U.S. Companies Hope China’s New Cybersecurity Law Can Be Stopped

The tech community says new Chinese rules on cybersecurity and privacy will unfairly tilt the playing field and could prevent operations in China altogether. And some are calling on the White House to push back.

FILE - In this Aug. 16, 2016 file photo, a worker is silhouetted against a computer display showing a live visualization of the online phishing and fraudulent phone calls across China during the 4th China Internet Security Conference in Beijing. China's legislature has approved a cybersecurity law on Monday, Nov. 7, 2016 that human rights activists warn will tighten political controls and foreign companies say might isolate Chinese industries. (AP Photo/Ng Han Guan, File)
AP Photo/Ng Han Guan, File
May 31, 2017, 8 p.m.

A sweeping new Chinese cybersecurity law set to take effect Thursday has U.S. companies operating in the world’s largest market crying foul—and looking to the Trump administration for a forceful response.

The law, passed last year by China’s largely symbolic parliament, is ostensibly meant to protect the privacy of Chinese citizens and increase personal and corporate cybersecurity in China. But American firms say that’s a thinly disguised rationale for policies designed to hamstring foreign companies in favor of their Chinese counterparts.

“Arguments like that are really just proxies for protectionist claims,” said Bijan Madhani, senior policy counsel at the Computer and Communications Industry Association, one of more than 50 high-profile American, European, and Asian trade associations which this month publicly called on the Chinese government to delay the law’s implementation.

The new rules are frustratingly vague, with U.S. companies uncertain over what the most onerous provisions entail even as firms become obligated to comply with them. The law would localize almost all data collected within or related to China through restrictions on cross-border data flows, erect barriers against foreign companies operating in sectors that the government deems “critical,” and require that corporations comply with requests by Chinese law enforcement to access encrypted data.

U.S. tech companies and others say those provisions, if enforced with any degree of rigor, would largely cripple their ability to operate and service clients inside China. But there’s so far been little guidance on how the rules will play out in practice.

Of particular concern is a cryptic requirement that foreign companies operating in China submit themselves to “national security reviews” to ensure that their systems and networks are “secure and controllable.” Aaron Cooper, the vice president of global policy at The Software Alliance, worries that the Chinese government could use such a mandate to detect and steal valuable proprietary information and intellectual property from foreign technology firms.

“There’s a lack of clarity on what it’s going to apply to and how it’s going to apply, and whether there are trade secrets and source codes that our companies keep, whether they will be at risk as a result,” Cooper told National Journal.

That uncertainty means foreign companies will likely learn on the fly whether their cybersecurity practices pass muster under the new rules, which can be interpreted as tightly or loosely as Chinese authorities desire.

“I think there might be a couple of companies that get made examples of,” said Madhani. “There will be one or two companies picked, and a lot of the real meat of that subsequent negotiation will happen between those companies and the government.”

But the law’s unclear final structure also provides an opportunity for the Trump administration to bring pressure to bear on the Chinese. Several U.S. industry representatives mentioned to National Journal the prospect of trade reciprocity, whereby Chinese tech and cloud-computing firms operating in the United States are punished for their home country’s burdensome regulations on foreign firms.

Claude Barfield, an expert on cybersecurity and Chinese trade policy at the conservative American Enterprise Institute, told National Journal that the threat of reciprocity could alone convince the Chinese to water down the new rules.

“I think at this point the best thing to do would be to warn the Chinese privately—and they could even do it publicly—that if this is implemented in a way that discriminates against foreign corporations the United States, is not going to sit by. It will act,” Barfield said.

Such action could include closing U.S. capital markets to Chinese tech companies such as Alibaba and Tencent—retaliation that Barfield says the Trump administration could take while remaining in line with World Trade Organization rules. “[The administration] should make clear that their future will not be happy here if we are discriminated against over there,” Barfield said.

Ari Giovenco, the director of trade and international policy at the D.C.-based Internet Association, told National Journal that the outcome of the ongoing dialogue between the Trump administration and China must include assurances that China will revise its cybersecurity law. “The internet industry urges U.S. negotiators to prioritize achieving China’s commitment to provide national treatment and full market access for American cloud companies as part of the 100-day plan,” Giovenco said in a statement.

But some are skeptical that the White House will ride to the rescue. “If you want help from China on a whole bunch of other geopolitical issues, is it the right decision to make this a priority for your administration?” Madhani said, pointing out the Trump White House’s efforts to cooperate with China on currency manipulation and North Korea. “We can’t really force their hand, because there are always wider geopolitical issues that naturally supersede.”

A White House spokeswoman did not respond to a request for comment.

There are limited signs that the Chinese government is starting to take the complaints of foreign firms seriously. On Wednesday, the Associated Press reported that China would delay the implementation of some restrictions on cross-border data flows until the end of 2018. Still, many remain skeptical that a better deal on data can be struck in the coming months.

“It’s great that there’s a delay, but the underlying framework and approach of the data regulation remains the same—to mandate data localization and restrict data transfer unless you have an approval to do otherwise,” one executive at a major U.S. trade association based in Washington told National Journal. “Whether that goes into effect tomorrow or goes into effect a year from now doesn’t change the approach that China’s taking.”

Even if China does decide to enforce its new cybersecurity law with a relatively light touch, Madhani argues that the rules will continue to hang over small and medium-sized companies like a “sword of Damocles.”

“That might be something that larger companies can stomach—they’ll begin preparing for localization mandates to actually take effect,” said Madhani. “That’s not going to be the case for smaller and medium-sized businesses that are interested in moving into the Chinese market. They can’t stomach that kind of regulatory risk.”

What We're Following See More »
Mueller Agrees to Testify, but Only in Private
2 days ago
Trump Loses in Court Again
4 days ago
Trump Pulls the Plug on Infrastructure
4 days ago
Parties Go to Court Today Over Trump Banking Records
4 days ago
Tillerson Talking to House Foreign Affairs
5 days ago

"Former Secretary of State Rex Tillerson was spotted entering a congressional office building on Tuesday morning for what a committee aide told The Daily Beast was a meeting with the leaders of the House Foreign Affairs committee and relevant staff about his time working in the Trump administration. ... Tillerson’s arrival at the Capitol was handled with extreme secrecy. No media advisories or press releases were sent out announcing his appearance. And he took a little noticed route into the building in order to avoid being seen by members of the media."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.