China’s cyber security law rattles multinationals

Yuan Yang

China's first cyber security law will increase costs for multinationals, leave them vulnerable to industrial espionage and give Chinese companies an unfair advantage, business representatives and analysts have warned.

The measure, which comes into force on Thursday, has been widely welcomed as a milestone in introducing much needed data privacy. But analysts have expressed fears it could help Beijing steal trade secrets or intellectual property from foreign companies.

"The law is both extremely vague and exceptionally wide in scope, potentially putting companies at risk of regulatory enforcement that is not related to cyber security," said Carly Ramsey, associate director at Control Risks, a risk-management consultancy.

Foreign companies had petitioned Beijing to delay the legislation. "It is vitally important that [these measures are] proportionate, consistent, non-discriminatory and formulated in a transparent manner. Regretfully, this is not yet the case," said Michael Chang, vice-president of the European Chamber of Commerce in Beijing.

The law is part of a drive by Beijing to shield Chinese data from the eyes of foreign governments after US whistleblower Edward Snowden revealed that the US was spying on communications from multinationals, say analysts.

"The message is clear that the government will encourage more domestic development of technology, and that it now sees privacy and cyber security as vital national concerns," said Xun Yang, a lawyer at Simmons & Simmons in Shanghai.

Under the new law, companies must introduce data protection measures — a novelty for many Chinese businesses — and data relating to the country's citizens or national security must be held on Chinese servers. Companies will have to submit to a review by regulators before transferring large amounts of personal data abroad.

However, "critical" companies — a widely drawn definition that encompasses sensitive entities such as power companies or banks but also any company holding data that, if breached, could "harm people's livelihoods" — will have to store all data collected in China within the country.

These companies, and any services bought by them, must go through a "national security review" to ensure they and their data systems are "secure and controllable".

The measure allows Beijing to request computer program source code, which is usually known only by the software developer. National security reviews may also allow Beijing to delve into companies' intellectual property, analysts warn.

Even fast-food delivery companies could be considered critical infrastructure, Shanghai regulators ruled during a pilot run for the law — presumably, analysts suggest, because they hold information on millions of users.

Multinationals will be hardest hit, as the data localisation measures prevent them pooling client data in cloud storage databases across the world. The need to store some data on China-based servers and the rest elsewhere will add to fragmentation and cost. "It's huge work for foreign companies to restructure their business," said Mr Yang.

Cloud storage companies are also affected. One lawyer said his foreign clients were switching data from Amazon Web Services in Singapore to Alibaba's China cloud service.

China's own technology companies will themselves be hit. The bulk of Alibaba's ecommerce takes place in China, but it has increasingly been setting up cloud data centres around the globe. "We comply with applicable laws in jurisdictions where we operate," said Alibaba.

While the new law is causing angst in foreign boardrooms, the personal data privacy provisions are in line with worldwide practice, said Scott Thiel, partner at law firm DLA Piper in Hong Kong. For example, it accords with Europe's General Data Protection Regulation, he said.

But analysts suspect enforcement in China might be tinged with political goals. A proposed supplementary law on encryption, published in April, allows the government to demand "decryption support" in the interests of national security. Effectively, this means the government can force companies to decode encrypted data.

"In the US Apple refused to open [the San Bernardino shooter's] iPhone for the FBI. I cannot imagine that happening in China," said one lawyer.

Although the law makes no distinction between local and foreign businesses, Chinese companies are less concerned, say lawyers. They are less likely to use cloud services and have a smaller presence abroad, and those with overseas operations tend to send data back to their Chinese headquarters rather than taking any out of the country.

Domestic companies are also less bothered by legal vagueness, said Mr Yang. Foreign companies take laws literally, while their Chinese counterparts tend to tease out their overall message — in this case, that they must take cyber security seriously — and wait for specific guidelines to be handed down by their industry regulator.

But they also know the law is not designed to cause trouble for local businesses.

"The big banks are close to government and know they will be considered in the legislative process," said Mr Yang. "The same goes for big technology companies like Alibaba."