China updates cybersecurity laws and Google contemplates return, as corporations and governments struggle for the cyberspace
“Without cybersecurity, there is no national security,” according to President Xi Jinping. But in China—the world’s largest internet community, with an estimated 772 million users—the line between cybersecurity and national security been increasingly blurred.
At the end of July, public comments closed on the new “Regulation on Cybersecurity Multi-level Protection Scheme,” released by Ministry of Public Security. The aim of this regulation is to classify the importance of certain industries to the nation’s security as defined by the 2016 Cybersecurity Law. Currently, companies are waiting to hear if theirs will be deemed a critical information infrastructure (CII) operator, which will lead to massive regulations.
China’s infamous and all-encompassing Cybersecurity Law has been a source of concern for many since its partial implantation last year in 2017. Some assert that the Cybersecurity Law tackles too many issues and that full compliance may even be impossible—yet lack of compliance (even unwitting) could lead to massive fines, temporary suspension of operation, or even the revocation of a company’s business license.
The Cybersecurity Law has developed a complex set of regulations in terms of data localization and data export for any CII operator within China–both domestic and foreign. (It is widely assumed that CIIs will include the information and communication technology, finance, and healthcare sectors.)
While this may sound technical, “localization” refers to where digital data can be stored on servers. Article 37 of China’s Cybersecurity Law stipulates, “Personal information and important data collected and generated by critical information infrastructure (CII) operators in the PRC must be stored domestically.”
In contrast, “data export” refers to where digital data can be taken, viewed, and used. As of now, the global status quo is that individuals’ data flows freely between countries and continents, particularly as much of it is collected and used by multinational corporations. According to the law, CII operators will need to undergo security assessments by supervisory authorities (which are yet to be determined) in order to get the green light to export Chinese citizens’ personal data outside of China. Foreign critics say that such measures are draconian and will likely have a negative impact on global commerce.
While many foreign firms have balked at the new regulations, most have decided that non-compliance is not worth the risk of losing their China-based business. In 2017, AirBnb, Evernote, and LinkedIn announced that they had already begun storing their data in China. Additionally, Apple has built an entire cloud computing facility in Guizhou province to comply with the data localization requirements, including “the cryptographic keys needed to unlock users’ iCloud accounts.” Some argue that it’s no coincidence that iPhone users have been bombarded with spam via iMessage ever since.
Leaked documents last week show that Google is considering a return to China, apparently with a search engine that fits with China’s strict censorship requirements. Google’s proposed reentry into the Chinese market ought to provoke a discussion about the future of the free and open web.
For years, China has claimed that cyberspace is not “free”: that, instead, the ubiquitous nature of American technology has established international cybersecurity rules and norms that benefit the US. However, Google’s recent fine by the EU for antitrust violations, as well as the EU’s General Data Protection Regulation (GDPR), demonstrate that there are limitations to the US influence over cyberspace.
While China’s Cybersecurity Law is compared to GDPR—both require businesses to inform people if they have their personal data, explain why they have the data, and how the data is collected—few outside China believe the law will protect privacy rights. In fact, as noted by Center for Strategic and International Studies fellow Samm Sacks, the new regulations for storing data on domestic servers may even allow even easier access to citizens’ data by the police.
Yesterday, the state-backed People’s Daily newspaper (briefly) ran an editorial aptly headlined “Google is welcome to return to the mainland, but it must comply to Chinese law.” Google’s re-entry into the market is thus contingent on its compliance to the Cybersecurity Law. If other countries follow China’s example and assert their national sovereignties onto cyberspace, the days of the open web may be numbered.
Cover image from Flickr