China has drafted several security laws over the past year that tighten regulation over suppliers of technological equipment and services.
Chinese officials say the measures are necessary to national security, allowing them to verify that critical equipment isn’t vulnerable to hacking and to help them track down criminals and fight terrorism. But the rules have been criticized by foreign governments and trade groups as onerous and a possible way to discriminate against non-Chinese vendors.
Many of these measures involve the concept of “secure and controllable” technology, a loosely defined term that involves government security checks and data storage within the country.
Here are some of the major cybersecurity laws that have been drafted:
- National Security Law: Passed July 2015. A broad umbrella statute that calls for increased information security, in addition to outlawing threats to China’s government, national unity, economy and other interests.
- Counterterrorism Law: Passed December 2015. Requires internet service providers to help authorities decrypt data and provide “technical means of support” in terrorism cases. The final version was rolled back from draft language that would have required local data storage and the submission of encryption systems for government review.
- Cybersecurity Law (draft): First reading July 2015, second reading expected this month. The first draft said authorities would be allowed to cut internet access in public-security emergencies, and required data localization and cybersecurity reviews.
- Banking-sector IT guidelines (suspended): China’s banking regulator issued IT security guidelines in Jan. 2015 to financial institutions for implementation by the end of last year. The rules included quotas for new equipment that must be “secure and controllable,” which meant the suppliers must share source code to prove their products’ security. The rules were suspended after pressure from other governments including the U.S.
- Insurance-sector IT guidelines (draft): China’s insurance regulator filed a notice with the World Trade Organization in April saying new IT guidelines could go into effect as early as June. Similar to the banking guidelines, these would require technology equipment suppliers to insurance firms to meet “secure and controllable” standards and store their data locally. U.S. officials are expected to raise the issue in talks with China next week.