China will implement a controversial cyber-security law Thursday despite concerns from foreign firms worried about its impact on their ability to do business in the world’s second largest economy.
Passed last November, the law is largely aimed at protecting China’s networks and private user information at a time when the recent WannaCry ransomware attack showed any country can be vulnerable to cyber threats.
But companies have pleaded with the government to delay the legislation’s implementation amid concerns about unclear provisions and how the law would affect personal information and cloud computing.
The government appears to still be scrambling to finalise the rules.
Just two weeks ago, Zhao Zeliang, director of the cyber-security bureau, gathered some 200 representatives from foreign and domestic companies and industry associations at the new headquarters of the Cybersecurity Administration of China (CAC) in Beijing.
The May 19 discussion centred on a draft of the rules for transferring personal data overseas, participants told AFP.
Attendees received an updated version of the document, as well as Zhao’s assurance that regulators would remove some of the language that had received strong objections, they said.
The new document, obtained by AFP, removed a contentious requirement for companies to store customers’ personal data in China.
‘Headaches for companies’
But concerns remain.
“The regulator is unprepared to enforce the law” and it is “very unlikely” anything will happen on June 1, said one participant, who asked for anonymity to discuss the sensitive issue.
That impression was only strengthened a few days after the meeting, when authorities issued 21 new draft documents describing national standards on topics from cloud computing to financial data, noting they would be available for public comment until July 7.
More new drafts, including detailed guidelines on cross-border data transfers, were published Saturday.
It is “crystal clear that the regulatory regime is evolving and does not simply switch on like a light June 1”, said Graham Webster, an expert on Sino-US relations at Yale Law School.
Beijing, he said, is “wrestling with legitimate challenges that every country faces, and … much of the caution and ambiguity comes from a desire to get things right.”
But the process is causing “headaches for companies, Chinese and foreign alike”.
Protecting ‘national honour’
China already has some of the world’s tightest controls over web content, protected by what is called “The Great Firewall”, but even some of its universities and petrol stations were hit by the global ransomware attack in May.
The draft cyber-security rules provided at the CAC meeting address only one part of the sweeping law.
The legislation also bans internet users from publishing a wide variety of information, including anything that damages “national honour”, “disturbs economic or social order” or is aimed at “overthrowing the socialist system”.
Companies are worried that the new law could lock them out of the market.
Paul Triolo, a cyber-security expert at the Eurasia Group, wrote in a research note that regulators will likely introduce “new hurdles for foreign company compliance and operations” in industries, such as cloud computing, where China is actively seeking a competitive advantage.
As a result, “companies with politically well-connected competitors could see their profile raised for things such as cyber-security reviews”.
The European Union Chamber of Commerce, among other groups, has urged Beijing to “delay the implementation of either the law or its relevant articles”.
It “will impose substantial compliance obligations on industry” and “cautious, sound, consistent and fully reasoned supporting mechanisms related to its implementation are essential,” the group said in a statement last week.
The chamber called on policymakers to follow a “transparent” process that will help eliminate “discriminatory market access barriers”.
While there is no indication the law itself will be pushed back, the draft rules distributed at the CAC meeting says companies will have until December 31, 2018 to implement some of its requirements.
“It’s been enormously difficult for our companies to prepare for the implementation of the cyber-security law, because there are so many aspects of the law that are still unclear,” said Jake Parker, vice president of the US-China Business Council.
“There’s not enough information for companies to be able to develop internal compliance practices.”