China Cyber Security Law Prompts Fears of Chilling Effect on Foreign Tech

New restrictions on exporting data and greater government access to source code and other intellectual property are fueling concerns about the law’s impact on foreign multinationals.

Aldrin Brown, Editor-in-Chief

May 30, 2017


Doing business as a technology company in China is going to get a whole lot more difficult starting Thursday.

That’s when a sweeping new cyber security law takes effect, saddling firms that handle Chinese data with a host of intrusive regulations that experts say will make multinational companies more vulnerable to theft of their intellectual property, and increase the complexity and costs of doing business.

Under one of the more onerous provisions of the Cyber Security Law (CSL), companies designated as “critical infrastructure” are forbidden from exporting data collected inside China.

The definition of critical infrastructure companies was drawn so broadly as to include any company that – if breached – could “harm people’s livelihoods.”

One example included a fast-food restaurant that accesses the personal payment information of a large number of Chinese citizens.

“The law is both extremely vague and exceptionally wide in scope, potentially putting companies at risk of regulatory enforcement that is not related to cyber security,” Carly Ramsey, associate director at the risk-management consultancy Control Risks, told the Financial Times.

Parts of the country’s first national digital security regulatory regime – like mandating development of data privacy rules – are being welcomed by some observers as long overdue.

But other components are fueling fears about their intrusiveness.

One provision of the law requires critical infrastructure designees, and any services they engage, to undergo “national security reviews” during which state regulators can ask to see source code or other proprietary information.

“The CSL gives broad authority to the Cyberspace Administration of China, China’s powerful cyberspace watchdog, and other industry regulators to conduct these reviews,” according to a separate article penned by Ramsey and Ben Wootliff, also of Control Risks.

Companies seeking to export data of more than 500,000 Chinese individuals must also undergo a national security review to ensure their systems are “secure and controllable.”

In addition to making it more difficult to move Chinese data out of the country for storage in cloud data centers around the world, the new rules could limit the ability of organizations to include data from China for worldwide analysis.

“Regulators will likely focus on whether companies have any data that could contradict official numbers, such as industry or population health statistics,” the Forbes piece said.

Experts recommend that any company whose business relies on managing Chinese data assess the specific impact on its operations and respond accordingly.

And responsible businesses should anticipate that the law could be applied in ways that have nothing to do with cyber security.

“Companies should also be aware that the CSL potentially provides the government with the legal ability to obtain intellectual property and a view into an organization’s cyber gaps and vulnerabilities,” Ramsey and Wootliff explained. “The operational costs and risks of localizing data to China are likely to be significant for most (multinational corporations), particularly the loss of the ability to conduct global big data analytics if the China data has to be housed separately.”

