect June 1, has been lauded by Chinese authorities as providing a safeguard for companies and consumers without restricting foreign companies’ operations in China. However, it also creates new costs and onerous obligations that foreign companies may be unwilling or unable to meet, the analysts said.

“Every country should take seriously their cybersecurity and their obligations to protect personal privacy, but cybersecurity should not become a mechanism for erecting trade barriers that create unjustifiable obligations on companies based overseas while diminishing competitiveness and innovation,” Lester Ross, chairman of the policy committee at the American Chamber of Commerce in Beijing, told Bloomberg BNA.

The law imposes new security review requirements on companies sending data overseas and broadens the scope of information that must be stored within China’s borders. The latest, detailed set of regulations implementing the law also requires internet operators to cooperate with investigations involving crime and national security, and imposes data localization requirements on infrastructure companies that collect and store data.

China has been pursuing avenues to access foreign companies’ technology as it bolsters control of the collection and movement of data. Forcing companies to store information within the mainland has already led some to tap cloud computing providers with more local server capacity—a potential boon to homegrown Alibaba Group Holding Ltd. and Tencent Holdings Ltd. at the expense of Amazon.com Inc. and Microsoft Corp.

“These requirements encourage business operations in China to use cloud and storage services in China, and thus benefit the domestic cloud and storage service providers,” such as Alibaba’s AliYun cloud service, Yang Xun, commercial intellectual property and technology practice leader at Simmons & Simmons in Shanghai, told Bloomberg BNA.

Requiring companies to store information inside China will almost certainly effect market access for U.S. firms, Yang said.

Push for Domestic Tech

China has “long pursued a domestic technology agenda,” and the new law “could be a tool in this,” Carly Ramsey, a regulatory risk specialist at risk consultancy firm Control Risks in Shanghai, told Bloomberg BNA. Although much of the increased regulatory enforcement of foreign companies “across many areas” is due to regulators finally enforcing previously set rules, it is sometimes motivated by geopolitics, she said.

Under the cybersecurity law, companies are designated as critical information infrastructure (CII) operators or network operators.

CII operators— companies that conduct business China’s government deems essential —are required to store data collected inside the country and must share their software source codes with Chinese authorities during a technology review process. Network operators must conduct cybersecurity audits, collect data on users and, under draft implementing regulations, undergo a security review of data designated to be transferred outside of China.

Creating non-tariff barriers to foreign companies, potentially in the form of “slowing or blocking market access through a long and arduous security review process,” could also advance the domestic technology agenda, Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations in New York, told Bloomberg BNA.

A combination of the law’s lack of clarity, Chinese companies’ closeness with the government, and Beijing’s stated intention to reduce dependence on foreign suppliers has created “legitimate” concern the law may be used to discriminate, Segal said.

Ross said new cross-border data flow restrictions could impose “a huge restricting cost on almost every foreign firm that operates in China.”

Precedent for Slowing Trade

There is historical precedent to support the potential for Chinese authorities to use the security law in ways that may slow trade, James Gong, a cybersecurity and data privacy senior associate at Herbert Smith Freehills in Beijing, told Bloomberg BNA.

A law introduced by the China Banking Regulatory Commission in 2016 required financial institutions to use Chinese technology and share source code of software applications used by banks, Gong said. The legislation was suspended a few months after its implementation amid a backlash from foreign tech firms and Chinese banks, but it demonstrated the authorities’ agenda of moving the Chinese market toward domestic products, he said.

Ramsey said that part of the review process under the new cybersecurity law is “looking at market position.” The authorities are aware of what happened with the banking law, so they may consider if there is a replacement Chinese technology before blocking or hindering market access to a foreign product, she said.

Yang said that, although the security review process isn’t designed to discriminate against foreign companies, opinions and comments from domestic businesses will be “given more weight” as the government finalizes implementing regulations. “As a result, domestic business will be benefited more from the standards,” he said.

To contact the reporter on this story: John Butcher in Beijing at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security