With its new cybersecurity law taking effect on June 1, China has pulled a slick legislative sleight of hand. In order to prevent theft or misuse of online personal and corporate data, it has created a regulatory framework guaranteeing that the government will have on-demand access to all of it.
The law, which was approved by the National People’s Congress Standing Committee in November of last year, imposes sweeping new legal obligations on companies, network providers, and individuals using the internet in China. The legislation provoked widespread condemnation, particularly from international business leaders who fear that its expansive scope and vague wording will leave them subject to invasive audits, heavy compliance costs and unpredictable legal consequences.
“We believe this is a step backwards for innovation in China that won’t do much to improve security,” said James Zimmerman, chairman of the American Chamber of Commerce in China, in a statement on the law’s initial ratification. “The Chinese government is right in wanting to ensure the security of digital systems and information here, but this law doesn’t achieve that. What it does do is create barriers to trade and innovation.”
In particular, the new rules require businesses to undergo regular review and certification of network equipment, as well as making their products and services fully available to the government to assist in national security or criminal investigations. The Cybersecurity Administration of China (CAC) has thus far provided minimal detail on what types of firms are included in the statute or what form equipment checks will take. Going by the current letter of the law, though, this could mean that corporations will be required to make an onerous choice: allow the Chinese government (hardly known for vigorous protection of intellectual property) unfettered access to proprietary information, or sacrifice operations in a market of nearly 1.4 billion consumers.
In order to “protect the lawful rights and interests of citizens,” the law imposes additional restrictions on the collection and transfer of personal data. Network operators looking to transfer data across China’s borders will be required to submit to a security assessment to determine whether the transaction carries a risk of “leakage, loss, falsification or misuse.” The rules also explicitly prohibit any collection or transfer of personal information, like name, national ID number, or biometric data, without prior consent of the user. In effect, consumer data collected in China must now be stored on servers within the country’s borders, and some multinationals are already changing their business practices to comply.
Though this latter portion looks like a step forward for personal data security, when coupled with the government’s sweeping new powers to corral and observe companies’ online data, the law offers very little in terms of actual privacy protections for individuals.
In fact, Article 24 of the law requires mobile and internet service providers as well as all “information publication or instant messaging services” to collect “real identity” information from all customers at registration. In short, you can’t be anonymous on the Chinese internet; both you and your social media platform could be prosecuted if you try.
This approach to online information – data localization as a substitute for true consumer privacy – is a core component of President Xi Jinping’s push for “internet sovereignty.” The philosophy holds that the government has the same right to patrol its virtual borders as its physical ones, and has a right to control information flows abroad the same way it would control cross-border immigration.
“[The cybersecurity law] does not restrict foreign companies or their technology and products from entering the Chinese market, nor does it limit the orderly, free flow of data,” the CAC said in a statement to Xinhua. “China is entitled to make laws and rules to regulate its cyberspace sovereignty following international practice.”
Though China’s notoriously surveilled state is an easy target for privacy advocates, this law comes at a time of shifting legal approaches to individual data security around the world. In April, President Trump signed legislation eliminating proposed guidelines from the Federal Communications Commission that would have required Internet service providers to get explicit consent before sharing customers’ online behavior and other personal information with broadband providers. Privacy standards in the U.S. are currently governed through a patchwork of federal and state agency regulations.
Meanwhile, the EU’s omnibus General Data Protection Regulation (GDPR), adopted a year ago and slated for implementation in May 2018, is widely considered to be the world’s most progressive legal framework for consumer privacy online. It sets heavy penalties – up to 4 percent of annual global turnover – for entities that violate statutes on consumer data protection, access, portability, and, when requested, erasure.
As individuals and corporations navigate new cybersecurity regimes both in China and globally, we’re left with a new look at old questions. In a borderless virtual world, can national governments effectively police individual privacy? And perhaps more importantly, who’s policing the policeman?
Kaelyn Lowmaster (@TheLowmaster) is a senior research analyst at One World Identity, an independent strategy and research company focused on identity.
The views expressed by contributors are their own and are not the views of The Hill.