China’s controversial cybersecurity law, which requires international firms to store critical data within the country, has come into effect from today amid complaints from foreign businesses. The Cybersecurity Administration, the government body responsible for overseeing it, said a grace period of 19 months would be given for businesses to comply with cross- border data transfer regulations. The period starts on June 1 and continues until the end of the next year, Hong Kong-based South China Morning Post reported. Online service users will now have rights to ask service providers to delete their information if such information is abused.
The Cybersecurity management staff must also protect information obtained, and are banned from leaking or selling the information, including privacy and commercial secrets. Those who violate the provisions and infringe on personal information will face hefty fines. The law, passed by China’s rubber-stamp parliament in November, made it clear that no one can use the Internet to conduct fraud or sell prohibited goods. One of the biggest concerns is the requirement that all critical data and the data from “critical information infrastructure” be saved on the mainland. Such information also has to be examined and assessed before being transferred out of the country.
However, a state-run Xinhua news agency report quoted an Internet regulator as saying that the law will come into effect from today and it is not aimed at limiting foreign companies’ access to the Chinese market. The law is designed to safeguard China’s cyberspace sovereignty, national security, public interest, as well as the rights and interests of citizens, legal persons and other organisations, the statement of the Cyberspace Administration of China (CAC) said. “It does not restrict foreign companies or their technology and products from entering into the Chinese market, nor does it limit the orderly, free flow of data,” the statement said.
“China is entitled to make laws and rules to regulate its cyberspace sovereignty following international practice,” it said. However, foreign companies and governments complained the law set unfair barriers, ran counter to World Trade Organisation (WTO) rules, and lacked compliance details. Foreign firms grapple with China’s “punitive” cybersecurity laws Michael Chang, vice-president of the EU Chamber of Commerce in China, said some key areas of the law would have a huge impact on the way business was done on the mainland.
“There are [still] uncertainties and unclarified terms,” Chang was quoted by the Post as saying. A draft of the supporting regulations was released for public comment in April, while another draft measure on the definition of “critical information infrastructure” was released on Saturday. It is also unclear how such infrastructure will be protected.
The Cyberspace Administration met international stakeholders on May 19 and discussed the cross-border data movement regulations, offering the grace period, the Post report said. Chen Jihong, a partner at the Beijing-based Zhonglun Law Firm, said the decision to have a grace period might have been prompted by the absence of supporting regulations and the need for internal communication within relevant ministries and government departments; and the companies’ demands for more time to make the necessary changes.
Chen said the supporting regulations, including the cross border data transfer rules, would probably be finalised later this year because Beijing was determined to enforce the law. The Cyberspace Administration said the cross-border data flow measures were not meant to disrupt email, e-commerce or other commercial activity. It also said the requirement that operators must stop transmitting “illegal information” would not jeopardise privacy or freedom of speech.