Foreign companies across a number of sectors, including financial services, will likely bear the brunt of a cybersecurity law coming into effect in China on June 1.
The Cyberspace Administration of China said the new law, unveiled in November 2016, aims to safeguard China's sovereignty in cyberspace and protect the data of individuals and organizations. Among other requirements, companies operating in China must now host their data on Chinese servers and seek the regulator's permission to transfer data offshore.
"[The law] has much to do with information sovereignty, to control information within the jurisdiction, promoting and developing the local industry and know-how," Scott Thiel, partner at law firm DLA Piper in Hong Kong, told S&P Global Market Intelligence.
The data transfer rules apply to companies operating in China in sectors categorized as "critical infrastructure providers," which include finance, energy, communications and infrastructure. While the law applies equally to Chinese institutions, experts say it will mainly affect foreign ones, which are more likely to have data centers outside China.
"The financial sector will be the most affected," said Jenny Zhong, a partner at PwC Legal in China, because financial institutions typically house their databases offshore, either at their headquarters or in regional financial hubs such as Hong Kong or Singapore.
A man stands in front of a display showing a live visualization of online phishing and fraudulent phone calls across China.
Source: Associated Press
Experts at DLA Piper said in a May 26 note: "We see [the offshore data transfer rule] as being one of the most potentially disruptive and involved aspects of the new China data protection/security environment, particularly on international organizations operating in China."
Under the law, personal data collected within China — such as individuals' names and contact information — may be transmitted offshore only with the prior consent of the individuals the data belongs to. The law also mandates that authorities conduct a security assessment on data larger than 1,000 gigabytes and containing the personal information of more than 500,000 individuals.
However, according to media reports on May 31, implementation of the law's cross-border data transfer provisions has been postponed to December 2018. No explanation was given for the postponement, The Associated Press reported, noting that the decision came after several business groups called for the law to be made consistent with World Trade Organization rules.
The new regulations also provide for the Cyberspace Administration of China to review and certify companies' software and equipment.
"Financial institutions that use in-house technology for key parts of their services may fear that regulators inspecting this equipment on the pretense of cybersecurity in fact [are] doing so in order to pass trade secrets to Chinese enterprises," Stuart Hargreaves, a law professor at the Chinese University of Hong Kong, wrote in an email.
Furthermore, he said banks and other financial institutions "may incur large costs if they are forced to transition to domestic hardware [or] software providers in order to remain in compliance."
"A lot of the law coming out now is a restatement of the law that is already in place in China. Many are not taking those rules seriously because there's been no enforcement," said Thiel.
Before the law was enacted in November 2016, China's regulations in this area focused on tackling computer viruses and protecting information online. The new cybersecurity law is the first to introduce the concept of safeguarding cyberspace sovereignty, according to a KPMG report.
"The overall driver is China's desire to maintain sovereignty over the internet and control over flows of information within its borders," Hargreaves said.