Foreign companies have argued the Cyber Security Law (CSL) will make it much more difficult for them to do business in the country
China on Thursday, 1 June, is to bring into force a controversial law that mandates certain companies to hold data within the country and to undergo on-site security reviews.
The Cyber Security Law (CSL) is in line with other countries’ efforts to consolidate its regulations with regard to digital and online security and data protection, according to industry observers, but multinational companies have protested it could make it much more difficult for them to do business in the country.
“Deciphering exactly who is captured and what is covered is leaving companies unsure as to how they will comply with this vague and potentially onerous law,” said analysts Carly Ramsey and Ben Wootliff of London-based strategic consultancy Control Risks in an advisory. “It is very likely that many multinational companies will feel the heat.”
The law, passed in November, broadly governs the use of two types of data, the personal data of Chinese citizens and “important data”, a vaguely defined category that includes information related to national security, economic development and social public interests.
It bans network providers from collecting and selling users’ personal data, and gives users the right to have their information deleted, in cases of abuse.
“Those who violate the provisions and infringe on personal information will face hefty fines,” said the country’s official Xinhua news agency, without giving specific details.
The law requires companies operating networks and those involved in the operation of “critical information infrastructure”, including firms that hold significant amounts of “important” or personal data, to house that data within China and to undergo on-site inspections of cyber-security systems and procedures.
Companies targeted by the regulations are required to carry out a security self-assessment or obtain approval from the relevant regulator before transferring the controlled data abroad.
‘Impossible to be compliant’
“The sheer scope of the CSL is mind-boggling. And, as mentioned, it is also extremely vague,” Ramsey and Wootliff wrote. “This means that it is currently impossible to be ‘compliant’.”
Instead, multinationals will need to focus on how the law is likely to be enforced by regulators, and to be aware it could be used as a competitive tool against them by domestic rivals, or in order to direct the market in ways determined by the government.
“Foreign companies need to be aware that the CSL will be another tool in the enforcement toolbox and could be utilised for reasons only tangential to cyber security,” the analysts wrote. “Companies should also be aware that the CSL potentially provides the government with the legal ability to obtain intellectual property and a view into an organisation’s cyber gaps and vulnerabilities.”
Costs for multinationals
The operational costs and risks associated with localising data to China are likely to be significant for multinationals, in particular the loss of the ability to conduct global data analytics across all the data they hold, Control Risk said.
The law could also be used to shut out foreign technologies to benefit domestic versions, affecting companies that currently rely on them, the firm said.
The companies most likely to be targeted include those critical in keeping certain sectors running, those with significant amounts of personal data on Chinese citizens and those with strong domestic competitors, according to the analysts.
The firm advised such companies to conduct a review of their data, to prepare for data localisation and security reviews, and to engage with government and regulators in order to help mitigate the impact of the law.
Do you know all about security in 2017? Try our quiz!