Its controversial implementation thus far

China’s Cybersecurity Law, implemented in 2017, has been a topic of intense debate both domestically and internationally. The law aims to protect national security and regulate cyberspace activities within the country. However, it has received pushback for its potential impact on international trade and the overall cross-border digital landscape. Carlo D’Andrea and Shane Farrelly of D’Andrea & Partners Legal Counsel examine the storied implementation of China’s Cybersecurity Law thus far. 

Perceived market access and trade barriers 

Even prior to its promulgation, critics argued that China’s Cybersecurity Law had the potential to be used as a tool to protect domestic industries by erecting trade barriers. The law has been perceived as favouring Chinese competitors by imposing stringent rules and compliance requirements that foreign enterprises may find overly burdensome or costly; in effect, indirectly discouraging foreign investment and potentially stifling innovation and competition. 

One of the market access barriers for foreign-invested enterprises (FIEs) arising from China’s Cybersecurity Law is the much-publicised requirement for data localisation, mandating that certain critical data and ‘important data’ collected by critical information infrastructure operators must be stored on servers within China’s territory. This poses a significant challenge for foreign companies that operate globally and have existing data centres in other countries, as they are now being required to invest in building new infrastructure within China or partner with a local provider, which, again, can be costly and time-consuming. 

Another potential barrier for foreign enterprises looking to comply with the law is the requirement for security assessments and certification. The Cybersecurity Law mandates that certain network products and services—such as routers, switches and servers, antivirus software, and firewalls, to name but a few—undergo security assessments and obtain certification before they can be sold in China. These procedures are carried out by Chinese authorities and can be lengthy and expensive. FIEs, especially technology companies, may find it challenging to meet the stringent requirements set by the authorities.  

Additionally, the Cybersecurity Law empowers the Chinese Government to conduct security reviews of network products and services used in critical information infrastructure (CII) sectors. This provision raises concerns among foreign enterprises, as the security review process lacks transparency and can be used as a tool to target and block FIEs from operating in certain sectors. For example, foreign technology companies providing hardware or software solutions for CII sectors, such as telecommunications or energy, may face prolonged security review processes or even outright bans. This not only hampers market access but also discourages foreign investment in these sectors, limiting competition and stifling innovation. 

Overall, these market access barriers present challenges for foreign enterprises to operate in China’s market and effectively compete with domestic competitors. The perceived favouritism towards Chinese companies and the burden of compliance requirements can discourage foreign investment. 

Ambiguities in interpretation and enforcement 

Additionally, the enforcement of the Cybersecurity Law varies across different regions in China. Some local authorities may implement the law more strictly, while others may have a more relaxed approach. This inconsistency in enforcement practices understandably creates difficulties for companies operating in multiple regions, as they have to navigate and comply with different interpretations and requirements of the law.  

For example, in Shanghai, local authorities have relaxed data localisation requirements for multinational companies (MNCs), allowing them to store data offshore, provided they meet certain conditions. In Beijing, there are well-established mechanisms and local regulations that require platforms to have dedicated content review teams, while smaller regions with fewer resources have a less rigorous approach to monitoring internet content. In Guangdong Province, for example, the local government has introduced additional rules allowing companies to conduct self-assessments on cross-border data transfers, which provides more flexibility to businesses. 

The lack of clarity and consistency in the interpretation and enforcement of China’s Cybersecurity Law adds complexity and challenges for foreign enterprises trying to understand and comply with the law’s requirements. These ambiguities can lead to confusion and potential non-compliance, ultimately hindering foreign companies’ ability to effectively navigate the regulatory landscape in China’s cybersecurity domain. 

Data privacy concerns 

The broad language used in the Cybersecurity Law gives Chinese authorities the power to request and obtain any data from both foreign and domestic companies operating within China. This lack of specificity can create uncertainty for enterprises, especially regarding the types of data that may be accessed and reviewed. 

MNCs, especially those operating in sectors in which trade secrets and customer data protection are critical, worry that Chinese authorities may gain access to their sensitive information, such as proprietary technologies, research and development data, customer databases, and other valuable intellectual property. Unauthorised access to such confidential business information by Chinese authorities could lead to severe competitive disadvantages for foreign enterprises, as their trade secrets may be compromised or even stolen. 

One example of data privacy concerns under the Cybersecurity Law is the case of Apple in China. In February 2018, Apple announced that it would transfer the iCloud data of Chinese customers to a local Chinese company’s servers in order to comply with the Cybersecurity Law. This decision raised concerns about the access Chinese authorities would have to user data, potentially compromising user privacy. 

By handing over control of its servers to a local company, Apple effectively created a scenario in which user data could potentially be accessed or monitored by Chinese authorities without the scrutiny and oversight typically associated with privacy protection. These concerns are particularly significant considering the amount of sensitive information that is often stored in iCloud accounts, including personal communications, photos, documents and more. The fear is that this data could be exploited or misused, potentially leading to violations of privacy and human rights. 

The case of Apple in China serves as a notable example of the data privacy concerns that can arise under the Cybersecurity Law. It highlights the tension between complying with national laws and regulations and upholding global privacy standards, prompting discussions about how to balance data protection with government control and national security. 

Conclusion 

The implementation of China’s Cybersecurity Law has raised concerns over potential trade barriers, enforcement inconsistencies and data privacy issues. 

For foreign enterprises, conducting thorough assessments of their products and services to ensure they meet the security requirements and certifications mandated by the Cybersecurity Law can be a proactive approach that can help streamline the approval process and reduce delays. Chinese legislators should provide clearer guidelines and interpretations of the Cybersecurity Law and homogenise provisions nationally to reduce ambiguity. This will help foreign enterprises better understand and comply with the law’s requirements, ultimately fostering a more predictable regulatory landscape. 

Chinese legislators may also look to work with their international counterparts to develop common cybersecurity standards and practices (for example, the EU’s General Data Protection Regulation (GDPR)). This collaboration can help bridge the gap between domestic and international cybersecurity regulations, and facilitate smoother cross-border operations. 

By considering these solutions, both foreign enterprises and Chinese legislators can work towards a more balanced implementation of the Cybersecurity Law, in order to foster a competitive and innovative digital landscape while ensuring the protection of national security and data privacy. 

D’Andrea & Partners Legal Counsel (DP Group) was founded in 2013 by Carlo Diego D’Andrea and Matteo Hanbin Zhi, both of whom have extensive backgrounds in Chinese and EU law. DP Group currently has four service entities: D’Andrea & Partners Legal Counsel; PHC Tax & Accounting Advisory; EASTANT Communication and Events; and Chance & Better Education Consulting. DP Group has branches around the world, with locations in several major developing economies.