The Chinese government signed a new law pertaining to data privacy regulations, and it carries heavy penalties for violations. The name of this new set of regulations is the “Cybersecurity Law,” which is a follow-up to the 2016 “Personal Data Protection Law.” This law applies to more than private citizens, however; it also deals with organizations and businesses. News outlets are reporting that failing to comply with these new regulations incurs a fine of 1 million yuan, which is roughly $150,000 USD.
The cyber security law puts into law many of the suggestions that were previously only published as part of frameworks and guidelines, which had no legal strength. Now, these security requirements are legal requirements for businesses to operate in China, and they concern the transmission of certain types of data. The personal data of People’s Republic of China (PRC) citizens cannot be sent outside of the PRC, or can be sent only under heavy restrictions. Data pertaining to national security is also affected by this law, but the PRC has yet to set forth any guidance as to what it considers “sensitive” personal or security data.
Any such “sensitive” data is required to be stored on domestic servers located within the PRC. This requirement has become an issue for foreign companies because of the increased possibility of data breaches. The PRC has had notoriously lax security in place on their domestic servers, and companies are worried about their proprietary information being stolen. Accessing or sending that data outside of the PRC necessitates a security review by a PRC official before the data can be released. The loss of efficiency from adding this additional step could cost foreign companies billions of dollars and lower their ability to compete with China-based companies.
Foreign companies are worried about their data being stolen by PRC officials, who would have unrestricted access to anything stored domestically. The PRC sees this as a way to increase their relative cyber security. With all sensitive data required to be stored domestically, and requiring a special review to be used internationally, they feel this will increase their safety. What foreign companies worry about the PRC doing to their data is exactly what the PRC is worried other governments are doing. This law would also bolster the Chinese tech support industry, as massive quantities of servers would be necessary to shift the necessary data within China’s borders.
Not only would there be an economic boon for server companies, but the law would also create jobs for maintenance technicians and other secondary personnel. It also tilts the playing field more in the direction of homegrown, China-based companies, who will have the distinct advantage of not having to pay for data transmission costs. Not only will their costs be lower, their response time would be quicker as well, due to the aforementioned security screening.
This new law would also require anyone wishing to use a messaging app to register using their real personal information. This is to crack down on anonymous messaging services such as WhatsApp, which can be used to talk to others securely. This would allow the Chinese government to monitor the communications of those using the app, and accurately match them to a real citizen.
Max is a Legal Assistant and author residing in the Philadelphia area. He has been writing for AskCyberSecurity.com since early 2017.