China Internet Security Law


The Cyber Security Law of the People's Republic of China, commonly referred to as the China Internet Security Law, was enacted to increase data protection, data localization, and cybersecurity in the interest of national security.

History

This law was enacted by the Standing Committee of the National People's Congress on November 7, 2016 and was implemented on June 1, 2017. It requires network operators to store select data within China and allows Chinese authorities to conduct spot-checks on a company's network operations.
The Ministry of Industry and Information Technology justified the law as the part of the country's Go Out policy.
Cybersecurity is recognized as a Basic Law. This puts the law on the top of the pyramid-structured legislation on cybersecurity. The law is an evolution of the previously existent cybersecurity rules and regulations from various levels and fields, assimilating them to create a structured law at the macro-level. The law also offers principal norms on certain issues that are not immediately urgent, but are of long-term importance. These norms will serve as a legal reference when new issues arise.

Provision

The law created
The Cybersecurity Law is applicable to network operators and businesses in “critical sectors.” By critical sectors, China roughly divides the domestic businesses into networking businesses that are involved in telecommunications, information services, energy transport, water, financial services, public services, and electronic government services.
These definitions mean the law is applicable to all businesses in China that manage their own email or other data networks. Network operators are expected, among other things, to: clarify cybersecurity responsibilities within their organization, take technical measures to safeguard network operations and prevent data leaks and theft; and report any cybersecurity incidents to both users of the network and the relevant implementing department for that sector.
The law is composed of supportive subdivisions of regulations that specify the purpose of it. For instance, the Core Infrastructure Initiative Security Protection Regulations and Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data. However, the law is yet to be called fixed, since China's government authorities are occupied with defining more contingent laws to better correspond the Cyber Security Law. By incorporating preexisting laws on VPN and data security into the Cyber Security Law, the Chinese government is reinforcing business law in China.
The Cybersecurity Law also provides elaborate regulations and definitions on legal liability. For different types of illegal conduct, the Law sets a variety of punishments, such as fines, suspension for rectification, revocation of permits and business licenses, and others. The Law accordingly grant cybersecurity and administration authorities with rights and guidelines to carry out law enforcement on illegal acts.
Although the censorship affects the whole nation, it does not affect China's special administrative regions such as Hong Kong and Macau. This is because these regions enjoy a high degree of autonomy, as specified in local laws and the "One country, two systems" principle.

Effects

Along with the Great Firewall, restrictions raise concerning voices, especially among foreign companies. Regarding the requirements for spot-checks and certifications, international law firms have warned that companies could be asked to provide source code, encryption, or other crucial information for review by the authorities, increasing the risk of this information being lost, passed on to local competitors, or used by the authorities themselves. The Federal Bureau of Investigation warned that the law could force companies transmitting data through servers in China to submit to data surveillance measures.
The law sparked complaints both internally and internationally due to its wording. Foreign companies and businesses in China expressed concerns that this law might impede future investments in China, because the law now requires them to "store their data on Chinese-law regulated local servers, and cooperate with Chinese national security agencies if asked to," which could potentially compromise business secrets and sensitive information.
To comply with the law, for instance, Apple announced that it would transfer the operation of iCloud in Mainland China to a government-sponsored data company named Guizhou-Cloud Big Data. Meanwhile, online services, including Skype and WhatsApp, refused to store their data locally and were either banned from operating in China or restrained from further expansion.
Article 9 of the cybersecurity law states that “network operators … must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility.” Such vague provision is suspected to increase the government's guard to interpret and assert the need to intervene. Such interventions would include investigations which could disperse into government trade associations requesting spot-checks at the foreign firm.
Foreign firms are now placed between two choices: One, they could invest in new data servers in China to comply with data localization or incur new costs to hire a local server provider, such as Huawei, Tencent, or Alibaba, which have spent billions in recent years establishing domestic data centers as part of Beijing's 12th Five-Year Plan. The substantial investment by these Chinese technology firms in recent years is one of the reasons for which critics believe that the new law is partly designed to bolster the domestic Chinese data management and telecommunications industry against global competitors.
However, an international firm in China reported to PGI that the intention of the law is not to prohibit foreign businesses from operating in China, nor is it to boost Chinese competitiveness. In fact, with regards to a study by Matthias Bauer and Hosuk Lee-Makiyama in 2015, data localization causes minor damage to economic growth due to inefficiencies that arise from data transfer processes and the duplication of data between several jurisdictions. As a matter of fact, the requirement for data localization should instead be seen as a legal move by Beijing — bringing data under Chinese jurisdiction will make it easier to prosecute entities seen as violating China's internet laws.
The president of AmCham South China, Harley Seyedin, claimed that foreign firms are facing “mass concerns” because the law has greatly increased operating costs and has had a big impact on how business is done in China. More specifically, he stated that the cyber security law continues to create “uncertainties within the investment community and it’s resulting in, at the minimum, postponement of some R&D investment.”
The law was widely criticized by social activists for limiting freedom of speech. For example, the law explicitly requires most online services operating in China to collect and verify the identity of their users, and, when required to, surrender such information to law enforcement. Activists claimed that this policy dissuades people from freely expressing their thoughts online.