In August, business groups around the world petitioned China to rethink a proposed cybersecurity law that they said would hurt foreign companies and further separate the country from the internet.
On Monday, China passed that law — a sign that when it comes to the internet, China will go its own way.
The new rules, which were approved by the country’s rubber-stamp Parliament and will go into effect next summer, are part of a broader effort to better define how the internet is managed inside China’s borders.
Officials say the rules will help stop cyberattacks and help prevent acts of terrorism, while critics say they will further erode internet freedom. Business groups worry that parts of the law — such as required security checks on companies in industries like finance and communications, and mandatory in-country data storage — will make foreign operations more expensive or lock them out altogether. Individual users will have to register their real names to use messaging services in China.
Restrictions on the flow of data across borders “provide no security benefits but will create barriers to Chinese as well as foreign companies operating in industries where data needs to be shared internationally,” James Zimmerman, chairman of the American Chamber of Commerce in China, wrote in an emailed statement.
He added that by creating such restrictions, China risked isolating itself technologically from the rest of the world.
But in many ways, the regulations are not likely to have a major impact on much about how business is done. Most of the rules are already in effect, but not codified. Other parts are vague enough that the government will determine their meaning on the fly.
The law, however, is an important statement from Beijing on how the internet should be run: with tighter controls over companies and better tracking of individual citizens.
Calling it a “basic law,” Chen Jihong, a partner at the Zhong Lun law firm in Beijing, said the rules were set up to deal with the growing number of legal issues regarding the Chinese internet and to seek to strike a balance between privacy and security.
“The law only stipulates principles; it would take follow-up laws or interpretations to specify the standards,” he said.
Human Rights Watch said on Monday that it was concerned about several aspects of the law, including that it calls for real-name registration for users of Chinese instant messaging services.
“The already heavily censored internet in China needs more freedom, not less,” the group’s China director, Sophie Richardson, wrote in a statement. “Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes.”
The final law did soften a few elements. In particular, a second draft of the law said foreign businesses did not need to keep all of their data inside China — just important business data collected within China or about Chinese consumers.
For years the government has been working to ensure that people’s real names are linked to their online activities. Beijing has also long restricted many types of online content, from pornography to political discussion.
Foreign companies have at times dealt with the controls detailed in the new law. For example, during the past two years, American tech companies have had products subjected to government security reviews that target encryption and data storage. Beijing also distributed a pledge to American companies last year asking them to vow to respect Chinese national security and to store data within the country.
The law is also part of a broader set of policy steps to streamline regulation of the internet. Analysts say the regulations seem to indicate that the Cyberspace Administration of China, a relatively new regulatory body created during President Xi Jinping’s tenure, ultimately is in charge of setting the agenda.
Last year China passed a national security law that called for technology that supports crucial sectors of the economy and government to be “secure and controllable.” Industry groups say that language means companies can be forced to allow third-party access to their networks, provide encryption keys or hand over source code.
After the state news media announced the law’s passage, comments on Chinese news and social media sites were largely censored.
On one news app run by the internet company Tencent, some users applauded the law as a way for China to crack down on internet fraudsters and the less savory parts of the web. Others wondered what the cost of that security would be.
“I hope this won’t be a law that does more to limit freedom of speech,” wrote one user under the screen name Leisa Wenzhou.
Find out how to protect yourself and business from cyber attacks: http://cyber.aspida.org