China’s Blurry Cyber Laws Give U.S. Tech Companies No Security
Trade-group survey shows widespread worries about lack of detail on new cyber rules six months since they came into force
Chinese magazines featuring China's President Xi Jinping on the cover are seen at the World Internet Conference in Wuzhen, China, Dec. 3. PHOTO: REUTERS
Six months after it went into force, China’s tough new cybersecurity law is still troubling U.S. technology executives who fear that it will put the intellectual property of their companies and the data they collect in jeopardy.
The cybersecurity law was the focus of a two-hour, closed-door session on the sidelines of this week’s state-sponsored World Internet Conference in Wuzhen, according to people familiar with the situation.
The high-level session coincided with a new survey by the U.S.-China Business Council that highlighted widespread worries about the law. The trade group said 82% of respondents “are concerned about the impact of China’s cyber and data regulations.”
Cyber Worries
China's cyber and data regulations are a pressing concern for most U.S. companies.
Source: U.S.-ChinaChina Business Council 2017 survey of about 100 member companies
At the session in Wuzhen on Tuesday, about 60 representatives of foreign technology companies, business trade groups and others met Zhao Zeliang, who heads the Cyberspace Administration of China’s cybersecurity bureau, the people said.
Several participants expressed frustration that, while the law went into effect June 1, the Chinese government is still drafting specific implementation rules. Those rules will determine which companies and industries must comply with provisions on matters such as the storing of data in China and security reviews of network equipment.
At the end of the session, the people said Mr. Zhao promised that his agency would be more transparent in drafting the implementation rules, and that the cybersecurity law was intended to ensure the privacy and security of data—not a means to steal foreign intellectual property.
He also said the government would work to narrow the definition of businesses considered to have “critical information infrastructure” that are subject to the most intensive security measures under the new law.
Uncertainty about who must comply with the law is one of the biggest complaints by foreign tech companies, said Paul Triolo of political-risk consultancy Eurasia Group.
“And the question is, how long can that go on before it becomes a real problem?” Mr. Triolo said.
China says ‘critical information infrastructure’ companies include those with computer-network operations in telecommunications, energy, transportation, information services and finance. Foreign business groups say the definition is vague and too broad.
Confusion about the cyberspace law has triggered higher operating costs for American firms doing business in China, said Jake Parker, vice president for the U.S.-China Business Council. Many companies have had to undergo expensive internal audits to comply with current draft rules and change their global procurement policies, Mr. Parker said.
Despite those uncertainties, some companies are already moving ahead with implementation. Apple Inc. said it would begin storing all cloud data for its China customers with a government-owned company to comply with the new rules. Apple and other companies have also stopped offering virtual private network apps that enable people to get around China’s internet restrictions.
The U.S.-China Business Council’s new survey, released Wednesday, underscores the depth of concern about China’s tightening cyberspace rules. The trade group represents about 200 companies with operations in China, including Apple, Amazon.com Inc. and Microsoft Corp. In the survey, completed by about half its member companies, 51% of respondents said they were concerned about the theft of intellectual property and 53% said they were concerned about the theft of consumer or company data.
It also said 65% of respondents were concerned about restrictions on cross-border data flows, an issue that has gained new prominence with the adoption of the cybersecurity law.
Beyond cyberspace issues, the survey found that the three major challenges for U.S. companies doing business in China were: competition with Chinese companies, getting business licenses and government approvals, and barriers to investment.
The survey also detected increasing pessimism about the business environment. It said 48% of respondents were less optimistic about the business climate than they were three years ago, while 11% were more optimistic. It cited as the primary reason the lack of tangible changes from reforms announced four years ago to encourage economic development.
Three-fourths of respondents expect revenue to increase this year, up from 62% last year, helped by solid consumer spending and government stimulus policies, according to the survey.
