China ushered in a tough new cyber security law on Thursday, following years of fierce debate around the controversial legislation that many foreign business groups fear will hit their ability to operate in the country.
The law, passed by China’s rubber-stamp parliament in November, requires local and overseas firms to submit to security checks and store user data within the country.
China’s top cyber authority said on Wednesday it was not targeting foreign firms with the new law, after over 50 overseas companies and business groups lobbied against the legislation that includes stringent data storage and surveillance requirements.
“The purpose is to safeguard (China’s) national cyberspace sovereignty and national security… rather than to restrict foreign enterprises,” the Cyberspace Administration of China (CAC) said in a statement on its website.
The law has sparked fierce push-back by firms and lobby groups who say vague wording of the regulations leaves foreign firms vulnerable to abstract interpretations of the rules.
Earlier this month Reuters reported the CAC met foreign business groups in a closed-door meeting to try to allay these fears, including an 18-month phase-in period for aspects of the regulations, according to attendees.
According to a revised draft of the rules, seen by Reuters, a phase-in period until the end of 2018 would relate to measures affecting cross-border data transfers, which has been one of the most contentious elements of the new law.
The CAC notice on Wednesday made no mention of a phase-in period. It added the law is not designed to hinder international trade or the flow of data across the Chinese border.
Questions Remain
Firms and lobby groups say the late changes to the law, while positive, leave most of the original legislation intact and remain broad. The law’s impact will therefore depend on how Beijing enforces it.
“Much will depend on how the measures are implemented,” the U.S.-China Business Council said in a note to members last month after the CAC meeting.
On top of internationally common standards, such as requiring user consent before moving data beyond country borders, China’s new cyber law also mandates companies store all data within China and pass security reviews.
This fits China’s ethos of “cyber sovereignty” – the idea that states should be permitted to govern and monitor their own cyberspace, controlling incoming and outgoing data flows.
China maintains a strict censorship regime, banning access to foreign news outlets, search engines and social media including Google and Facebook.