China has adopted a new cybersecurity law which has been criticized by foreign commenters as worsening the censorship already employed by China. Some companies have also expressed concern that they will have to deal with unfair restrictions compared to Chinese companies. Improving cybersecurity has been a major goal of Chinese President Xi Jinping since he came into power four years ago. This law is the latest in a series of major laws pushed by Jinping to address security concerns.
A key element of the law that has foreign companies concerned is the requirement that all hardware and software used in critical infrastructure will be subject to security reviews by the Chinese government in order to ensure that they are “secure and reliable.” Areas that are defined in the law as critical infrastructure include telecommunications, energy, transportation, information services and finance. Some foreign companies believe that they will be forced to disclose proprietary source code or other trade secrets during the security reviews.
Early drafts of the law did explicitly require the disclosure of source code, but that requirement was removed after protests from foreign companies. However, the security reviews are vaguely defined and it is not clear what they actually entail, which leaves some companies a little worried. Even if companies do not have to reveal their secrets to the Chinese government, there is also a fear that security reviews will be used to give Chinese companies an advantage by unfairly applying security standards. A spokesman for the Cybersecurity Administration of China dismissed such concerns and stated:
Whenever we bring up secure and reliable…some of our friends, especially our foreign friends, their heads swell up. They see it as synonymous with trade barriers. This is a misunderstanding, a biased view.
Another provision of the law is a requirement that all companies offering critical infrastructure must store their data within China unless they get special permission from the Chinese government. This could seriously impact companies which currently rely on data centers outside of China. Some companies already store data in China to a limited extent. For example, Apple stores user data of customers located in China on servers within the country. However, the law is vague and it is not entirely clear what data is required to be stored within the country.
The law also makes censorship a matter of cybersecurity and imposes punishments on companies that allow unapproved content to circulate online. It requires network operators to provide technical support to authorities to assist in criminal investigations. The law also codifies some practices which have already been implemented in the past, including the ability of the government to restrict Internet access in specific regions during an emergency.