On June 1, the Chinese government passed the country’s first national cybersecurity law. Over the past two years of the Cyberspace Administration of China’s (CAC) review and revision of drafts of the law, experts speculated about the extent to which it would restrict the behavior of foreign information technology firms operating in China. Critics of the final document note that its regulations regarding data localization—the storage of Chinese users’ data within China—real-name registration, and security reviews are both particularly stringent and, at times, vague. The law undergirds Xi Jinping’s goal of establishing “cyber sovereignty,” or control of the internet and its infrastructure within a state’s territorial borders.
How drastic are the immediate effects of the law on foreign tech companies operating in China? According to Samm Sacks in a piece from the Lawfare Blog, popular Chinese support for data localization following the Snowden leaks made non-Chinese tech firms anticipate the eventual need to comply with tighter rules:
[… M]any companies in China already assume that data localization requirements will become the de facto reality for China operations. In December 2015 the government entirely removed a provision from the final version of the Counterterrorism Law that would have required telecom operators and ISPs to store all data and equipment in China. But even without the requirements written in law beyond a handful of sector-specific regulations (for example, in online publishing and maps), many Chinese and foreign companies voluntarily began to plan for data localization in anticipation of stricter requirements to come. Some Chinese companies even stopped sending their data to foreign companies that had the ability to store and process data within mainland China. [Source]
Sacks characterizes the cybersecurity law as a “keystone in an arch” of the Xi administration’s long-term agenda for expanding information controls. Although the Chinese government has given foreign companies until December 31, 2018 to fully comply with the new rules on cross-border data flows, Sacks argues that at best this will provide more time for regulators to clarify the more open-ended stipulations.
Moreover, Sacks is not the only commentator to identify the misperception that data localization invariably means better data protection. Nor is she alone in arguing that the CAC must permit the international data flows that are vital to China’s economic growth. In the Information Technology and Innovation Foundation report “Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?”, Nigel Cory cites econometric studies predicting that China could lose up to 1.1% of GDP as a result of restrictions on cross-border data flows, along with $63 billion of consumer welfare losses. Cory’s report provides a detailed list of sector-specific data localization policies in China dating back to 2006, further demonstrating the gradual process by which China has built up its data protection legislation.
Some sources have commented that the data localization requirements benefit domestic Chinese cloud computing firms, which many multinationals are now turning to in order to transfer and store Chinese citizens’ data. Yet The Financial Times notes that domestic Chinese tech companies will have to weather the law’s new strictures as well:
Multinationals will be hardest hit, as the data localisation measures prevent them pooling client data in cloud storage databases across the world. The need to store some data on China-based servers and the rest elsewhere will add to fragmentation and cost. “It’s huge work for foreign companies to restructure their business,” said Mr Yang.
Cloud storage companies are also affected. One lawyer said his foreign clients were switching data from Amazon Web Services in Singapore to Alibaba’s China cloud service.
China’s own technology companies will themselves be hit. The bulk of Alibaba’s ecommerce takes place in China, but it has increasingly been setting up cloud data centres around the globe. “We comply with applicable laws in jurisdictions where we operate,” said Alibaba. [Source]
Shortly after the cybersecurity law’s passage, at least sixty celebrity social media news accounts were removed from Weibo, WeChat, and other platforms in compliance with its mandate to only allow circulation of “healthy and positive” online content. Despite this public display of enforcement, the Central Commission for Discipline Inspection has recently criticized the CAC for failing to carry out Xi Jinping’s guidelines on internet management in a timely manner.
In addition to netizen backlash over the removal of popular celebrity social media accounts, the aftermath of the cybersecurity law is further complicated by a recent data theft incident in which 22 people were arrested in Zhejiang for illegally selling Apple users’ personal information. The Cangnan County police have reported that the thieves made up to $7.3 million from selling this trove of customer data, which includes names, Apple identification numbers, and phone numbers associated with these accounts. The cybersecurity law makes the illegal sale of these types of personal information a criminal act at a time when similar data theft incidents have become commonplace in China. Last year, Chinese police cracked over 2,000 cases of stolen personal data, often sold by internal employees of banks, telecommunications companies, and academic institutions.