Doing business internationally is always difficult, and that is especially true with China. The high language and customs barriers are often matched by completely different understandings of law and sovereignty.
This has proven especially true with the new cyber security law that requires international companies to have data stored in China for inspection. The process for approval has never been made clear and is taking up a lot of time for those companies attempting to comply.
The new law came into effect on June 1, 2017. In many ways, it is a continuation of government policy that the internet is subject to Chinese laws when it is operating in China. The sovereignty of the internet, as the concept is known in China, has been the basis of nearly every policy – including the development of the Great Firewall.
This new law requires all network operators, of any kind, to provide full access to all data upon request. This includes all source code and potentially a lot of private information. It applies to anyone operating a network in China, including a company which has its own e-mail server or any other system in place.
In many ways, it is simply the concept of internet sovereignty meeting international best practices for security. In practice it has proven much more difficult.
Concerns raised immediately
Because of the demands for complete transparency, the new law has raised concerns about data privacy and intellectual property protection. The questions include any data which passes back and forth between China and the rest of the world.
The US has filed a request with the World Trade Organization to ask China to suspend the law based on international agreements involving intellectual property. This request has not been answered. This is not the first time that the internet sovereignty concept of Chinese law and policy has come into conflict with the rest of the world, but it certainly has the biggest reach in terms of commerce.
The biggest concern for businesses operating in China is not the law itself, but how to apply for the required licenses and inspections under it. There is considerable confusion on these topics, starting with who is the right agency to certify compliance with the law as well as how inspections might be carried out.
Without this information, companies operating in China are very confused as to how to best respond to the law and protect their own privacy and property. It has become a significant issue for any business operating a server in China today.
Until the procedures are worked out, this new law will indeed cause nothing but headaches for those trying to comply.