It is well-recognised that China is a leading power, if not the principal force, behind global technology development. Following President Xi Jinping’s appointment as Head of The Central Leading Group for Cyberspace Affairs in 2014, China’s determination to both pave the way for global technological advancements and ‘maintain cybersecurity’ at home has become far more prominent. However, rather than achieve heightened ‘cybersecurity’ through the enhanced safeguarding of professional, personal, and biometric data, wide-reaching and vaguely worded cybersecurity laws were introduced which left the door open for data exploitation. The law was praised by some for its comprehensive approach and focus on ensuring basic network security in China; however, within the law were regulations which required technology providers to banks to turn over secret source code, undergo extensive audits and implement encryption algorithms. These laws, implemented in 2017, initially flagged up fears of increased intellectual property theft. Combined with the resurfacing of a 2010 white paper which stated: ‘within Chinese territory, the internet is under the sovereignty of China’, this fuelled suspicions of further, more ruthless, legislation – 2021 saw the cybersecurity laws confirming these fears.
On the 1st of September 2021 an updated cybersecurity law came into effect in China (having been passed in 2020). The law has two main implications: firstly, it expands the jurisdiction of the Network Security Law to data activities which ‘may harm national security or public interests of the PRC’ conducted within, and outside, China. Secondly, the vague wording of the act extends the breadth with which governmental penalties may be applied. The law greatly extends the scope of governmental reach; currently, the Network Security Law only applies to a narrow set of network activities outside of China which ‘attack, infringe, interfere with, or damage critical information infrastructure in the PRC and lead to severe consequences’. Previously, foreign-owned companies were able to evade Chinese data controls through the implementation of VPN servers in and between offices (creating servers separate from Chinese-controlled networks – allowing companies to operate outside of Chinese data regulations as well as maintain privacy during internal communications). The 2021 cybersecurity law largely expands the application of data law. The Government is now able to interpret broadly what constitutes ‘harm’, ‘national security’ and ‘public interests’. Consequently, in line with the tone of the 2010 white paper, the legal understanding of ‘Chinese territory’ has been significantly extended and international companies left fearful of how their data transfers within and across Chinese servers will be handled. Such fears are well founded in the context of the penalties within the Act; data mishandling can incur fines of up to 10 million yuan and even carry criminal charges. The laws are intolerably vague, especially considering they carry such substantial penalties. Speaking on the matter, Nicholas Bahmanyar (Senior Consultant at LEAF, a Beijing-based law firm) explained how: ‘there is no list, there is no annex, there are no examples… so we’re a little bit in the dark here.’
One of the most glaring discrepancies lies in the new data classification system. Under the laws, there has been a reform of how data is handled domestically as well as how data requests from foreign jurisdictions are handled. Data may now be classified as ‘national core data’, ‘personal information’ or ‘important data’. ‘National core data’ and ‘important data’ are deemed the data types in which the Chinese Government takes the most interest, with data mishandling offences of these data types carrying the largest penalties. However, the Government has failed to provide supplementary definitions, or examples, of each data type and how companies should be classifying data. As a result, the commercial sector has been left unenlightened about how the law actually applies to them and how they should be conducting data handling. On a fundamental level, this has serious implications for the rule of law and the right of the public and companies to know the law they are held to; however, it also means that companies may be breaking the law, to any degree of severity, and be unaware of this fact (and the offence for which they are liable). This can be seen in practice under the requirement for companies to conduct security assessments on any ‘important data’ they are looking to export abroad. Naturally, if companies are unaware of what actually constitutes ‘important data’, they are unable to complete security assessments at all, let alone comprehensive assessments which relieve their liability. Such difficulties are also combined with the tightening of restrictions regarding the procedural steps, and involvement of government agencies, necessary before data can legally be shared across borders.
Therefore, arguably the most serious consequences of the laws reside in Articles 31 and 36. Article 31 states: ‘data collected and generated by critical information infrastructure operators are bound to be stored within the territory of China by principle. Whenever such data needs to be transferred overseas, a security assessment has to be performed’; and Article 36: ‘Any organisations and individuals in China must obtain the approval of the competent authority when dealing with cross border data submission requests made by foreign judicial or law enforcement authorities’. It is suggested that prior to any type of data being shared, approval from an expert government agency is necessary. However, once again, it is unclear how such requests will be handled by government agencies in practice – all that is stated is the presence of a fine up to 5 million yuan for breaches which have severe implications and a fine of less than 500,000 yuan for related parties responsible for the breach. Such restrictions have also been applied to all foreign judicial or law enforcement authorities (including those under international treaties or agreements), widening the net of corporate consequences and the quantity of commercial actors implicated.
Fundamentally, the laws have produced more questions than answers, leaving international companies and practices, in particular, with fears that they may be acting illegally without knowing so. The Chinese government has acted in such a way that it is able to broadly interpret the statute to gain access to practically any data of its choosing – an act which raises vital concerns regarding morality and the extent to which governments should be able to intervene, and pry, into commercial concerns. Following this, there is little option but to conclude that, in many ways, it is impossible to say for certain what the implications will look like in practice for the commercial sector, given the Chinese government’s failure to provide clear outlines or examples of the law it expects to be implemented. In any case, internationally practising corporations must act cautiously and prepare for all eventualities.