China\u2019s legislature approved its\u00a0Cybersecurity Law<\/a>\u00a0this past November, solidifying China\u2019s regulatory regime for cyberspace and potentially disrupting foreign companies that use or provide telecommunications networks in China. The law takes effect June 1, 2017, and reflects China\u2019s desire for \u201ccyber-sovereignty<\/a>\u201d (regulating the Internet in China according to national laws, despite the global nature of the World Wide Web). As the Chinese Communist Party (CCP)\u00a0faces pressure<\/a>\u00a0from slowing economic growth and foreign influence, the Cybersecurity Law is one in a series of laws the Chinese government has implemented recently to uphold state security.<\/p>\n Though the wording of the law is vague, it formalizes many current practices and aims to consolidate cybersecurity authority under the Cybersecurity Administration of China. While the government is expected to offer more clarification on the law through implementation rules, how the law is played out in practice will be the ultimate indicator of the law\u2019s severity. These three aspects of the law have the greatest potential to affect multinational companies (MNCs) doing business in China, according to an NACD analysis:<\/p>\n 1. Data localization:<\/strong>\u00a0Article 37 of the law is one of the most contentious and requires that \u201ccritical information infrastructure\u201d (CII) operators store personal information and other important data they gather or generate in mainland China to be\u00a0stored<\/em>\u00a0in<\/em>\u00a0mainland China. CII operators must have government approval to transfer this data outside the mainland if it\u2019s \u201ctruly necessary.\u201d The definition of CII is a catch-all, including public communication and information services, power, traffic, water, finance, public service, electronic governance, in addition to any CII that would impact national security if data were compromised.<\/p>\n Impact:<\/strong>\u00a0The\u00a0broad applicability<\/a>\u00a0of the CII definition raises the concern that any company using a telecommunications network to operate or provide services in China would be required to store data in mainland China, possibly even affecting those that store data to clouds with servers located outside mainland China.<\/p>\n 2. Support for Chinese security authorities:\u00a0<\/strong>Article 28 requires \u201cnetwork operators\u201d to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations. Network operators are broadly defined as those that own or administer computer information networks or are network service providers, which may include\u00a0anyone operating a business<\/a>\u00a0over the Internet or networks.<\/p>\n Impact:\u00a0<\/strong>The loose definition of \u201ctechnical support\u201d creates the concern that MNCs will be required to grant Chinese authorities access to confidential information,\u00a0compromising private information<\/a>\u00a0and intellectual property that may be shared with state-owned competitors. Although not stated in the final version of the law, there is also the possibility that companies may be required to provide\u00a0decryption assistance and backdoor access<\/a>to authorities upon request.<\/p>\n 3. Certified network equipment and products<\/strong>: For network operators, Article 23 indicates that \u201ccritical network equipment\u201d and \u201cspecialized network security products\u201d must meet national standards and pass inspection before they can be sold or supplied in China. A catalogue providing more specification on these types of products will be released by the government administrations handling cybersecurity. Under Article 35, CII operators are also required to undergo a \u201cnational security review\u201d when purchasing network equipment or services that may affect national security.<\/p>\n Impact<\/strong>: Chinese companies and government agencies have historically relied on computer hardware and software manufactured by foreign companies, although this is now shifting in favor of domestic IT products. Opportunities for hacking and espionage put China at risk of losing sensitive information to foreign governments or companies, and China has already started conducting reviews of the IT security products used by the central levels of government. This provision of the Cybersecurity Law demonstrates China\u2019s resolve to mitigate this risk and may pose a\u00a0significant barrier<\/a>\u00a0to foreign IT equipment manufacturers selling products in China.<\/p>\n China\u2019s Cybersecurity Law has been criticized by the\u00a0foreign business community<\/a>, and, depending on the law\u2019s implementation, it may make doing business in China for MNCs not only more complex but also riskier. Tom Manning, a China specialist at the University of Chicago Law School and director of Dun & Bradstreet, CommScope, and Clear Media Limited, advises boards to consider the effect of the Cybersecurity Law in the greater context of China\u2019s rise: \u201cThe Chinese economy is increasingly more self-sufficient. Domestic companies are growing stronger and are more capable, while multinational companies are finding it more difficult to compete.\u201d<\/p>\n Manning suggests boards conduct an overall China risk assessment, with the Cybersecurity Law as the focal point. While some companies may determine the risk of doing business in China is too high, Manning says, others might decide they need to invest more in China to be profitable. Ultimately, creating alliances with domestic firms, who have a greater influence over the government\u2019s implementation of the law, may be key. \u201cLeading domestic companies have a stake in seeing a better definition of the law, and their interests aren\u2019t unaligned with multinational companies,\u201d Manning says. \u201cChinese Internet companies can explain to the government how the law will affect their business models and be more effective in doing so than Western companies.\u201d<\/p>\n Although how the law will be enforced remains to be seen, boards can consider the following questions when evaluating the impact of China\u2019s Cybersecurity Law:<\/p>\n For an English version of China\u2019s Cybersecurity Law,\u00a0<\/em>China Law Translate<\/em><\/a>\u00a0provides a free, unofficial translation.\u00a0<\/em>The Chinese version of the law is located on the website for China\u2019s\u00a0<\/em>National People\u2019s Congress<\/em><\/a>.\u00a0<\/em><\/p>\nSignificant Provisions of the Law<\/h3>\n
How Directors Can Prepare<\/h3>\n
\n