China’s first cybersecurity law takes effect today, and experts are rattled about what it all means.
The law has been largely touted by Beijing as a milestone in data privacy regulations, but critics say authorities haven’t provided enough information about how the wide-reaching law will be implemented. That’s a big concern, as failure to comply carries fines that could hit 1 million yuan (about $150,000) and potential criminal charges.
What’s more, the law is expected to make it even harder to do business in China by increasing costs to foreign firms, exposing multinationals to cyber-espionage, and giving domestic companies an unfair edge. And it’s adding to the already tough environment: The World Bank currently ranks the world’s second-largest economy 78 out of about 190 countries in terms of ease of doing business, only a few notches above Qatar, Guatemala and Saudi Arabia.
Here’s what you need to know about the law now:
The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. As such, companies will now be required to introduce data protection measures, and sensitive data — for instance, information on Chinese citizens or relating to national security — must be stored on domestic servers. In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges, however, is that the government has been unclear on what would be considered important or sensitive data.
Unauthorized collection, disclosure and receipt of a citizen’s personal information now constitute a criminal offense, according to Scott Thiel, a partner at law firm DLA Piper. Sanctions would take into account the degree of harm, and the amount of illegal gains — fines could go up to five times the amount of those ill-gotten gains.