Why China’s New Cybersecurity Law is a Threat to International Businesses and Innovation
Georges Haour, Professor of Technology and Innovation Management at IMD business school: China has the world’s largest market for digital shopping, mobile payments, and Internet-enabled financial services. Close to 400 million people in China do most of their payments using their smartphones. China’s overall business in information technology is a market of well above $300…
Georges Haour, Professor of Technology and Innovation Management at IMD business school:
China has the world’s largest market for digital shopping, mobile payments, and Internet-enabled financial services. Close to 400 million people in China do most of their payments using their smartphones. China’s overall business in information technology is a market of well above $300 billion, and it is estimated that more than 700 million Chinese have access to Internet. So any law impacting the online space—cybersecurity included—will make ripples in the way China does business.
That’s why its new cybersecurity law—due to take effect in June of next year—is particularly alarming. It is part of an ongoing government program to reinforce China’s cybersecurity, and arguably targets non-Chinese hackers. But it comes amidst continuous tensions between the US and China, not just in terms of cybersecurity (each country has accused the other of hacking), but with trade, the economy, and, of course, the US election, which will inevitably change how business is done between the two nations. The law appears to be counterproductive in several ways.
First, as the law sets forward, important network equipment and software will have to receive government certifications. This means that specific pieces of intellectual property or technical features will have to be divulged, which could easily be passed on to Chinese companies by the regulators behind cybersecurity. It shouldn’t be forgotten that the state in China has tremendous power and plays a critical role in economic plans. Government interference is much more prevalent than in Western nations. And under the veil of cybersecurity, regulators will have access to proprietary information that could benefit Chinese firms at the expense of foreign business.
The type of businesses most at risk will be those with special hardware and systems for network management. But it could even include data from and for ATMs. New generation ATMs have a much higher level of connectivity with mobile integration and face recognition. This makes them more vulnerable to hacking and means confidential devices and information will have to be used for protection. And under this law, that creates a big entry place for government snooping.
This law is also counterproductive because companies gathering data in so-called “critical areas” will have to store that data inside China. At this stage, the definition of “critical” is worryingly broad. Complying with this requirement will force international firms to make expensive investments to build duplicate facilities within China. This is in total contradiction with the free flow of data, expected to swell in 2020 after the introduction of 5G.
International companies will have to weigh this risk against the opportunity to do business in China. China has had a long reputation for ‘copying’ without getting insider access, and this law could only open the ease to which China’s business sector can review competition. For international companies there is no easy way forward as the choice is black or white. Either foreign companies will comply, knowing China has a way to peek into what previously was private, or they will chose to stand by principles of privacy at the risk of being excluded from the Chinese market. Despite the challenging dilemma, companies are likely to comply and give in to China’s demands. The market is too huge and far too ripe for future growth, especially when compared to more stagnant outlooks in Europe and the US.
In addition to creating barriers for international business in China, this kind of legislative move goes completely against innovation. It could well be considered to be part of what is called “indigenous innovation” in China. This consists in favoring Chinese firms by establishing non-tariff barriers, such as specific standards or regulations on products, in order to prevent non-Chinese firms the access to China’s large and dynamic market. And the impact would be wide-ranging, from consumer electronics to products such as equipment to produce renewable energy, including windmills and solar panels.
Innovation involves a complex process, but it requires a society to be as open as possible and to allow vibrant exchanges between people. While cybersecurity is important, this law will wrap around the free market as it grips security. Within China, entrepreneurs are, by and large, not bothered by their government’s management of the Internet, called the “great firewall”. However, this new law is a new step to tighten the government’s grip on the Internet. Furthermore, far from favoring China’s champions in this very dynamic area, such as Huawei, Lenovo, or Tencent, this law will handicap them in the long term. Maybe the hope is that these companies themselves will fight to alter the law and mitigate the negative implications for China’s Internet landscape.
US companies have already began to strongly lobby against the law, as well as China’s position that the Internet must be managed by authorities. But despite the efforts of any company, Chinese or other, the cybersecurity law is just a piece in a larger ongoing political puzzle that companies will have to deal with. Trump’s stance on trade and is equally, if not more, alarming for business. In the end, agility will be key for companies to succeed in the tense political environment.
Bing Maisog, Partner at law firm Hunton & Williams in China:
China’s new cybersecurity law appears extreme in comparison to legislation we normally see in the US because the problem of cybersecurity is approached from an entirely different angle. Cybersecurity in the US is of the people, by the people, and for the people. In contrast, the drafters of the Chinese cybersecurity law see it as a state-led and state-directed effort in which the government and its regulatory staff know best.
There is more than one particular aspect of this law that make it controversial, but the one that would concern me most is the data localization provision. This means that operators of certain key information have to undergo a security review before transmitting data overseas. It is not clear what will be examined during this review, or what will have to be revealed or proven. That uncertainty is the engine that generates much controversy.
Another controversial provision is the law’s requirement that network operators must provide technical support and assistance to public or national security agencies when they conduct investigations of crimes. This raises the similarly unsettling question of what exactly these enterprises will have to do, or reveal, in the course of supporting or assisting such investigations, and suggests agencies and bodies, rather than elements of civil society, will have the leading role in conducting investigations.
One main long-term cost is that multinational businesses may have to restructure their businesses in China. But ultimately the greatest overall cost may be borne by China itself. By making it more risky to do business there, China may wind up discouraging further investment in it.
(Source: Hunton & Williams)