China pushes through cybersecurity law heavily criticised by foreign firms on mainland

China has formally adopted a controversial cybersecurity law to exert tighter control over the internet, triggering concerns from foreign businesses and rights organisations.

The law was formally passed on Monday by the standing committee of the national legislature and will come into effect in June next year.

“China is an internet power and as one of the countries that faces the greatest internet security risks, it urgently needs to establish and perfect network security legal systems,” Yang Heqing, an official on the committee, told reporters.

Contentious provisions include requirements for “critical information infrastructure operators”, which includes areas such as the information services sector, energy, transportation and finance, to store personal information and important business data in China, provide unspecified “technical support” to security agencies and to pass national security reviews.

Businesses who store or provide internet data overseas without approval can have their business suspended or shutdown and have their business license revoked.

They are also required by law to provide technical support and assistance to police and national security agencies “safeguarding national security and investigating crimes”.

The demands have raised concern within foreign companies that fear they would have to hand over intellectual property or open back doors within products in order to operate in China’s market.

James Zimmerman, the chairman of the American Chamber of Commerce in China, said the law was a step backwards for innovation in China that would do little to improve security.

Broad restrictions on the flow of cross-border data provide no security benefits but would create barriers to Chinese as well as foreign companies operating in industries where data needs to be shared internationally, he said.

Jacob Parker, vice-president, China Operations of US-China Business Council, said the council is concerned the definition of critical information infrastructure operators has expanded from previous drafts and indicated it could be further expanded if the authority decided to, which relates directly to the types of data and information that need to be localised in China.

Members fear that they be required to disclose source code or to adopt the domestic encryption standard which have not been reviewed by international encryption review bodies, he said.

“All these implications go far beyond foreign companies in China. It affects all players in the market,” Parker said.

The European Chamber of Commerce said in a statement that the overall lack of transparency over the last year surrounding the wide-reaching legislation had created much uncertainty and negativity in the business environment.

“The Chamber remains concerned that the new law will hinder foreign investment and businesses operating in and with China,” the statement said. “The Chamber hopes the law’s application will be limited to what is strictly necessary to ensure cyber security.”

Rights advocates also said the laws would increase restrictions on China’s internet, already subject to the world’s most sophisticated online censorship, known outside the country as the Great Firewall.

Human Rights Watch said elements of the law, such as criminalising the use of the internet to “damage national unity”, would further restrict online freedom.

“Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes,” Sophie Richardson, China Director at Human Rights Watch, said.

Why China’s draft cybersecurity law has chilling implications for the internet and multinationals

Business groups slam China’s draft cybersecurity rules

Don’t let China’s outdated cybersecurity laws block cooperation on the digital economy