Last week China’s long-gestating 2016 Cybersecurity Law finally went into partial implementation.
At the draft stage and beyond, the law, ostensibly aimed at preventing cyber snooping and guarding data, has caused chaos and confusion in the foreign business community. Companies are scrambling to understand how it will affect their daily business operations, as well as their intellectual property. Many of the accompanying rules that ought to clarify what foreign companies can and can’t do under the law remain vague, leaving businesses of all types in limbo. And some of the accompanying regulations that have been made public aren’t yet the final ones.
One part of the law that has particularly riled foreign tech companies centers on “data localization” and “data export”—in other words, where companies can store data and where they can move it. It’s a theme often repeated by Chinese authorities, and one made official only recently.
Article 37 reads in part:
Personal information and important data collected and generated by critical information infrastructure operators in the PRC must be stored domestically.
And it continues:
Where due to business requirements it is truly necessary to provide it [data] outside the mainland, they shall follow the measures jointly formulated by the State network information departments and the relevant departments of the State council to conduct a security assessment…
While the Chinese government has delayed implementation of the latter part until 2018, companies are already complying with the data localization requirements—and in some cases, complaining. That’s because data storage and movement are an important issue for global commerce, and China’s law runs counter to the principles of free trade and an open global internet.
Why is keeping data in one place burdensome for foreign companies?
It’s easy for users to take for granted that data collected online can flow between borders, in part because there are so many different types of data companies can collect and move.
When a potential virus is detected on a foreign-made software program on a Chinese computer, data about that virus might be sent to the company’s servers overseas. When a medical device generates data about a Chinese patient’s health, that data might get sent to the company’s servers overseas. When a Chinese user inputs their phone number on a foreign social media app (say, WhatsApp, which is not blocked in China), that data might be stored on the company’s servers overseas. And when a fast food company keeps a log of its employees in China, that information might be kept on the company’s servers overseas.
From the perspective of most businesses, regardless of where they are located, the question of “Where should data live?” has an easy answer: wherever the business wants.
It often makes sense for data collected all over the world to be “centralized” in one location. To give an example, Lester Ross, a partner at the WilmerHale law firm in Beijing, says that if a foreign-made medical device malfunctions in China, it’s best for the data to flow to a centralized location for troubleshooting. “If you restrict the flow of that information,” as the law proposes, “how do you operate? Are you forced to provide duplicative services in China, and if you are, is that worthwhile on a cost basis?”
Forcing companies to store data originating from one (very big) country inside its borders can get expensive. Businesses “have to make arrangements with cloud services providers in the country, or build their own data centers,” says Paul Triolo, who researches China and internet governance at Eurasia Group, a New York-based consulting firm. “Either way, there is a cost involved.”
Meanwhile, when it comes to data that businesses must move from one place to another, authorities have yet to clearly state what the “security assessment” referred to in Article 37 actually entails, beyond what looks like an arduous bureaucratic procedure. They also haven’t stated what types of data are subject to the assessment, save vague definitions of “personal information” and “critical data,” the latter of which includes “data which is very closely related to national security, economic development and the societal and public interests.”
What about privacy?
Other governments also do not share the view, favored by companies, that data should live and move wherever those companies want. Yet the motivations behind these disagreements vary by country, and other regions have taken different approaches to reconciling individual and corporate attitudes toward data.
The EU, for example, has made it clear it believes data belongs to the individual, not to the companies that collect it. It’s therefore the government’s responsibility to protect it, in the name of ensuring privacy. And one way to do that is by keeping it inside Europe’s borders.
However, it also recognizes that the free transfer of data is critical for free and fair trade. It has worked out agreements on how commercial and personal data originating in one region can be protected when it moves to another. Privacy Shield, for example, is a program that sets standards for data collection, transfer, and disclosure that participating US companies must abide by in order to lawfully receive personal data transferred from the EU.
In China’s view, data originating from China ought to be kept inside China’s borders because it is not safe elsewhere, period.
Protecting user privacy, as the EU does, is one plausible justification for this view, and on the surface the concern is perfectly valid. The revelations of former national security contractor Edward Snowden showed how many major US companies complied with US government requests to enable state-level surveillance. Indeed, the Cybersecurity Law is peppered with articles and references to the importance of user privacy.
But there’s more than enough reason to doubt that China’s true motivations lie in protecting its citizens’ privacy.
The Chinese government itself has a well-known track record of spying on its citizens (and, increasingly, on those outside its immediate jurisdiction). There have been past incidents in which companies, both foreign and domestic, were either asked to hand over personal data to the government or were subject to attacks that compromised personal user data. There have also been documented incidents of industrial cyberespionage conducted against US private companies in an attempt to steal trade secrets.
Promises to safeguard “privacy” ring hollow given these circumstances. The American Chamber of Commerce in China writes that despite claims about safeguarding data, “there is little to prevent security authorities from interpreting the law as providing expansive access to private information, trade secrets, intellectual property, or internal business communications.”
China is succeeding in making the internet more closed
For all the fuss about the Cybersecurity Law, many internet companies have already largely complied with China’s policy toward data storage.
Last December, Airbnb made an unusually public announcement stating that it had begun storing data for its Chinese users on domestic Chinese servers. Uber, Evernote, LinkedIn, and Apple have each done the same, well before the official implementation of the Cybersecurity Law.
This willing compliance is just as worrisome as the law itself, because it sets a precedent for more countries to follow. Other governments, such as Russia’s, have trumpeted similar data localization requirements, but have not been as aggressive as China in implementing them.
That could quickly change—last month, WeChat, China’s most popular messenger, was blocked in Russia after failing to comply with certain data localization laws. Tencent, the app’s parent company, said it would make the necessary changes to get back up and running—and days later, it was.
If other authoritarian governments are eager to police the internet but worried foreign companies won’t comply, they need only look to China to gain more confidence.