A sweeping new Chinese cybersecurity law set to take effect Thursday has U.S. companies operating in the world’s largest market crying foul—and looking to the Trump administration for a forceful response.
The law, passed last year by China’s largely symbolic parliament, is ostensibly meant to protect the privacy of Chinese citizens and increase personal and corporate cybersecurity in China. But American firms say that’s a thinly disguised rationale for policies designed to hamstring foreign companies in favor of their Chinese counterparts.
“Arguments like that are really just proxies for protectionist claims,” said Bijan Madhani, senior policy counsel at the Computer and Communications Industry Association, one of more than 50 high-profile American, European, and Asian trade associations which this month publicly called on the Chinese government to delay the law’s implementation.
The new rules are frustratingly vague, with U.S. companies uncertain over what the most onerous provisions entail even as firms become obligated to comply with them. The law would localize almost all data collected within or related to China through restrictions on cross-border data flows, erect barriers against foreign companies operating in sectors that the government deems “critical,” and require that corporations comply with requests by Chinese law enforcement to access encrypted data.
U.S. tech companies and others say those provisions, if enforced with any degree of rigor, would largely cripple their ability to operate and service clients inside China. But there’s so far been little guidance on how the rules will play out in practice.
Of particular concern is a cryptic requirement that foreign companies operating in China submit themselves to “national security reviews” to ensure that their systems and networks are “secure and controllable.” Aaron Cooper, the vice president of global policy at The Software Alliance, worries that the Chinese government could use such a mandate to detect and steal valuable proprietary information and intellectual property from foreign technology firms.
“There’s a lack of clarity on what it’s going to apply to and how it’s going to apply, and whether there are trade secrets and source codes that our companies keep, whether they will be at risk as a result,” Cooper told National Journal.
That uncertainty means foreign companies will likely learn on the fly whether their cybersecurity practices pass muster under the new rules, which can be interpreted as tightly or loosely as Chinese authorities desire.
“I think there might be a couple of companies that get made examples of,” said Madhani. “There will be one or two companies picked, and a lot of the real meat of that subsequent negotiation will happen between those companies and the government.”
But the law’s unclear final structure also provides an opportunity for the Trump administration to bring pressure to bear on the Chinese. Several U.S. industry representatives mentioned to National Journal the prospect of trade reciprocity, whereby Chinese tech and cloud-computing firms operating in the United States are punished for their home country’s burdensome regulations on foreign firms.
Claude Barfield, an expert on cybersecurity and Chinese trade policy at the conservative American Enterprise Institute, told National Journal that the threat of reciprocity could alone convince the Chinese to water down the new rules.
“I think at this point the best thing to do would be to warn the Chinese privately—and they could even do it publicly—that if this is implemented in a way that discriminates against foreign corporations the United States, is not going to sit by. It will act,” Barfield said.
Such action could include closing U.S. capital markets to Chinese tech companies such as Alibaba and Tencent—retaliation that Barfield says the Trump administration could take while remaining in line with World Trade Organization rules. “[The administration] should make clear that their future will not be happy here if we are discriminated against over there,” Barfield said.
Ari Giovenco, the director of trade and international policy at the D.C.-based Internet Association, told National Journal that the outcome of the ongoing dialogue between the Trump administration and China must include assurances that China will revise its cybersecurity law. “The internet industry urges U.S. negotiators to prioritize achieving China’s commitment to provide national treatment and full market access for American cloud companies as part of the 100-day plan,” Giovenco said in a statement.
But some are skeptical that the White House will ride to the rescue. “If you want help from China on a whole bunch of other geopolitical issues, is it the right decision to make this a priority for your administration?” Madhani said, pointing out the Trump White House’s efforts to cooperate with China on currency manipulation and North Korea. “We can’t really force their hand, because there are always wider geopolitical issues that naturally supersede.”
A White House spokeswoman did not respond to a request for comment.
There are limited signs that the Chinese government is starting to take the complaints of foreign firms seriously. On Wednesday, the Associated Press reported that China would delay the implementation of some restrictions on cross-border data flows until the end of 2018. Still, many remain skeptical that a better deal on data can be struck in the coming months.
“It’s great that there’s a delay, but the underlying framework and approach of the data regulation remains the same—to mandate data localization and restrict data transfer unless you have an approval to do otherwise,” one executive at a major U.S. trade association based in Washington told National Journal. “Whether that goes into effect tomorrow or goes into effect a year from now doesn’t change the approach that China’s taking.”
Even if China does decide to enforce its new cybersecurity law with a relatively light touch, Madhani argues that the rules will continue to hang over small and medium-sized companies like a “sword of Damocles.”
“That might be something that larger companies can stomach—they’ll begin preparing for localization mandates to actually take effect,” said Madhani. “That’s not going to be the case for smaller and medium-sized businesses that are interested in moving into the Chinese market. They can’t stomach that kind of regulatory risk.”