China’s Cybersecurity Law Takes Effect: What to Expect

Samm Sacks
Thursday, June 1, 2017, 10:56 AM

China’s cybersecurity law (CSL) officially takes effect today.

Published by The Lawfare Institute
in Cooperation With
Brookings

China’s cybersecurity law (CSL) officially takes effect today. The New York Times warns that “as China moves to start enforcing a new cybersecurity law, foreign companies face a major problem: They know very little about it.”

Certainly the language of the law is broad and ambiguous, and that vagueness creates problematic uncertainties. But we actually know more about how the CSL might operate in practice than it seems at first glance.

The CLS is only one part of an emerging and evolving system of Chinese cyber governance. Examining the legislative text within the broader context of its passage reveals that officials are likely to only selectively enforce its vast scope. This means that political and economic interests are likely to shape important elements of implementation.

To better understand how the law might operate, it is necessary to consider the internal debates involving Chinese technology companies and the degree to which voluntary compliance began before the law formally took effect. While acknowledging ambiguity will persist, below are initial thoughts on how to understand key issues like data localization and the cybersecurity review regime, and assess what directions they might be moving in.

Cybersecurity Law as the "Keystone in the Arch"

The CSL is just one element of the Chinese government’s rapidly constructed system of institutions, laws, regulations, and policies aimed at strengthening cyber governance. It marks a broader effort by President Xi Jinping and the Chinese Communist Party leadership to assert ultimate control over the Chinese internet, data, and information communications technology (ICT) industry. Therefore, the CSL shouldn’t be read in isolation from the dozen other mutually reinforcing parts of China’s evolving cyber governance system. The CSL is better understood as the “keystone in an arch” of the Xi government’s larger buildout of a legal framework for security controls in cyberspace. It is intimately linked with national security, via Xi Jinping’s dictum “without cybersecurity there is no national security” (没有网络安全就没有国家安全).

Below are key highlights:

China’s Evolving Cyber Governance Framework

Laws

Cybersecurity Law

June 2017

Encryption Law (Draft)

April 2017

National Security Law

July 2015

Counterterrorism Law

December 2015

Regulations/measures/guidelines

Measures on Security Assessment of Cross-border Transfer of Personal Information & Important Data

Effective June 2017; Compliance required by December 2018

Security Review Measures for Network Product and Service Security Inspection (Interim); also known as the Cybersecurity Review Regime (CRR)

June 1 2017

Further measures defining Critical Information Infrastructure

TBD

Sector-specific cybersecurity implementation measures

TBD

Sector-specific IT ‘secure and controllable’ guidelines (Internet Plus, medical devices, banking, insurance)

2014 - present

Standards

Dozens of information security standards including those related to critical information infrastructure and data protection under Technical Committee 260 (TC260)

Ongoing

Practical Impact for Companies Operating in China

Typically, the Chinese government first releases a law of broad principles and then clarifies the scope in a series of implementation decrees and standards. As the table above shows, implementation guidelines for the most important and controversial issues in the cybersecurity law are still pending, including data localization and cross-border data transfer, CRR, and the scope of critical information infrastructure (CII). As a result, many outside and inside China have been reluctant to weigh in about what to expect. Unfortunately, this kind of reactive, wait-and-see approach is rarely is a good idea in China. Below are initial thoughts on how to understand these issues and assess what directions they might be moving in.

The data localization ship may have already sailed...

Long before the CSL took effect, companies were reassessing their operations on the assumption that Beijing would soon require data localization. But while data localization is a top priority for Beijing, recent official statements suggest that concerns about Chinese companies’ ability to expand globally might provide some space for negotiation over the extent of restrictions on cross-border data transfer.

Following the Snowden disclosures and amid questions about western law enforcement access to data, popular support for data localization has grown in China. There is now a widespread—though inaccurate—belief that geographic location matters for data security and that demanding data stay in China affords a higher level of protection.

Article 37 of the Cybersecurity Law states:

Personal information and other important data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People's Republic of China, shall store it within mainland China.

The government is still in the process of defining “other important data” or what sectors fall under CII under separate guidelines, but early indications suggest even follow-on guidelines will be vast and ambiguous. For example, draft Guidelines for Cross-border Transfer Security Assessment issued on May 27th give a sweeping definition of “important data” that echoes the National Security Law, spanning that which can “influence or harm the government, state, military, economy, culture, society, technology, information...and other national security matters.”

Separate Measures on Security Assessment of Cross-border Transfer of Personal Information & Important Data—which takes effect June 1 with compliance mandated by December 2018—states that all “network operators” will be subject to data transfer assessments. According to TC260’s draft guidelines, “network operators” could mean anyone who owns and manages an IT network (本标准所指网络运营者,是指网络的所有者、管理者和网络服务提供者). This raises questions about scope, including the possibility that e-commerce could be deemed critical infrastructure given all the personal data held by companies like Alibaba and Tencent.

Despite these uncertainties, many companies in China already assume that data localization requirements will become the de facto reality for China operations. In December 2015 the government entirely removed a provision from the final version of the Counterterrorism Law that would have required telecom operators and ISPs to store all data and equipment in China. But even without the requirements written in law beyond a handful of sector-specific regulations (for example, in online publishing and maps), many Chinese and foreign companies voluntarily began to plan for data localization in anticipation of stricter requirements to come. Some Chinese companies even stopped sending their data to foreign companies that had the ability to store and process data within mainland China.

...but Chinese tech companies need cross-border data flows

Notwithstanding all of the above, Beijing has recently showed some willingness to reassess how far it will extend data transfer restrictions. This suggests the government could leave room for maneuverability and negotiation with companies when it comes to implementation.

The main driver of the government’s reassessment is probably not the objections of foreign companies, so much as domestic tech companies concerned about their global operations. China’s national champion tech companies are not always in lockstep with Beijing. As Jack Ma once said of Alibaba’s relationship with the government, “be in love with them, but don’t marry them”. Since at least 2015 Alibaba has pushed back on data restrictions, arguing that they create “major problems for Chinese internet companies expanding overseas...ultimately leading to the fragmentation of cyberspace”. This view is in line with the position of foreign multinational companies operating in China. Additionally, Alibaba’s research institute has argued for a data categorization scheme that distinguishes among personal, government, and commercial data. Tencent, another Chinese internet giant, also indicated support for data classification.

Officials indicated a desire to balance data security with the needs of global commerce in line with international practices. During a recent meeting in Beijing, Director General Zhao Zeliang of the Cyberspace Administration of China (CAC) stated that the government does not want to cut off cross-border data flow or hinder economic globalization under the One Belt One Road (OBOR) initiative. He suggested that the government will treat CII, personal, and business data differently. The government’s stated intention is not to block export of “important data,” but to gain more visibility for regulators and companies into the risks, primarily through “self assessments.” A revised version of the cross-border data transfer measures showed some attempt at moderation, including stating that companies do not have to stop operations while undergoing an assessment and removing a stipulation that would have subjected all personal and important data to security assessment before leaving China.

Cybersecurity Review Regime (CRR)

The CRR essentially creates a black box security review—one that is nearly impossible for most people to assess—that can be used for political purposes to delay or block market access. Foreign companies now face at least four separate security audits by different Chinese government agencies with unclear jurisdictions.

On May 2, the CAC released the Security Review Measures for Network Product and Service Security Inspection (Interim). The measures require network products and services used in critical infrastructure to undergo a cybersecurity review administered by the CAC. The specific criteria, metrics, and those conducting the evaluation are unknown.

The most telling part of the measures appears in article 4, section 5, which states that the review will focus on “other risks that could harm national security.” This catch-all statement—which is included in some form in every law and regulation in the cyber legal framework—essentially gives the government authority to interpret the scope of reviews however it wants, underscoring the inherently political nature of the review.

Foreign companies now face multiple, overlapping security reviews at different levels in the bureaucracy. In practice, the government has not clarified how the CRR will work with the existing multilevel protection scheme (MLPS) run by the Ministry of Public Security (MPS). Technically, the CSL states that normal network providers will go through MLPS while CII operators will undergo the CRR. But given the lack of definition around these concepts, foreign companies could get caught in the crosshairs as the CAC and MPS jockey for influence as the new cybersecurity legal framework takes shape. Moreover, the CAC and sector-specific regulators both have responsibility for the CRR, creating conflicting jurisdiction even within the CRR itself.

Beyond the MLPS and CRR, companies will also have to contend with other new assessments that are still in the works, including cross-border data export (referenced above) and a broader national security review akin to CFIUS (under the umbrella of the National Security Law from July 2015).

Three Takeaways

First, China’s new legal framework for cybersecurity does not mean that it will be impossible for foreign tech companies to do business in China, but it is written so as to provide legal imprimatur to Beijing’s political whims. There is an expression in Chinese for the discretionary authority that high-ranking officials have when it comes to laws: “If they say it is fine, then it will be fine. If they say it is not fine, then it will not be fine (说行就行,说不行就不行).” If the Chinese government, customers, and partners want to do business with a foreign company, they will find a solution to get through these new regulatory hurdles. But if they do not, there is now an easy way to say no.

Second, informal implementation of the CSL and related measures began long ago, making the June 1 deadline less relevant than it seems. Global industry associations calling for a delay in implementation are wasting their energy, not least because the law is tightly linked with national security and is not directed at market access alone. Foreign companies have grown accustomed to submitting to invasive security reviews and pressure to store some types of data locally in China for some time. However, the time period before the entry into force of the cross border data flows measures will be crucial for clarifying the parameters of data that will be subject to some type of review.

Third, the most important point of leverage for the US when it comes to China’s cybersecurity regime may be access to overseas markets for Chinese companies as they go global. Beijing appears to be in the process of moderating its approach on cross-border data flows in recognition of the problems this would cause for its global tech ambitions. The threat of sanctions against Chinese companies finally brought Beijing to the negotiating table in September 2015 for the Obama-Xi agreement on cyber economic espionage. US industry and policymakers should keep this in mind as they consider responses, particularly related to the need for business-related data to go back and forth across borders.

***

Special thanks to Paul Triolo for providing invaluable research, insight, and notes, as well as to Yanjun (Jennifer) Meng for her excellent research assistance.


Samm Sacks is a Senior Fellow at New America and Yale Law School’s Paul Tsai China Center. She is also a Senior Fellow for China Cross Border Data Forum. She has worked on Chinese tech and cyber policy for over a decade, both in the national security community and the private sector. She is writing a book (to be published by the University of Chicago Press) on U.S.-China relations through the lens of data, including the geopolitics of data privacy and cross-border data flows.

Subscribe to Lawfare