The Abacus

China’s New Cyber-Security Scheme

By: ACBC National
19-12-2019

A new Chinese cyber-security regime will come into effect in January, requiring every business, including foreign-owned companies, to comply with regulations regarding data integrity and data storage on servers across China. This will increase the regulation surrounding the use of encryption in connection with Chinese national security matters.

“It will cover every district, every ministry, every business and other institution, basically covering the whole society. It will also cover all targets that need [cybersecurity] protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet,” explains Guo Qiquan, chief engineer at the network security safeguard bureau of the Ministry of Public Security (MPS).

The scheme ranks the networks and systems that make up China’s critical information infrastructure based on national security. Level five is deemed the most sensitive, and anything at level three or higher will have to meet a number of regulatory requirements.

The new regulatory regime will apply to foreign-owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full-coverage program, meaning private messages, online anonymity and accessing foreign networks via VPNs will all be affected.

Accordingly, intra-company VPN systems will no longer be authorised in China by anyone, including foreign companies. All company email and data transfer will be required to use Chinese operated communication systems that are open to China’s Cybersecurity Bureau.

While the Chinese authorities often complained about the use of VPN systems, foreign companies were usually able to claim that their special WFOE status exempted them from Chinese data controls - specifically the use of state-approved VPN providers.

However, the new Foreign Investment Law that goes into effect on January 1, 2020 explicitly eliminates any special status associated with being a WFOE or other foreign-invested enterprise. Foreign-owned companies will be treated in exactly the same way as Chinese-owned companies and will be forced to use VPN services offered by (and compliant with) the Chinese government.

The plan was originally formulated by the Chinese Ministry of Public Security, which appointed big data expert Wang Yiwei as the new director of the Cybersecurity Bureau.

What does this mean for Australian business, according to Cyber Law Firm WiseLaw

Australian companies operating in China should seek legal advice and take informed steps in adhering to new requirements under Beijing’s revised cyber security regime. This is particularly important where Australian companies operating in China may soon find themselves heavily inclined to adopt Chinese-sourced network products and services, where their MLPS network is rated level 3 or above. Understanding and navigating China’s increasingly complex cyberlaw environment is paramount for companies when managing requests to provide the Chinese government with access to their data, where authorised by the relevant Chinese legislation.

Industries, such as manufacturing and retail, would be included in the cyberspace protection scheme because it covers the vague category called ‘network operators’, which can include anyone who uses an ICT (information and communications technology) system.

According to cyber law firm WiseLaw, from the perspective of a best-case outcome, it is apparent that the new Scheme will result in greater uniformity, transparency and accountability in the development, sale and purchase of digital products within China.

Conversely, a negative outcome would be an increased level of distrust by international businesses in China’s economy, and possibly a reduction in the degree of bilateral cooperation and investment between China and its neighbors – including Australia.

The most likely outcome is that the legislation will be enacted and that, ideally, Beijing will pragmatically allow a grace period in its enforcement against national and international business interests. Historically we have observed that, where governments introduce wide-sweeping changes such as these, legal compliance is improved through cooperation and encouragement from government agencies.

Overall, it is foreseeable that Chinese ICT manufacturers, vendors, and professionals across the domestic tech industry will benefit from the legal requirement to own and operate Chinese technology. However, it will be those manufacturers who can best adapt their sales and marketing to a mixed clientele of domestic and foreign businesses who stand to benefit the most.

WiseLaw is an ACBC member and specialist Australian cyberlaw firm on cyber legal advice, research & education, and responsible cyber security practices.

For more information on China’s cyber legal landscape, please contact WiseLaw solicitor Jonathan Lim at jl@wiselaw.com.au
