Business groups confront Chinese premier over cyber laws

Letter from 46 organisations attacks ‘trade-inhibiting’ data laws, but Beijing says concerns are unnecessary

Cybersecurity measures in pieces of flagship legislation planned for China could damage market entry by overseas firms – and make it harder for companies already there to do business in an efficient way.

That is the message of a letter sent to Chinese premier Li Keqiang by a coalition of 46 business groups from around the world, including Business Europe, the UK’s National Association of Manufacturers and several national chambers of commerce.

According to the signatories, China’s draft Cybersecurity Law – together with changes to key insurance regulations – would place businesses and financial institutions under unacceptable stress, by requiring that personal data collected from Chinese customers should be stored only within China.

The letter warns that, as many multinationals tend to store customer details in regional hubs outside China, the new laws would force firms already doing business there to significantly rework their logistics, and would act as barriers to companies that have been planning to enter the market.

Three main aspects of the Cybersecurity Law and the insurance-sector amendments are highlighted as undesirable for the business community:

1. broad data-residency requirements, which “have no additional security benefits, but would impede economic growth, and create barriers to entry” for both foreign and Chinese companies;
2. trade-inhibiting security reviews and requirements for products and services in the ICT field, which “may weaken security and constitute technical barriers to trade, as defined by the World Trade Organization”; and
3. requirements for data retention and sharing, plus law-enforcement assistance, which “would weaken technical security measures and expose systems and citizens’ personal information to malicious actors”.

With those points in mind, the groups write, “we urge both the [Cybersecurity] Law and the [insurance] Provisions be revised to encourage international policy models that will support China’s development as a global hub for technology and services.”

Such revisions, they argue, would guarantee a legacy of an “innovative, invigorated, interconnected and inclusive” world economy from China’s current presidency of the G20 nations.

Sweeping cybersecurity laws introduced in other world regions in recent months have already attracted their own share of criticism. Last December, President Obama signed into law the US Cybersecurity Information Sharing Act 2015, which urged companies and arms of the federal government to exchange data about potential cyberthreats. However, the Act was scorned by civil liberties groups.

Meanwhile, the EU’s Network and Information Security Directive, passed in July, has been criticised for not having enough provisions to safeguard data privacy.

In a response to the 46 groups, faxed to the Reuters news agency, China’s Foreign Ministry said that the law would not lead to “differential treatment” between native and overseas firms. Neither would it “create obstacles and barriers for international trade and foreign businesses investing in China”.

Indeed, it noted, companies would be permitted to transfer business data outside China upon passing a security-evaluation procedure. “These evaluations,” said the ministry, “are for supervising and guaranteeing that the security of this data accords with China’s security standards.”

The ministry added: “As for the legal requirement for internet operators to provide relevant data in the course of enforcement agencies’ counterterrorism and criminal investigations, this is necessary for safeguarding national security and investigating crimes.

“All countries do this. The concerns of foreign investors and businesses invested in China are unnecessary.”