China’s cybersecurity law is biased and open to abuse, but it may not stop others copying it
Daniel Wagner says critics are right to say the law gives Chinese companies an unfair edge and raises important privacy concerns. The fear is that other countries are more likely to adopt this model than the EU’s more cumbersome one favouring rights protection
China’s law applies to almost all businesses that manage their own email or other data networks, and covers “critical sectors” of the Chinese economy, including communications, information services, energy, transport, water, financial services, public services and electronic government services. Any company that is a supplier to, or partner of, firms in these sectors may also be subject to the law.
These tests and certifications require network operators to formulate internal security management systems and implement network security protections, adopt measures to prevent viruses or unspecified forms of cyberattacks, monitor and record the safety of a network, and undertake data classification, backups of important data and encryption.
On the one hand, these security measures form part of what might be considered “best practice” recommendations for firms that gather and store important company and client data. On the other hand, the law requires network operators in critical sectors to store within China all data that is gathered or produced in the country.