China’s cybersecurity law is biased and open to abuse, but it may not stop others copying it

Daniel Wagner says critics are right to say the law gives Chinese companies an unfair edge and raises important privacy concerns. The fear is that other countries are more likely to adopt this model than the EU’s more cumbersome one favouring rights protection

Reading Time:4 minutes

Critics worry that China’s cybersecurity law could be a Trojan horse designed to boost China’s policy promoting indigenous innovation, while other foreign technology firms worry that they will eventually be forced to divulge intellectual property to government inspectors. Photo: Shutterstock

Published: 10:00pm, 25 Jun 2018Updated: 12:51am, 26 Jun 2018

As a stark contrast to Europe’s recently implemented General Data Protection Regulation law, which seeks to protect individual rights and rein in the actions of large corporations on the internet, China’s cybersecurity law, implemented a year ago, gives an alternative vision about how nations may choose to apply cybersecurity laws in the future.

China’s law is applicable to almost all businesses that manage their own email or other data networks, and includes “critical sectors” of the Chinese economy, including communications, information services, energy, transport, water, financial services, public services and electronic government services. Any company that is a supplier or partner with firms in these sectors may also be subject to the law.

The law requires network operators to cooperate with Chinese crime or security investigators and allow full access to data upon request. It also imposes mandatory testing and certification of computer equipment for network operators in critical sectors.

These tests and certifications require network operators to formulate internal security management systems and implement network security protections, adopt measures to prevent viruses or unspecified forms of cyberattacks, monitor and record the safety of a network, and undertake data classification, backups of important data and encryption.

On the one hand, these security measures form part of what might be considered “best practice” recommendations for firms that gather and store important company and client data. On the other hand, the law requires network operators in critical sectors to store within China all data that is gathered or produced in the country.