China's parliament earlier this month passed a law aimed at addressing the country's concerns about hacking and terrorism, which has spiked concerns among foreign businesses and human rights advocates.
One interpretation of the new law is that it only codifies China's existing cybersecurity practices. However, 46 global business groups across a variety of industries didn't see it that way. They outlined potential problems in a letter sent to Chinese Premier Li Keqiang this summer, when the measure was pending.
The law would expose foreign companies doing business in China to invasive government security reviews and burdensome requirements for keeping data in the country, the business groups warned.
Their objections appear to have been ignored by Beijing. The new law requires all critical information infrastructure operators to store personal information and important business data in China, as well as to provide technical assistance to security agencies and pass national security reviews.
"In terms of the expanded definition of 'critical information infrastructure' and the requirement for vendors to undergo a national security review, foreign companies are concerned about exposing source code, as well as requirements to use domestic encryption standards not vetted by international standards bodies," explained Erin Ennis, senior vice president of the U.S.-China Business Council.
"The CII issue also ties directly to data localization and restrictions on cross-border data flow, and impacts a wide variety of industries well beyond the tech sector," she told the E-Commerce Times.
"China has never had an open Internet, but this codifies existing requirements and expands them," observed Scott Kennedy, director of the Project on Chinese Business and Political Economy at the Center for Strategic & International Studies
"It will raise the costs of compliance for foreign firms significantly," he told the E-Commerce Times.
Foreign companies now are required to assist Chinese authorities in their investigations of cybercrime and other types of misuse of the Internet.
"That could involve providing the encryption keys to the encryption you use," Kennedy noted.
Being forced to keep data on Chinese citizens in China and not being allowed to export it also could be burdensome for some companies.
"That's an obstacle to companies that want to analyze all their users' data together," Kennedy said. "Chinese companies don't face that obstacle. Ali Baba has servers in Seattle, and they can take data on their American customers and send it to their headquarters in China."
Meanwhile, human rights groups knocked provisions in the law that appear to enhance restrictions on China's Internet, which already is restricted by the Great Firewall, a monument to online censorship in the 21st century.
Those provisions include making it a crime to use the Internet to "damage national unity."
While the Chinese government already imposes strict requirements on online activity, the law takes its stance up a notch.
"What this law does differently is it elevates these requirements into national law for the first time," said Cynthia Wong, a senior Internet researcher at Human Rights Watch.
"A lot of these requirements were informally enforced," she told the E-Commerce Times. "This really signals the Chinese government's seriousness and willingness to really crackdown on these requirements in the future."
When the law was proposed, there was some hope that the government would address the concerns about rights and privacy, but that wasn't the case, Wong noted.
"It doesn't seem like a lot of that feedback was heeded by the government," she said. "The law's downsides still remain in place from the first draft."
Although the new cybersecurity law may appear onerous to some observers, it doesn't much change the existing repressive policies in place, maintained attorney Dan Harris, coauthor of the China Law Blog.
"People who have been dealing in this area for years know it's aleady super restrictive," he told the E-Commerce Times. "This just puts a fine point on that."