Yesterday, China introduced its new Cybersecurity Law, a long-debated law that will impose tough regulations, introduce serious uncertainties, and possibly prevent market access for American companies conducting business in China. This law is particularly toxic for ACT | The App Association’s app developer and small business members seeking access to digital markets and consumers in China. Frustratingly, the law includes onerous data localization requirements and uses extraordinarily vague language when outlining important provisions, such as when Chinese law enforcement bodies may access a business’s data or servers or how often a business must perform demanding safety assessments. Legal certainty is vital to our app developers’ operations and their ability to maintain their customers’ trust and protection of their data. The broad, vague language used throughout China’s Cybersecurity Law leaves businesses without clear guidelines or expectations about how the law will be applied, and jeopardizes their opportunity to succeed in an important market.
The App Association has been advocating on behalf of innovative American app developers who do, or look to do, business in China, and we recently filed detailed comments with the Cybersecurity Administration of China (CAC), in both English and Chinese. The App Association also joined many other global tech associations in a letter reiterating these concerns. The comments filed to the CAC argue against data localization requirements, which deter digital trade and discourage the use of efficient cloud-based services. The comments identify numerous areas where the law uses overly prescriptive and technically and/or economically infeasible mandates to address public safety goals. These mandates include self-regulation of data flows, risk assessments, and keeping data within China’s borders.
The App Association also addressed problems related to the vague definition of “network operator,” as the “owner of the network, network managers and service providers.” This can be interpreted to include app developers, despite most small business innovators operating on a larger platform or network that they do not manage. Broadly including small app and software businesses within this definition brings along loosely-defined cybersecurity responsibilities attributed to parties that fit that title. Separately, we also contributed English and Chinese comments on the CAC’s implementation of the law’s restrictive policies on data transfers across Chinese borders.
The App Association’s small business members, in their efforts to grow their business and create more jobs by entering the Chinese market, simply do not have the resources to comply with these stringent regulations and may be subsequently excluded from the market. Without American app developers’ participation in the market, all parties lose, including Chinese consumers who will not benefit from the competition and ingenuity of the $143 billion app ecosystem.
As governments grapple with how to address cybersecurity threats and consumer safety, their approaches should embrace the global digital economy’s potential to revolutionize new consumer and enterprise segments of the economy. The App Association is committed to working with governments around the world to craft balanced and reasonable approaches within new or updated laws to protect the public from cyber threats.
In consultations with the CAC following our filing of comments on the draft Cybersecurity Law, we learned that few amendments would be made. However, due to our advocacy, some particularly onerous provisions, like the law’s data localization requirement, will not go into effect until the end of 2018 and may only apply to “critical information infrastructure.” However, the devil is always in the details, and we unfortunately have few. China’s new law runs counter to many of the App Association’s well-established principles that balance the protection of the public interest with encouragement of the app economy’s innovation. The law doesn’t simply create challenges for American innovators or Chinese consumers; China’s Cybersecurity Law jeopardizes the ability of the global digital marketplace to flourish in one of the world’s biggest economies.
Moving forward, the App Association will continue to work to help our members access new markets, grow, and create more jobs. While the App Association’s advocacy has helped delay the implementation of some debilitating provisions, our members will inevitably have to make a stark assessment about whether it is viable to enter the Chinese market. We will be vigilant in responding to new rulemakings implementing this law, such as the new proposed definition of data covered by data export security reviews, and we will keep our members informed and engaged.