Earlier today, the Chinese government in Beijing approved a sweeping new cybersecurity law aimed at centralizing control over computer networks operating within China’s borders. An unofficial English translation of the newly enacted law is available here.
The new law is broadly drafted and applies to all entities that “own or manage . . . systems comprised of computers . . . for information gathering, storage, transmission, exchange and processing” within China. On its face, this law appears to cover any business that relies on computer networks in China. Among other things, it requires such network owners and operators to “require users to provide real identity information when signing agreements with users or confirming provision of services,” and requires network operators to censor content that the Chinese government deems “prohibited,” including the transmission of messages that promote “overthrowing the socialist system” or “incite separatism or damage national unity.”
In addition, the new law requires network owners and operators who provide “critical information infrastructure” services within China—such as communications and financial services—to store data on servers within mainland China, and to cooperate with rigorous government inspection and incident response protocols.
Failure to comply with any provision of the new law could result in civil and criminal penalties including substantial fines, the forced suspension of operations, or the cancellation of the offending network operator’s business license.
Critics of the law say that it puts businesses in the untenable position of having to enforce the whims of China’s existing censorship operation or risk stringent penalties—including allowing full access to potentially proprietary data and servers—and that by requiring network operators to collect the real names of users, it could have a chilling effect on free speech. In addition, critics argue that the law’s data residency requirements could create artificial barriers to trade and make global operations less efficient.
In particular, Human Rights Watch has described the law as “abusive,” arguing that the law’s provisions prohibiting network service providers from allowing users to criticize the Chinese government will embolden China’s prosecutors to double down on their existing practice of punishing peaceful activists who are critical of China’s socialist regime.
Moreover, members of various international chambers of commerce have argued that the new law’s security review and reporting requirements could weaken existing international security standards and create technical barriers to trade in violation of World Trade Organization standards.
The genesis of the new law is somewhat unusual by Chinese standards, as several draft versions of the law were circulated for public comment before it was finally enacted. Nevertheless, critics say the Chinese government failed to change its position on a number of the most controversial aspects of the law in the version that was ultimately enacted.
In many respects, how the new law will ultimately impact the international business community remains to be seen, as several key provisions regarding the scope and content of mandatory inspections require further implementing regulations to be enacted by Chinese authorities. There can be little doubt, however, that the international tech community will be watching these developments closely over the next several months until the new law goes into effect next summer, and we will continue to follow those developments here.