BOFIT Weekly Review 2016/46

Foreign firms concerned about China’s new cybersecurity law



China this month approved a new cybersecurity law set to take effect at the beginning of June 2017. Under the new law, firms operating in China are obliged to help officials fight crime and threats to China’s national security. The law requires that firms store certain data on servers in China, get official approval on IT equipment and systems they use and agree to government inspections of their data systems.

Dozens of business organisations around the world have been criticising the bill since summer. They have expressed concerns that the threat of vague IT security inspections and burdensome data storage requirements would ultimately hurt international trade. Even so, the draft law was not significantly revised before its final reading this month. The EU Chamber of Commerce in China is especially unhappy with the strict data storage requirements and restrictions on cross-border data transfer. It says that the law is unclear in its terminology and fails to specify how inspections will be conducted, all of which only add to uncertainty. The US Chamber of Commerce in China says the restrictions on cross-border data transfer will inhibit innovation activity.

Some observers note that it is impossible to avoid current cyber-threats by simply erecting barriers as the law assumes. Officials instead need to focus on international cooperation to deal with these threats. The law is also seen as protectionist, as in practice it is expected to block foreign firms from operating in many parts of China’s technology sector. Some NGOs worry that the law increases China’s online censorship.