China’s bewildering new cybersecurity law is keeping foreign tech firms out of the country

The new law passed by Xu Lin’s Cyberspace Administration of China serves as a “no trespassing” sign to overseas businesses.
Image: Reuters/China Stringer Network

Beijing has a tried-and-true tactic for keeping foreign companies out of China—make its domestic laws so vague that they’re impossible to follow.

Today the Cyberspace Administration of China, which oversees internet governance in the country, passed a broad law that dictates how foreign companies must operate in China. Commonly known as the “Cybersecurity Law,” the document formalizes some practices that foreign technology firms have been following for years. But like many other regulations from Beijing, its lack of clarity ultimately leaves foreign companies without a proper roadmap for how to abide by the law—which in effect serves as a “no trespassing” sign to overseas businesses.

The law, which passed more than a year after a first draft was issued publicly, generally re-affirms the state’s commitment to controlling what technology is used within China’s borders and how it can collect information. Article 35, for example, states “Personal information and other important business data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China.”

This is generally interpreted to mean that foreign companies must keep servers for Chinese users located within the country’s borders. Many foreign internet companies have already complied with this measure. Airbnb, for example, last week announced it would move its Chinese user data to a domestic location, over a year after it officially entered the market via a joint venture.

But the law does not specify what is meant by “other important business data” (product performance data? Payment data?). Keeping more data inside China costs overseas companies more money, and also heightens the risk that the government will snoop on it.

Article 65, meanwhile, states that “critical information infrastructure providers” (defined in Article 31 as “public communication and information services, power, traffic, water, finance, public service, electronic governance [providers]”) stand to violate the law if they use products or services that “have not had safety inspections or did not pass safety inspections.” Yet the nature of these safety inspections also remains unspecified.

Article 21 also states that “specialized network security products” must meet a set of standards released in a “catalog” by the State Council (the administrative body chaired by Premier Li Keqiang, China’s nominal second-in-command). But the standards in this catalog have yet to be revealed, according to a source familiar with the matter.

“Generally speaking, all companies want to be in compliance. And because the laws are vague, companies don’t know how to be in compliance,” the same source tells Quartz. “Foreign companies who have the technology and have the impetus to get into the China, or continue servicing their customers [there], they’re not getting the necessary information to do so. And since the information isn’t there, they’re shut out of the market.”

James Zimmerman, chairman of the American Chamber of Commerce in China, argued the law has less to do with cybersecurity than protectionism.

“In terms of improving security, this law is at best a missed opportunity, and some of the measures seem to emphasize protectionism rather than security,” he wrote in a statement. “But one thing is for sure: the more difficult it is for data to travel across the Chinese border, the more difficult it will be for companies inside those borders to innovate, and China risks becoming isolated technologically from the rest of the world.”