China's move to strengthen its cybersecurity regime will increase compliance costs for all technology, media and telecommunication companies — local and foreign — operating in China, experts warned.
The new cybersecurity rules, under China's existing "multilevel protection scheme" or MLPS, will go into effect on December 1, 2019. The new standards will expand Chinese authorities' supervision from "basic information systems" to technologies including mobile internet, the internet of things, cloud computing, big data and industrial security systems, according to a May 15 Financial Times report which cites an official document.
In particular, the fortified measures will broaden the technical and management requirements regarding classified cybersecurity protection.
Compliance costs in the form of implementing systems to meet new regulatory reporting requirements and risk control measures will increase, said James Lewis, senior vice president and director of technology policy program at the Center for Strategic and International Studies. Reporting to the multiple regulatory bodies operating in China will also drive up costs, he added.
The Cyberspace Administration of China, the Ministry of State Security and the Ministry of Public Security are all involved in the updated cyberlaw, which was first enforced in 2017. The law gave the Ministry of Public Security responsibility for cybersecurity protection, supervision and management. It was critiqued for its vague provisions regarding how authorities will conduct its reviews.
China's big tech companies, including Baidu Inc., Alibaba Group Holding Ltd., Tencent Holdings Ltd. and Beijing Byte Dance Telecommunications Co. Ltd. will be affected by the upgraded cyberlaw, Zhi Bao, a partner at Baker McKenzie FenXun Joint Operation said in an interview.
"Given the growing popularity and significance of cloud computing and big data-related infrastructures and services in China, it is not surprising that the government is paying more attention to the cybersecurity protection in these areas to reflect the changes in industrial developments," he said.
These Chinese tech giants will likely need to "change their privacy policies and that will increase costs too," according to Dan Harris, managing partner of international law firm Harris Bricken.
The new provisions will also impact foreign TMT companies with operations in China as their businesses will be scrutinized for cybersecurity breaches, the experts say.
International TMT companies will need to factor in practical and operational risks such as whether they operate on a global system that does not have a legal virtual private network, or VPN, or if the content of their websites does not comply with Chinese laws, Carolyn Bigg, a partner at DLA Piper said.
Bigg added that some aspects of the new regime will be more "challenging" for foreign players due to their lack of understanding of the regulatory and enforcement environments in China.
Foreign companies are already reportedly complaining about the lack of clarity surrounding China’s cybersecurity regulations, pointing to concerns of a possible leak of their intellectual property to competitors.
In addition to increasing costs, the strengthened regime will reduce both foreign and Chinese TMT companies' freedom to act, Harris said.
News of the modifications, which analysts say have been in the works for five years, come amid an ongoing trade war between the U.S. and China.
While experts see no direct link between the trade tariffs and the cybersecurity amendments, they say the current geopolitical situation will add to the increasing difficulty businesses operating in China will face.
"Doing business in China is going be to tougher than doing business in Europe," Lewis concluded.