China's new cybersecurity law takes effect today, and experts are rattled about what it all means.
The law has been largely touted by Beijing as a milestone in data privacy regulations, but critics say authorities haven't provided enough information about how the wide-reaching law will be implemented. That's a big concern, as failure to comply carries fines that could hit 1 million yuan (about $150,000) and potential criminal charges.
What's more, the law is expected to make it even harder to do business in China by increasing costs to foreign firms, exposing multinationals to cyber-espionage, and giving domestic companies an unfair edge. And it's adding to the already tough environment: The World Bank currently ranks the world's second-largest economy 78 out of about 190 countries in terms of ease of doing business, only a few notches above Qatar, Guatemala and Saudi Arabia.
Here's what you need to know about the law now:
The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. As such, companies will now be required to introduce data protection measures, and sensitive data — for instance, information on Chinese citizens or relating to national security — must be stored on domestic servers. In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges, however, is that the government has been unclear on what would be considered important or sensitive data.
Unauthorized collection, disclosure and receipt of a citizen's personal information now constitute a criminal offense, according to Scott Thiel, a partner at law firm DLA Piper. Sanctions would take into account the degree of harm, and the amount of illegal gains — fines could go up to five times the amount of those ill-gotten gains.
The law is "not only for the legal protection for the interests of the masses in cyberspace, but also effectively safeguards national cyberspace sovereignty and security," according to a government statement published in state media outlet China Daily.
For companies in China, the big question is, "what's all this going to cost at the end of the day?" said Benjamin Cavender, a principal at China Market Research Group.
"If you're a company that was previously using services that aren't going to be looked on favorably in China, and you're forced to migrate to a new platform — that gets expensive really quickly," he said.
Plus, being forced to store data domestically could pose a few problems. Firstly, foreign firms normally do need to transfer information outside of China. And secondly, keeping sensitive information on Chinese servers might mean the government can look under the hood whenever it wants, exposing multinationals to industrial espionage.
In a similar vein, it could allow Beijing to go even further in tracking people it deems troublemakers. Still, it should be noted that government censorship and monitoring have long been issues in China.
"Data security is based on the best available technology internationally, and our companies already have robust IT systems in place to ensure the security of their data and IT systems in the China Market," said Jacob Parker, vice president of the U.S.-China Business Council.
The American Chamber of Commerce in Shanghai has called the data localization and data transfer regulations "unnecessarily onerous," with a potential impact on cross-border trade worth billions of dollars.
Multinationals may be better equipped to take on the cost of compliance, but "a lot of the small and medium sized companies may not be able to afford to put in the control that the Chinese government is asking for, and if they can't put in those controls, it may actually push them out of that country and that market," said James Carder, vice president of cybersecurity firm LogRhythm Labs.
The EU Chamber of Commerce in China has even supported a delay in implementing the law, given what it says is the law's lack of clarity about how different aspects will be defined and enforced.
For Beijing, this is one way to try to protect Chinese data from foreign spying by keeping everything contained onshore.
It's also "part of the government's push to create more white-collar jobs," Cavender said. That's a crucial move as authorities try to maneuver away from the old economic growth model of manufacturing and exports to one powered by services and consumption.
While Chinese firms are also subject to the same data localization and transfer requirements — a potential challenge as many domestic companies are going global — experts said the regulation could help China bolster its domestic tech sector as more companies are forced to store data onshore. But that could mean continued uneven market access for foreign versus Chinese companies, which is also a long-time challenge.
"The asymmetry between the access that Chinese companies enjoy in other markets and the access foreign companies have in China has been growing for some time," said Kenneth Jarrett, the president of the American Chamber in Shanghai.
One example is that Chinese firms usually can fully own and control data centers and cloud-related services around the world without foreign equity restrictions or technology transfer requirements, but foreign cloud companies in China don't enjoy the same environment.
—CNBC's Dan Murphy contributed to this report.