Chinese cyber-security laws raise espionage and censorship fears
The Chinese Government has passed a new law that imposes further restrictions on the internet freedoms of its online population. While foreign businesses say this shuts them out, the Chinese government has insisted the law is purely to arm the country with stronger cyber-security protections.
Is this good or bad for foreign businesses?
The Chinese Government has passed a new law that imposes further restrictions on the internet freedoms of the country's online population, upward of 650 million people.
The law has been hotly contested, and foreign businesses say it threatens to shut them out of one of the world's biggest markets. Many groups have likewise been trying to convince the Chinese government to change the cyber-security law since it was first conceived in 2014.
China's internet censorship gained notoriety when it was dubbed the Great Firewall outside the country. The restrictions proposed by this law go beyond what has previously been banned, according to freedom of speech advocates. In August, a global coalition of more than 40 industry groups expressed their fears in a letter to the country's Premier Li Keqiang.
Sophie Richardson, China director at Human Rights Watch, said in a statement: “The already heavily-censored internet in China needs more freedom, not less.”
“If online speech and privacy are a bellwether of Beijing's attitude toward peaceful criticism, everyone – including netizens in China and major international corporations – is now at risk,” said Richardson. “This law's passage means there are no protections for users against serious charges.”
The third and final reading draft of the law has remained largely unchanged from the initial draft. The final version, which was adopted on Monday 7 November, left what are seen as the most controversial sections intact:
A range of companies will be expected to censor “prohibited” information and restrict online anonymity, including by requiring users to provide their real name and personal information.
“Critical information infrastructure operators” will be forced to store users' “personal information and other important business data” in China. The final draft narrows the scope to only data that is related to a firm's China operations, but the term “important business data” is undefined, and companies must still submit to a security assessment if they want to transfer data outside the country.
Companies will be required to monitor and report to the government “network security incidents”, which are largely undefined, as well as to provide undefined “technical support” to security agencies to aid in investigations, raising fears of increased surveillance.
The final draft of the law further specifies that network operators must retain network logs for at least six months and accept government supervision. It also provides a legal basis for potentially large-scale network shutdowns to respond to “major [public] security incidents.”
The new law will come into effect next June, when further sections could be added to ban foreign technology as China develops its own systems, products and algorithms.
Jim Zimmerman, chairman of the American Chamber of Commerce in China, said in a statement that the law was “a step backwards for innovation” because it placed restrictions on cross-border data flows and seemed “to emphasise protectionism rather than security”.
Zimmerman asserted that the broad restrictions “provide no security benefits but will create barriers to Chinese as well as foreign companies operating in industries where data needs to be shared internationally.”
Zhao Zeliang, deputy director of the Cyber-space Administration of China, said that “we are not setting a trade barrier to foreign internet products, neither are we limiting technologies and products from coming into China.”
Zeliang added: “The goal of the cyber-security law is to protect internet safety, national security and protect interests of the public,” as the Chinese government is focused on preventing service providers from illegally obtaining user information or controlling user devices.