As the new Cyber Security Law (CSL) comes into force June 1, more details of regulations are coming to light that will affect no small number of companies around the world who wish to do business with China. Every one of them should radically change their way of operating in China, especially as regards the processing of their customers’ data.
Although a few months ago the focus was on how the new legislation would affect tech companies, the fact is that the labyrinthine legislation of the Cyber Security Law puts practically all companies at the mercy of Chinese authorities. It details requirements to be met by “network operators”, a concept that is defined in the law in an extremely broad way and which, when it comes down to it, refers to any company that operates a computer network.
The legislation seeks to protect the privacy of citizens and, in order to do this, will force companies to store data on servers located in China. In addition, in specific cases data collection will need prior authorization from the Chinese government, which will also force companies to implement necessary security measures to prevent a cyberattack from endangering the privacy of its citizens.
While the attempt to protect privacy does not seem worrisome (and, in fact, is pretty similar to Europe’s General Data Protection Regulation), the fact is that the lack of transparency in the legislation and the power that the administration retains for itself suggest that the Cyber Security Law will become an obstacle to business growth in China and, paradoxically, a threat to privacy.
A Back Door
It will be the Chinese government itself that establishes the security measures implemented by each company. In cases of non-compliance, companies will face a fine and even the suspension of their license to operate in China. However, the most troubling aspect of the law is that Internet companies will be required to store information related to the activity of their customers.
This, combined with provisions in the new law allowing Chinese intelligence agencies to strong-arm collaboration from companies to “safeguard national security,” suggests that the so-called privacy protection regulation is actually a kind of back door through which the government could access confidential information.
In any case, all companies intent on trying their luck in China, whether multinationals or small companies, will be forced to make a significant investment to adapt to the Cyber Security Law, which could reduce the innovation budget while jeopardizing the confidentiality of the corporations themselves.