The most disturbing thing for foreign businesses facing China’s new cybersecurity law may just be how vague and broad it is.
Under the new law, adopted on Monday and taking effect next June, it’s possible that any major company working in the country might be subject to “security reviews” from the Chinese government.
Any company involved in telecommunications, information services, finance or any sector “where the loss of data can harm the country’s security” is subject to a possible review. But what these security reviews actually entail isn’t clear in the law.
That vagueness has foreign companies worried. Many have opposed the legislation on the grounds that it would limit their ability to do business in the country.
“We believe this is a step backwards for innovation in China that won’t do much to improve security,” said James Zimmerman, chairman of the American Chamber of Commerce in China, in a statement on Monday.
Fears of Chinese protectionism are nothing new. The country historically has tried to support domestic businesses over foreign ones. But China has been taking a stronger stance on cybersecurity since the 2013 revelations by noted leaked Edward Snowden about secret U.S. surveillance programs.
One of those programs allegedly spied on the Chinese government and companies including networking equipment provider Huawei Technologies.
On Monday, Chinese state media touted the new law as necessary to protect the country’s critical infrastructure and its citizens’ personal data. “Without internet security, there is no security for the nation,” said the Xinhua News Agency.
However, the new law has drawn complaints from more than 40 foreign business associations. A key concern is with the Chinese government-mandated security reviews and whether foreign tech companies will need to hand over sensitive intellectual property, such as a product’s source code.
“The law doesn’t say you must reveal the source code,” said an industry source at one lobbying group. “However, we are concerned that this could end up being the result.”
Although the law is meant to promote cybersecurity, it’s also designed to favor Chinese businesses, he said.
“We think there will be less of a level playing field for foreign companies — that’s the fear,” the industry source said. “I would say the level of concern is quite high.”
China has already shown interest in gaining access to source code from foreign companies. Earlier this year, a lawyer for Apple said the government had asked for such access but the company refused.
China also recently considered regulations for banking providers that would have required they hand over source code and encryption keys. However, it later halted implemention of the rules.
The law announced Monday may be vague, but that’s usually the case with Chinese regulations, said Adam Segal, an expert on China with the Council on Foreign Relations. “Ministries and provinces in the country will interpret the laws differently, until they’re called out by the central government,” he said.
Segal doesn’t expect any foreign businesses to leave China because of the new law. But any demand to see a company’s source code or encryption keys would force that company to make a hard choice.
“A lot of firms are really starting to draw a line and would be unwilling to share that,” he said. “But if other companies do, and there are defections, then that will make the pressure to share more intense.”