Controversial Cybersecurity Law Soon Expected to Pass

The Standing Committee of the National People’s Congress on Monday began the third and likely final reading of a proposed . Previous drafts of the law met consistent criticism for vague language, concern that it could disadvantage foreign businesses, and its potential to further restrict and legally codify China’s tightly controlled internet. At Reuters, Paul Carsten and Michael Martina report that the NPC will likely pass the draft into law next week, outlining the longstanding concerns attracted by the draft :

The official Xinhua news agency said parliament had fully taken on board the views of the its standing committee and other parties, and had proposed passing the third and typically final reading at its current meeting from Monday to Nov. 7.

[..] The new law has met with a barrage of opposition from foreign business lobbies and governments, which say it is vague and could discriminate against overseas companies.

In its previously seen form, published after the second reading, the cybersecurity law would codify sweeping powers for the government, ranging from widespread censorship to heightened control over certain technologies. [Source]

The second draft of the law was open for public consultation until August. Presenting draft legislation to public comment is a tactic that has been used sparsely throughout the history of the PRC, but has in recent years and along with China’s adoption of the internet become increasingly common. For more on the topic, see a CDT interview with George Washington University’s Steven J. Balla, who warns that a lack of disclosure of public input can merely “provide a veneer of popular legitimacy to decisions that government officials have already made behind closed doors.”

The revised cybersecurity draft also included changes aimed at punishing foreign hackers, thereby bolstering Beijing’s claims that maintaining cybersecurity in the face of hostile foreign actors, and not legitimizing domestic cybercontrols via legislation, is the new law’s main intent. At The South China Morning Post, Viola Zhou reports:

The proposed cybersecurity law changes would let the government freeze assets of foreign individuals or groups if they damaged China’s key information infrastructure, Xinhua reported. Police would apply “other necessary punishment” to those outside the country who attacked, intruded, disrupted or harmed Chinese websites, according to the revised draft quoted in the report.

[…] China claims to be a victim of global cybercrimes, reporting growing numbers of attacks from overseas every year. Last year, authorities found more than 64,000 “control points” that had been controlling Chinese websites with malware from abroad, a 52 per cent rise from 2014, according to a government website.

[…] Liu Deliang, an internet law professor at Beijing University of Posts and Telecommunication, said that while it was difficult to freeze hackers’ assets, the threat of doing so was a warning to institutions and countries that might launch on China. [Source]

More on the U.S. and China’s trading of hacking accusations, and on foreign tech firms’ concerns over protectionism implicit in the draft law from the AP:

Cybersecurity has been a top source of friction between China and the United States, which both say they suffer hacking attacks originating from the other. Chinese officials have long characterized their country as a top victim of hacking and have called for expanded law enforcement powers and more stringent regulations on imported equipment.

If passed in its current form, the cybersecurity law could introduce new rules about how Chinese citizens’ data are stored and expand data access and censorship powers for law enforcement.

Foreign technology companies, particularly Silicon Valley giants with a stake in the Chinese market, also worry that the rules have a secondary motive of protecting the domestic technology sector by discouraging Chinese buyers in both the private and public sectors from purchasing foreign products. [Source]

Just as the final reading of the was beginning, U.S.-based short-term rental service Airbnb Inc informed its Chinese and China-based users that as of December 7, all of their personal data would be “transferred to, stored, used and processed by Airbnb China in accordance with Chinese laws and regulation.” Reuters’ Catherine Cadell reports:

The comments follow a blog post last week in which Airbnb announced the launch of a separate Chinese entity which will oversee the management of local data from next month.

[…] China has exerted increasing pressure on foreign tech companies operating within the country over the past year.

On Monday the country’s parliament held a second reading of a draft cyber security law that could require foreign technology firms to store certain “important business data” locally, including personal data.

[…] Airbnb is not the only company to proactively move user data to local servers. Consumer electronics giant Apple began using servers provided by China Telecom Corp Ltd (0728.HK) on Chinese soil from August 2014. [Source]

Read more about the costly and sometimes abandoned quests by foreign internet firms to enter China’s market, or on recent regulations on internet search engines, via CDT.