China imposes Cybersecurity Law on foreign firms

The tightened Chinese cyber laws will give foreign firms a tough time when conducting business in China.

By Nicolette Chua

Last month, China’s Cybersecurity Law on foreign firms came into effect. This new law applies to large network operators and businesses in critical sectors.

Article 37 of the law mandates that these network operators are to store all data within mainland China itself. Such data cannot be transferred abroad without permission. Companies are to allow Chinese crime or security investigators full access to their data and provide them with “technical support” upon request. Companies will also have to pass security reviews with regard to their best practices in keeping company and client data secure.

Online service providers are also prohibited from collecting and selling users’ personal information. Users can opt to have their personal information deleted in the event of abuse.

China’s new law is aimed at combating growing online threats

The Chinese government has asserted that the slew of regulations is aimed at improving China’s cybersecurity, which is susceptible to threats.

“China is an internet power, and as one of the countries that faces the greatest internet security risks, urgently needs to establish and perfect network security legal systems,” said Yang Heqing, an official from the National People’s Congress.

Yang’s comment reflects the growing threat of cyberterrorism, hackings and online security breaches in China. 22 people were arrested on suspicion of stealing Apple users’ personal data shortly after the law came into effect. The suspects were employees working under the marketing and outsourcing department for Apple in China. They were allegedly paid between 10 yuan (US$1.47) and 180 yuan (US$26.45) for pieces of illegally obtained data.

A black market for private data obtained from police and government bases was also exposed by Southern Metropolis Daily newspaper last December.

China is often blamed for launching cyber-attacks on foreign governments. In 2015, U.S. investigators believed that the Chinese government was responsible for a data breach on the Office of Personnel Management, which is one of the government’s databases.

But China is also a “frequent victim” of hacking. Its rail system was hacked in December 2014 and passengers’ personal information was stolen. Cyber-attacks in China have, in fact, risen by over 950% between 2014 and 2016, according to a PwC survey, with “Internet of Things” (IoT) connected devices identified as particularly vulnerable.

Businesses are apprehensive about the new law

The new Cybersecurity Law has attracted much controversy. Foreign companies are primarily concerned about “data localisation” and “data export”, which concern where companies store data and move data respectively. Data movement and storage is the lifeblood of many businesses in an era of global e-commerce. China’s new law contradicts principles of economic openness and information transparency.

In August 2016, more than 40 global business groups petitioned for the government to amend controversial sections of the Cybersecurity Law but to no avail. The law was passed by the National People’s Congress in November 2016. The government has said that the law will not hurt business activity or the flow of data across China.

“The purpose is to safeguard (China’s) national cyberspace sovereignty and national security… rather than to restrict foreign enterprises,” the Cyberspace Administration of China (CAC) said in a statement on its website.

Businesses and lobby groups have criticised the wording of the regulations as “vague” and have asserted that the law “leaves foreign firms vulnerable to abstract implementations of the rules”.

The CAC met foreign business groups privately to attempt to allay their fears. It was claimed that there would be an 18-month phase-in period until the end of 2018. The phase-in period would be meant for measures affecting cross-border data transfers – one of the most contentious elements of the new law. But the most recent CAC notice made no mention of a phase-in period.

The law is unlikely to deter investment in China on the whole. Yet the added internet regulations could cause the efficiency and long-term competitiveness of key businesses to decline.

China is infamous for its strict regulations on its online sphere

Internet regulation encompasses political and societal implications in China. The Cybersecurity Law on businesses is merely one aspect of the online sphere that the central government heavily intervenes in.

China is well-known for its “Great Firewall”, which blocks netizens from viewing websites outside of the country. China blocks access to 135 out of 1000 sites including Google, Facebook, Twitter and YouTube, according to Greatfire.org, which monitors China’s online censorship. China’s online sphere has its own spin-offs of famous search engines, social networking sites and messaging applications such as Baidu, Weibo and WeChat.

Tech-savvy netizens have been using virtual private networks (VPN) to bypass the Great Firewall. VPNs route internet traffic to servers outside of China to prevent censorship by Chinese filters. On July 1, popular virtual private network GreenVPN was forced to shut down by the government.

VPNs are in fact commonly used by businesses, universities, news organisations and even state-run newspapers. The government limits online content that it deems “undesirable” or detrimental to the Party’s values. Such content includes news, discussions on politics and pornography.

The Chinese government has been running a 14-month nationwide campaign against unauthorised internet connections since January 2017. All special cable and VPNs in China would need to be approved by the government, a notice by the Ministry of Industry and Information Technology revealed. The campaign will run until the end of March 2018.

Critics claim that the new Cybersecurity Law will do more to strengthen China’s censorship regime than to tackle cybersecurity threats. The recent moves show that the Xi administration appears to be consolidating its political stronghold in the online sphere.

“Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes,” said Sophie Richardson, China Director for non-profit organisation Human Rights Watch. “The already heavily censored Internet in China needs more freedom, not less.”

Questions about the law remain unanswered

The existence of China’s Great Firewall means that foreign companies based in China are already accustomed to strict online and data regulations. These companies have existing practices regarding information technology and data management and privacy in China. These internal policies apply to both in-country operations and travel for international staff.

Despite reports about companies in critical sectors already preparing to comply with the Cybersecurity Law, most firms are likely adopting a wait-and-see approach, according to The Diplomat. These companies are awaiting news about the phase-in period from the authorities. Business sentiment is unlikely to be heavily affected.

Firms and lobby groups have said that most of the original law remains intact and broad. This is despite late changes such as the 18-month phase-in period. The impact of the law will hence depend on how the government enforces it.