Online Regulation: Going its Own Way
China's new cyber-security law overreaches.
“If you want to stay in China, you have to go all in.” So says James Fitzsimmons of Control Risks, a consultancy, of the impact China's new cyber-security law will have on multinational companies (MNCs).
These firms have moaned for months about the law's intrusive and vague provisions and asked for a delay in its implementation, but to no avail.
It came into force on June 1st, and foreign firms are now scrambling to figure out its implications.
Mr Fitzsimmons, for one, is convinced that they must take the costly step of separating their local IT systems from their global networks.
At first blush, the law seems a reasonable effort at tackling two areas of policy in need of reform.
The first is cyber-security.
Companies in industries deemed to be critical must now ensure that their technology systems are “secure and controllable.”
They must store important data locally, and will be subject to audits by official inspectors.
Susan Ning of King & Wood Mallesons, a Chinese law firm, thinks that foreign firms should be familiar with such rules since, on her firm's analysis, European regulations on cyber-security are tighter than those found in the new law.
The other neglected area taken on by this law is data privacy.
Firms in China have long amassed and manipulated consumer data as they have pleased.
And as Ronald Cheng of O'Melveny, an American law firm, observes, online fraud, malware and mobile-phone scams are rife.
Under the new rules, companies must be much more careful with data about, or acquired from, individuals in China.
They are required to maintain such data on local servers, and must obtain permission before sending bulk data abroad.
However reasonable these goals seem, two big worries linger.
First, the law is overly broad and mischievously vague.
It provides little guidance on what constitutes “critical information infrastructure” (though impact on “social or economic well-being” is a criterion) and which firms are “network operators” (so even individuals with multiple computers could fall foul of the law).