BEIJING: With a new cybersecurity law due to come into force in a few days, foreign businesses in China are having to consider the potential impact of recent changes to the language which broadens the scope of those affected.
Companies were already unhappy with plans to conduct security reviews of technology products and a requirement to store data collected in China inside the country.
And rewording of the law passed late last year has the potential to bring a much wider range of businesses within its ambit.
The rules limiting the transfer of data outside China's borders originally applied only to "critical information infrastructure operators". But last month that was changed to "network operators," which, the South China Morning Post noted, could mean just about any business.
"Even a small e-business or email system could be considered a network," said Richard Zhang, director of KPMG Advisory in Shanghai.
Another provision is already having an impact, according to Jake Parker, vice-president of the US-China Business Council in Beijing.
That is the one that requires IT hardware and services to undergo inspection and verification as "secure and controllable" before companies can deploy them in China.
"We've heard from our members that domestic banks and SOEs are being much more thoughtful about purchasing domestic technology and shifting away from foreign products, despite the fact that there's no specific requirement for them to do so," he said.
Parker also reported that members were complying with the data storage obligations. "Almost all our companies are making moves to ensure that the majority of the data they collect in China is stored on servers located within China.
"It's not just the technology companies," he added. "It's financial services, semiconductor manufacturers, every sector of business in China, that's impacted."
The law applies to all companies in China, but foreign firms are expected to be most affected as they typically have more need to shift information across borders to overseas data processing centres.
Many of these will also be preparing for the GDPR – the EU regulation that seeks to put control of personal data back in the hands of the individual.
Companies were already unhappy with plans to conduct security reviews of technology products and a requirement to store data collected in China inside the country.
And rewording of the law passed late last year has the potential to bring a much wider range of businesses within its ambit.
The rules limiting the transfer of data outside China's borders originally applied only to "critical information infrastructure operators". But last month that was changed to "network operators," which, the South China Morning Post noted, could mean just about any business.
"Even a small e-business or email system could be considered a network," said Richard Zhang, director of KPMG Advisory in Shanghai.
Another provision is already having an impact, according to Jake Parker, vice-president of the US-China Business Council in Beijing.
That is the one that requires IT hardware and services to undergo inspection and verification as "secure and controllable" before companies can deploy them in China.
"We've heard from our members that domestic banks and SOEs are being much more thoughtful about purchasing domestic technology and shifting away from foreign products, despite the fact that there's no specific requirement for them to do so," he said.
Parker also reported that members were complying with the data storage obligations. "Almost all our companies are making moves to ensure that the majority of the data they collect in China is stored on servers located within China.
"It's not just the technology companies," he added. "It's financial services, semiconductor manufacturers, every sector of business in China, that's impacted."
The law applies to all companies in China, but foreign firms are expected to be most affected as they typically have more need to shift information across borders to overseas data processing centres.
Many of these will also be preparing for the GDPR – the EU regulation that seeks to put control of personal data back in the hands of the individual.
Data sourced from South China Morning Post; additional content by WARC staff
