But look no further than Russia for some idea of how US companies will be affected.
China’s new cybersecurity law has a lot of people scratching their heads, trying to figure out how it affects their businesses — if at all.
The gist of the law seems simple enough. The law will ban the collection and sale of user’s personal information. Companies operating in China will also have to store their customer’s data on servers in the country (which has been delayed until the end of 2018 to figure out some kinks), and customers will have the right to have their data erased. At the same time, individuals will have to register with their real names on messaging apps and social networks.
According to the state-run Xinhua news agency, the new law — approved by the country’s “rubber-stamp” parliament — was introduced in response to the growing threat of cyber-terrorism and hacking, which would replace a large patchwork of different, loosely collected laws.
“Those who violate the provisions and infringe on personal information will face hefty fines,” said the news agency, via Reuters.
But there’s the problem. Nobody seems to know exactly how the law works.
The law is set to go into effect Thursday, but “there’s unfortunately a lot of confusion” about how it work or be enforced, according to Michael Chang, a Nokia executive and vice-president of the European Union Chamber of Commerce in China, speaking to The New York Times.
“We still have a lot of unclarified territory that needs to be addressed as soon as possible,” he said, suggesting Beijing had conveyed “less than half” of the law’s specifics.
Many US and European businesses are already reportedly concerned, according to a letter sent to the Chinese regulator in charge of the law’s enforcement, calling it “fraught with weaknesses.”
That’s because many of the same companies, predominantly data-hungry firms — like software and service providers — are concerned it will prevent Western giants from entering the lucrative Chinese market.
The Chinese regulator denied that was the case, saying the new provisions do “not restrict foreign companies or their technology and products entering the Chinese market,” despite the country’s reduced reliance on Western technologies in the wake of the Edward Snowden disclosures into US mass surveillance. Just as the US has been concerned about Chinese espionage, Beijing has pushed away many US tech giants for fear of US snooping.
But there is some hope. China isn’t the first country to want to rein in its citizens’ data — either for their safety or government surveillance, take your pick.
Russia, last year, introduced a similar law under a similar guise of “preventing terrorism” (read, “increasing surveillance” in a region where speech and expression are already heavily restricted).
Companies operating in the country were told to store Russian citizen data on servers within its borders. Those breaking the rules or refusing to comply would be added to a blacklist.
One such company was LinkedIn, according to several reports, which at the time had six million users in Russia. But many other companies largely acquiesced. Hardware and device makers, like Apple and Lenovo, were among the first to comply — not least because it was easier. And other data-hungry companies, like eBay, Facebook, and Google, took longer to transfer data into the region in order to keep operating — though their current status isn’t known. Some firms, like Spotify, have scrapped plans to enter the country altogether, citing conflict with the rules.
Suffice to say, it’s been a mixed bag of reaction, but on the most part accepted the country’s rules.
While the two sets of cybersecurity laws share similarities, China is a bigger market that most Western companies can’t avoid — even if they have yet to break into the region.
With Russia’s case, even though the rules seemed arbitrary, archaic, and generated legal disquietness, they were at least easy to follow.
Beijing has since tried to defuse complaints and concerns by Western firms over possible disruptions.
But with looming threats of fines and a void where there should be clarity, it’s looking like many multinationals could be in for a bumpy few quarters.