China passes cyber security law despite strong foreign opposition

The law was passed by the Standing Committee of the National People's Congress, China's top legislature, and will take effect in June

China has green-lit a sweeping and controversial law that may grant Beijing unprecedented access to foreign companies’ technology and hamstring their operations in the world’s second-largest economy.

The Cyber Security Law was passed by the Standing Committee of the National People’s Congress, China’s top legislature, and will take effect in June, government officials said on Monday. Among other things, it requires internet operators to cooperate with investigations involving crime and national security, and imposes mandatory testing and certification of computer equipment. Companies must also give government investigators full access to their data if wrong-doing is suspected.

China’s grown increasingly aggressive about safeguarding its IT systems in the wake of Edward Snowden’s revelations about US spying, and is intent on policing cyberspace as public discourse shifts to online forums such as Tencent Holding’s WeChat. The fear among foreign companies is that requirements to store data locally and employ only technology deemed “secure” means local firms gain yet another edge over foreign rivals from Microsoft to Cisco System. 

“A number of IT companies have really serious concerns. We don’t want to see barriers put up,” US Deputy Secretary of Commerce Bruce Andrews told reporters during an October visit to Beijing. “Cross-border data flow has become increasingly important to trade and to companies in the way they operate every day.” The decision on cyber security was revealed on Monday along with a raft of other announcements, including a ruling that barred a pair of elected Hong Kong localists from office and the surprise replacement of veteran official Lou Jiwei as finance minister. 

Companies operating on Chinese soil rarely raise public objections to domestic policy for fear of repercussions, but much is at stake in a Chinese IT market Gartner puts at $340 billion. The draft law prompted more than 40 business groups from the US, Europe and Japan to pen a letter to Premier Li Keqiang this summer, arguing it would impede foreign entry and the country’s own growth. Parallel legislation governing the use of data for the insurance industry has also provoked objections.

The measures are part of a sweeping push under President Xi Jinping to control China’s internet, including the passage of a security law establishing “cybersovereignty” and making the spread of rumours and defamatory posts a crime. 

“The law fits international trade protocol and its purpose is to safeguard national security,” said Zhao Zeliang, director general of the bureau of cyber security for the Cyberspace Administration of China. “China’s cyber security requirements are not being used as a trade barrier.”

China’s campaign to safeguard its infrastructure echoes post-Snowden efforts in Europe and elsewhere. 

The difference lies in how the vague language affords regulators leeway to expand their scope if needed, critics say. And it’s not just technology providers who’re concerned, but also any company that relies on foreign systems to run its business there. Broad or vague language casts uncertainty over the steps required for compliance, for starters, said Xiaoyan Zhang, an attorney with Mayer Brown in Shanghai.

The requirement on certification could mean technology companies will be asked to provide source code, encryption or other critical intellectual property for review by security authorities. This is something Microsoft already does with its software, under controlled conditions. 

Bloomberg