Companies Required to Give Customer Data to Authorities in China’s New Cybersecurity Law
China has approved a controversial cybersecurity law that gave the government unprecedented access to technology worldwide. The law was green-lit as a national security measure but went too far, human rights groups said. It granted the government the ability to censor online content and restrict free speech.
Some parts of the bill drew more attention than others. For instance, computer equipment manufacturers will be required to undergo mandatory testing and certification of computers and computer parts. Internet companies will be required to store customer data and additionally need to fully cooperate with investigators.
Companies must report any suspected criminal activity to the proper authorities and give authorities full database access. Steep fines and penalties have been implemented for companies that violate these laws.
China’s efforts to protect national infrastructure, as Inside Counsel reported, resemble post-Snowden laws in several countries. The difference, however, is visible when comparing China’s law to those of other countries; the new Cybersecurity Law is incredibly vague and is potentially without a concrete scope. A limit to the powers the law grants may not exist.
“This is a step backwards for innovation in China that won’t do much to improve security,” James Zimmerman, chairman of the American Chamber of Commerce in China, said in an e-mail to Bloomberg. “The Chinese government is right in wanting to ensure the security of digital systems and information here, but this law doesn’t achieve that. What it does do is create barriers to trade and innovation.”
Previously this year, we wrote about a Chinese computer technician getting sentenced to death for selling 150,000 government documents to spies. Critics have expressed that this law will not prevent those types of situations.
Certification requirements in the law were noted as the most vague part of the law. Technology companies could be asked to provide anything from source code, encryption keys, and even proprietary intellectual data. A reporter noted that Microsoft has already been granting Chinese authorities full access to their software, albeit under different circumstances.
Chinese citizens have expressed explicit concern for the data storage requirements in the law. Businesses that obtain data on Chinese citizens are required to store the data on local servers. Said data must remain on the domestic servers and special permission from the government is required in situations where the data is needed abroad.
“A number of IT companies have really serious concerns. We don’t want to see barriers put up,” U.S. Deputy Secretary of Commerce Bruce Andrews told reporters during an October visit to Beijing. “Cross-border data flow has become increasingly important to trade and to companies in the way they operate every day.”
Some foreign companies have already started making changes. For instance, in early November, Airbnb sent an email to all Chinese users explaining some significant changes. The company, the email said, would be transferring all data on Chinese users to servers within China. Later on, Airbnb made it clear that there was a distinction between Airbnb and Airbnb China.
In August, more than 40 international businesses wrote to Prime Minister Li Keqiang regarding the law. They urged that the law (it was still a draft in August) be amended to allow foreign companies an equal market opportunity in China. Foreign companies expressed concern for their intellectual property and product security if their data was to be stored in China. This law, Business Insider wrote, jeopardized the business interests of any outside organization.
The law furthered the government’s online censorship abilities and allowed a greater restriction of speech. The law prohibits “online activities that attempt to overthrow the socialist system, split the nation, undermine national unity,” and “activities including inciting ethnic hatred, discrimination and spreading violence and obscene information.”
Companies have several months to comply with the new standards as the Cybersecurity Law will not be implemented until June 2017.