China Update: New cyber security law in China has major consequences for business

As a part of President Xi Jinping’s greater plan to fasten control and power over the internet, the National People’s Congress Standing Committee today passed controversial new cyber security legislation. The law is expected to be issued publicly this Monday and will come into effect by June 2017. The legislation will have major consequences for any company which conducts business online in China.

Due to heavy pressure from international businesses, specific clauses in the final text of the law have significantly improved since the Chinese government published its first draft in August last year. Much of the regulation now echoes the recently negotiated EU cyber security legislation. However, grave concerns about the scope and the consequences of the Chinese legislation still remain. Vague phrases like “secure and independent control” and requirements for companies to provide “technical support to security agencies” leave room for broad interpretation.

The regulation would require internet companies to register users with their real names and personal information. Instant messaging services and other online companies will also be required to censor content that is “prohibited”. Multinational companies may not be allowed to transfer user data overseas as this will need to be kept on a server in China. The broad wording of the text also leaves questions as to whether intellectual property and other sensitive business information will have to be shared with the Chinese government upon request.

Chinese officials from the Standing Committee (a largely rubber-stamp institution functioning similar to a Parliament)  state the new legislation would not interfere with foreign business interests – and that objections to vague phrases are based upon misinterpretation. According to the officials, phrases like “secure and independent control” do not allude to protectionism but are merely expressions of China’s ambitions to keep out foreign hackers.

Many multinational online companies, such as AirBnB and Alibaba, have already taken significant measures aiming to comply with the new cyber security law. However, the real consequences for business will only become clear in the months leading up to June 2017 and afterwards. Dr2 Consultants will closely monitor the developments on the interpretation of the law and its effect on companies for its clients. To obtain an English translation of the draft regulation, or of the final regulation once published, please contact us.