App Association Member Update: China’s New Cybersecurity Law Taking Effect June 1, 2017

Many of our member companies view access to the Chinese market as a great opportunity to grow their customer base and expand their businesses to support more jobs in the United States. While this market undoubtedly represents great potential, companies must have an accurate understanding of the legal and regulatory challenges that come with entering it. This blog post gives ACT | The App Association members a timely update on some key cybersecurity policy developments in China, and how they may impact market entrants.

In November 2016, China’s Standing Committee of the National People’s Congress passed final legislation imposing new cybersecurity data governance requirements on companies doing business in China. The law applies to both “network operators,” defined essentially as anyone owning or operating a computer system network, and “suppliers of network products and services.” The law will take effective on June 1, 2017.

The new Cyber Security Law is the first of its kind in China, addressing a comprehensive array of privacy and security regulations. The Chinese government has stated that this law is intended to protect national security by better safeguarding Chinese citizens’ data and giving law enforcement more access to technological systems when needed.

Possibly the most concerning aspect of this new cybersecurity law is the vagueness of its text. While overly-prescriptive laws can stifle innovation, China’s Cyber Security Law does not provide many details, breeding ambiguity and uncertainty about its scope and application.

Despite the vague language about the scope of the law, it certainly applies to all foreign technology companies conducting business in China, carrying with it some serious requirements. For example, the law requires foreign technology and data companies to build or maintain servers inside of China, so that the data of all Chinese citizens will be stored exclusively within China. This protectionist demand effectively means that technology companies, including many of the App Association’s members, may be simply priced out of doing business in the Chinese market.

In addition, under this new law, Chinese law enforcement will have a strengthened ability to access a technology company’s private system in certain situations. This section is worded much like the rest of the law — broad enough to allow a liberal interpretation by law enforcement in many different situations. This requirement leaves technology companies uncertain as to when the Chinese government may demand access to data it holds, including proprietary information such as source code and trade secrets.

Finally, the law mandates that companies provide “technical support” to Chinese law enforcement during an investigation, but it does not clearly define what that entails. In some cases, technical support to law enforcement could consist of a “backdoor” to the technical protection mechanisms (such as encryption) on which software companies heavily rely to maintain customer trust. If companies are required to create such a “backdoor” in the process of an investigation, they face the possibility of an eroded global customer base.

Without question, this new law will affect App Association members doing business in (or considering doing business in) China, and it will require a new evaluation to see if entry into the market is worth the hefty price of admission. App Association staff actively advocates to governments around the world to ensure that barriers to market entry are mitigated. We will continue to work with our members across the ecosystem who are looking to expand into new markets, and we urge you to contact us to learn more.

Written with Emily Baker

By | 2017-03-17T11:21:05+00:00 March 17th, 2017|