Amendments to China’s new Cybersecurity Law, which is set to take effect on June 1, will require a much broader range of companies operating in China to store business and user data on servers inside the country. Whereas the rule only applied to critical information infrastructure operators prior to the change, a much larger number of companies will be subject to restrictions limiting the transfer of data outside China, in addition to provisions setting in place tougher product security review processes and rules governing cooperation with government security investigations. As foreign companies come to grips with the uncertainties brought by the recent changes, some are already turning their data to local cloud providers. From Bloomberg Technology:
“Almost all our companies are making moves to ensure that the majority of the data they collect in China is stored on servers located within China,” said Jake Parker, vice president of the US-China Business Council in Beijing. “It’s not just the technology companies – it’s financial services, semiconductor manufacturers, every sector of business in China, that’s impacted.”
[...] In addition to the restrictions on moving data beyond the mainland, provisions in the law include a more comprehensive security-review process for key hardware and software deployed in China and a requirement to assist authorities conducting security investigations.
[...] Another provision requires IT hardware and services to undergo inspection and verification as “secure and controllable” before companies can deploy them in China. That appears to be already tilting purchasing decisions at state-owned enterprises. [Source]
Sarah Cook at The Diplomat discusses what the "worst-case scenario" could look like under the new law, which is expected to tighten an already restrictive cyber environment. In recent years, authorities have carried out an ongoing and persistent crackdown on social media, even without the new law. Influential public intellectual and Peking University Law professor He Weifang recently told the media that he would no longer post to social media after having his blog, Weibo, and WeChat accounts repeatedly closed by authorities. “I feel utterly helpless,” He told Gerry Shih of the Associated Press. “It’s as if I’m not allowed to make a single sound.” From Cook's report:
First, social media accounts would be closed on a large scale across multiple platforms. This has already been taking place in a more piecemeal fashion. Since 2013, online opinion leaders with millions of microblog followers on Sina Weibo have had their accounts shuttered. In March 2014, dozens of public accounts on WeChat that shared information on current affairs were closed or suspended. More recently, some journalists and academics have reported having their personal WeChat accounts shuttered. Under the new rules, millions of social media accounts sharing information on even apolitical news topics could be subject to such censorship.
Second, there would be an increase in arrests of ordinary users, including based on private information obtained by Chinese security forces from internet companies. [...]
The Chinese authorities have made clear that they are willing to imprison ordinary citizens based on content shared or viewed via social media. A February 2017 Freedom House study on religious freedom found that Falun Gong practitioners had been jailed for posting messages about the spiritual group or human rights abuses to WeChat or QQ, and that young Uyghurs had been imprisoned for viewing online videos about Islam. Last month, Wang Jiangfeng of Shandong Province was sentenced to two years in prison for referring to “Steamed Bun Xi” — a banned nickname for President Xi Jinping — in a group message on WeChat.
Third, full enforcement would mean greater government control over private media companies and news portals. The CAC rules promulgated on May 2 significantly restrict the space for investment and editorial input by foreigners, requiring editors in chief, for example, to be Chinese passport holders. [...] [Source]
A coalition of industry groups from several countries collectively appealed to China this week to postpone the implementation of the cybersecurity law, warning that it could hurt cross-border trade. Business and human rights groups critiqued the law before it was passed as well, though their concerns were not included in the final draft. Meanwhile, experts within China who support the law are cautioning against efforts to delay its implementation, according to a report by Cao Siqi at Global Times:
Although the Chinese government said the measure is not intended to unfairly target overseas companies and to "monitor, defend and handle cyber security risks and threats originating from within the country or overseas sources," some overseas business groups have been pressuring Chinese regulators to delay the law's implementation.
A Bloomberg report on Thursday said more than 50 trade associations and chambers of commerce signed a letter in May addressed to the government seeking a delay. They argued that the law could have an impact on cross-border trade, lock out foreign cloud operators, restrict competition and may decrease the security of products and jeopardize the privacy of Chinese citizens.
"Some overseas companies, especially multinational corporations from developed countries, have been accustomed to their privilege and special treatment in China. So when they are required to be regulated the same way as Chinese companies, they feel uncomfortable and resist," Shen Yi, Director of the research center for the governance of global cyberspace at Fudan University, told the Global Times.
"However, many foreign firms have already saved their data in China or have been inspected by the government, and no untoward consequences have happened. We should maintain vigilance against some organizations or governments which have forced their companies to stir trouble. We will never tolerate any disruption to the practical cooperation between the Chinese government and overseas companies," said Shen. [Source]