The Internet Security Law of the People’s Republic of China puts proprietary information of companies that conduct business in China, or that hire Chinese citizens, at risk – or at least that is what is being reported by international media and U.S. Government agencies. On the face of it this new law is clearly designed to help China implement cybersecurity best practices, albeit in a heavy-handed way. However, if you squint your eyes a little and tilt your head just right, you may see that several of the articles in this new legislation could easily be interpreted so as to provide the Chinese government unfettered access to proprietary information stored within the country or under the control of its citizens.
The Recorded Future Blog reports: “On June 1, 2017, after years of domestic and international debate, China’s national cybersecurity law finally went into effect. Much of the law focused on the protection of Chinese users’ data, while assessments of the law emphasized the potential negative impacts to foreign companies and technologies and the difficulties in complying with the onerous, vague, and broad new legal requirements.”
So here’s one point of concern: Article 35 of this new law says “Where an operator of a key information infrastructure purchases a network of products and services that may affect the security of the State, it shall adopt a national security review organized by the State Network Department in conjunction with the relevant departments of the State Council.” Essentially this gives the Chinese government the authority to poke around in private networks looking for information that they think may affect the security of the State. If you are a U.S. company with proprietary information that resides on a Chinese network, you can say goodbye to the protection of that data, or so the fear goes. The law apparently requires that a security examination be conducted by Chinese government officials before companies can transfer large amounts of private data abroad, and reviewing officials can optionally demand that encrypted data be decrypted as part of a mandatory security exam. Of even greater concern is the potential that the law will be interpreted to require Chinese nationals, even if they have no affiliation with the Chinese government, to cooperate with China’s security services. This would mean that Chinese citizens and businesses, including those in the United States, could be required to provide data, information, and technological support that relate to national security; the relevance of information to national security is entirely up to the discretion of China’s intelligence and security services.
The FBI reports that “China’s first cybersecurity law potentially sets the conditions for the theft of intellectual property belonging to foreign-based companies doing business in China.” It is feared that China’s cybersecurity law provides government regulators broad authorities that could give Chinese security services access to source code and other types of sensitive or proprietary information.
While it is still unclear how some of the articles in this new law will be interpreted and enforced, prudence would dictate that any company doing business in China, or that employs Chinese nationals in sensitive corporate or security-related positions, seek legal counsel regarding the protection of its data.