How will China’s GDPR-like Cybersecurity Law impact business?

How will China’s GDPR-like Cybersecurity Law impact business?

China’s new Cybersecurity Law (CSL) might have been a long-time coming, but it’s all set to have a major impact on the way foreign firms do business in the Middle Kingdom. This being China, however, nothing is quite as it first appears. A law ostensibly created to bring China into line with global best practices on cybersecurity could end up having the opposite effect if the government decides to ask for IP, source code and other details as part of ‘national security’ spot-checks.

It could even run the risk of many such firms being shunned in the West and raise concerns that Chinese agents are stockpiling exploits in their products and systems.


Improving security standards

The Cyberspace Security Law of the People's Republic of China, to give it its full title, finally came into force in June this year. On paper, it contains some important best practice provisions for “network operators” to prevent data leaks and breaches and any damage or unauthorised access. These are neatly summarised by the China Law Blog as:

  • Appoint dedicated network security personnel and develop internal security management systems/policies
  • Adopt measures to prevent computer viruses, cyber-attacks, network intrusions etc.
  • Set-up network logs and ensure you retain them for at least six months
  • Classify, back up and encrypt important data

There are also some important new stipulations designed to protect consumer data, some of which overlap with the new EU GDPR:

  • Ensure any collected user data is kept confidential
  • Collect and use such info legally and not beyond its original purpose
  • Disclose purpose, method and scope of collection and use; obtain consent from the individual and don’t collect data irrelevant to the service provided
  • Network operators are forbidden from disclosing altering or destroying personal data
  • If a breach occurs, operators must inform users and report to relevant agencies
  • Individuals have right to request data deletion or correction if it is inaccurate or collected illegally

Critical information Infrastructure (CII) firms must comply with the above, and a whole additional set of more rigorous requirements including an annual security assessment, regular training and assessment of staff, and emergency response plans. CII firms are also mandated to keep within the Great Firewall any data collected or generated in China. Plus, the law states that any procurement of new network products or services that could impact national security will force CII firms to submit to a national security review.

According to the law, almost any firm could be judged to be a “network operator” as long as they operate a network of computers that gather and exchange information. ‘Critical Information Infrastructure’ is similarly vague and could cover as many as 14 industries, as long as a company has enough active users. Cloud providers like AWS and Azure could certainly be judged as CII firms, according to Priscilla Moriuchi, director of strategic threat development at Recorded Future.


An impossible choice

The real challenge for foreign firms lies in what the state can now request of them to help in any investigations: data and ‘technical support’. The wording of the law is deliberately vague, as Asia analyst Jack Wagner of risk management firm PGI Intelligence explains:

“Article 9 of the law states that ‘network operators … must obey social norms and commercial ethics, be honest and credible, perform obligations to protect network security, accept supervision from the government and public, and bear social responsibility.’ The vagueness of this provision, as well as undefined concepts of national security and public interest, increase the government’s grounds to make wide assertions about the need for investigation and reduce a foreign company’s ability to contest a government demand for data access. In addition, the spot-checks can be initiated at the request of the government or a trade association, meaning domestic competitors could request spot-checks on foreign firms.”

That’s not all. A new report from threat intelligence firm Recorded Future warns that the Chinese government could even request source code and other IP as part of ‘national security reviews’ into CII firms. This is particularly dangerous given that one of the bodies likely to conduct such reviews – the China Information Technology Evaluation Center (CNITSEC) – sits inside China’s CIA-equivalent, the Ministry of State Security (MSS). The MSS has already been linked by Recorded Future to threat group APT3. The concern here is that Chinese operatives will be able to use any source code or other info handed over as part of an ‘investigation’ in order to probe systems for vulnerabilities.

Although CNITSEC’s Chief Engineer Wang Jun has claimed any reviews will be conducted by professional and ‘independent’ third parties, CNITSEC itself is a registered reviewer and is certainly not independent in the traditional sense.

“This new law presents foreign firms with a grim choice between giving their proprietary technology and intellectual property to the MSS and being excluded from the mainland Chinese market. The risks for both options are significant and are something each company will have to make based on their unique set of circumstances,” Moriuchi told me.

“Since the law is still so new, it is possible that as the sub-regulations are drafted and the reality of administering this law is realised, that the Chinese government may relax some of the more onerous portions of the law. However, that is not guaranteed to occur and foreign firms need to account for the possibility that they may be forced to make the impossible choice between cooperating with the Chinese government and leaving the Chinese market.”

Ironically, IDC has just released a new report which places Azure and AWS alongside local players Alibaba Cloud, Tencent Cloud, Huawei Cloud and Kingsoft Cloud as among the most secure cloud providers in China. Report author, James Wang, tried to downplay the possible impact of the new law on the risks facing foreign tech firms in China.

“First of all, the China business for AWS and Microsoft is relatively small compared to their worldwide revenue, and also by using local partners, it makes them compliant with the local regulations and will allow them to sell their services in certain industries where overseas providers are forbidden to operate in,” he told me. “Secondly, both Microsoft and AWS run a separate instance of their services in China, so the risks for MNCs in China are kept to a minimum.”

However, for Moriuchi, there are precedents which could signal tough times ahead. One involves Yahoo’s co-operation with Beijing in 2007 when it handed over information connected to the imprisonment of a dissident journalist. It was heavily criticised as “irresponsible” by the House Foreign Affairs Committee and even forced to settle a private lawsuit related to the incident.

“Moving forward, we believe that even more companies will be forced to thread the needle between compliance with Chinese regulations and following Western business ethics to avoid similar difficulties in the future,” she argued.

When coupled with the prospect of being forced to hand over sensitive IP and source code, the CSL could yet herald a major tipping point for Western MNCs in China.


«Edge computing 101: A CIO demystification guide


How business drones can be deployed way beyond delivery»
Phil Muncaster

Phil Muncaster has been writing about technology since joining IT Week as a reporter in 2005. After leaving his post as news editor of online site V3 in 2012, Phil spent over two years covering the Asian tech scene from his base in Hong Kong. Now back in London, he always has one eye on what's happening out East.

  • twt

Recommended for You


How a Washington crackdown on Huawei could backfire for everyone

Phil Muncaster reports on China and beyond


5G is over-hyped and expectations need reining in

Dan Swinhoe casts a critical eye on the future


What can we learn from tech initiatives in the Middle East?

Keri Allan looks at the latest trends and technologies

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.


Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.



Should the government regulate Artificial Intelligence?