China's new cyber security law brings a new challenge for foreign companies: they know very little about it.
The law is part of Beijing's efforts to more tightly control the internet within China's borders - already one of the most restricted online environments in the world. It came into effect today, 1st June, and while it has been hailed as an increase in privacy, both multinationals and analysts have warned that it will give Chinese companies an unfair advantage. Some have even warned that it will make them more vulnerable to having IP and trade secrets stolen.
Under the new legislation, 'critical' companies (a vague term that encompasses banks, energy suppliers and firms holding sensitive data - itself an undefined term) with information relating to Chinese citizens or national security must store that data within China. There will be a review process before large amounts of personal data can leave the country. Security checks will also be carried out on companies in sectors like finance, and private individuals will be required to register for messaging services with their real names.
'Critical' companies must go through a security review, through which the government could request programme source code and investigate their IP.
It is widely thought that the law is an attempt to shield Chinese data from foreign eyes, after Edward Snowden revealed that governments were spying on communications from multinationals.
Companies are concerned that the move will make their businesses less secure. In May, companies from the Americas, Europe and Asia petitioned Beijing to delay its implementation. China's internet regulator, the Cyberspace Administration of China, delayed the regulation governing cross-border data flow to 2018; however, the rest of the law has now come into full effect.
What are the effects?
The American Chamber of Commerce in Shanghai has said that the data localisation and transfer regulations have a potential impact on cross-border trade worth billions of dollars. There is also a concern that smaller firms, which cannot afford to implement the controls that the government is asking for, will be forced out of the country altogether.
Michael Chang, an executive at Nokia and VP of the European Chamber of Commerce, said, "Industry is not ready because the implementation rules are not clear." Carl Ramsey of risk-management consultancy Control Risks told The Financial Times, "The law is both extremely vague and exceptionally wide in scope, potentially putting companies at risk of regulatory enforcement that is not related to cyber security."
Many companies will be affected by the new law, from fast-food chains (which collect large amounts of user data) to multinationals (which will not be able to pool client data in cloud storage globally). As the FT notes, the need to store data in a specific location will add to fragmentation and cost.
At the end, we come - again - to encryption. Beijing has joined the likes of the US and UK governments in trying to force companies to decrypt data in the interests of national security, with a proposed law in April. While the likes of WhatsApp and Facebook have spoken up against these measures, and Apple point-blank refused to unlock an iPhone used by an attacker in the San Bernardino shooting, we cannot see Chinese companies acting in the same way.
The World Bank already ranks China, the world's second-largest economy, as the 78th most difficult country to do business in, out of 190 countries. It is likely that this new law will only further lower its ranking.