Cybersecurity and “Cyber Sovereignty” in China.
“Without cybersecurity, there is no national security,” according to China’s President Xi Jinping, who in recent years has asserted the country’s “cyber sovereignty” over the operation of the internet within its borders. The Cybersecurity Law of the People’s Republic of China (“CSL”)—“enacted for the purposes of protecting cybersecurity, safeguarding cyberspace sovereignty, [and] national security”—codifies these principles. The CSL came into force on June 1, 2017, and regulates the operation and use of “the network” along with “the supervision and administration of cybersecurity within” China. It has been described as part of “the nation-state’s legislative endeavors to strengthen national security” and “a milestone in China’s laws and policies regarding the internet.” Jyh-An Lee, Hacking into China’s Cybersecurity Law, 53 WAKE FOREST L. REV. 57, 63, 103 (2018). This article discusses some of the CSL’s key provisions and its historical underpinnings in China’s complicated relationship with the West, which are critical to understanding the reach and import of the CSL.
The CSL imposes strict data security and management requirements on various types of businesses operating in China. One of the most important provisions of the CSL is its data localization requirement—itself an extension of China’s “cyber sovereignty” over domestic data. The provision states that “[p]ersonal information and important data” collected and generated by “critical information infrastructure” (“CII”) operators in China must be stored in China. In addition, the CSL and its implementing regulations impose strict limitations on the transmission of such data abroad. The terms “personal information” and “important data” together cover a wide range of information, from basic identifiers such as an individual’s name, date of birth and address, to banking information, biometric information and website browsing logs. A CII operator that violates the data localization requirements for the storage or transmission of personal information and important data faces stiff penalties, including fines and the revocation of its business license.
A vast number of businesses operating over the internet in China could be deemed CII operators. CII operators are a subset of “network operators” (broadly defined as network owners, administrators, or service providers) in “important industries and sectors” such as “public communication and information services,” finance, energy, transportation and public services, or operators of other infrastructures whose destruction, malfunction or data breaches would “result in serious damage” to national security, the economy, or other “public interests.” Draft regulations further indicate that CIIs could include television stations, news agencies, “[i]nformation networks,” and entities providing “cloud computing, big-data and other large-scale public information network services.” The expansive definition of CIIs and the attendant requirements for data storage and management have prompted divergent responses from international companies operating in China. Apple, for example, now maintains its Chinese users’ iCloud data with a state-owned data storage firm and stores the cryptographic keys to those accounts in China to comply with the CSL. By contrast, the Taiwan-based company Asus chose to withdraw entirely from China’s cloud storage market in the wake of the CSL, citing an unwillingness to comply with the country’s data regulations.
To what extent the data localization requirement will impact international commerce and companies’ willingness to do business in China in the long term remains to be seen. In the meantime, given the penalties prescribed for noncompliance, many international companies operating in China will likely choose to conform their operations to the requirements governing CII operators. It is not just the breadth of the law but also the Chinese authorities’ recent enforcement actions that should counsel companies’ compliance irrespective of their size or national origin. Some of the largest and best-known Chinese companies, as well as international companies doing business in China, have been fined for violating the CSL. These enforcement actions and the CSL’s expansive language are best understood against the cultural, historical and political backdrop of modern China. Cybersecurity and data protection are viewed not merely as implicating economic and privacy interests but as matters of sovereignty and national security. This concept has its roots in the founding narrative of modern China—that the PRC has exorcised the influence of foreign nations that violated Chinese sovereignty during the era spanning from the Opium Wars in the mid-19th Century through World War II and the establishment of the PRC in 1949. That narrative is as important to the modern Chinese state as the American narrative of throwing off the yoke of British rule in the 18th Century. And vigilance against threats to the sovereignty and security of the “homeland” is taken as seriously in China as in the U.S. As one commentator has noted, China’s “digital geography . . . is now sacrosanct and will not be violated as was China’s geography physically during the beginning of the 19th century” (Bill Hagestad quoted in John Leyden, China’s cybersecurity law grants government ‘unprecedented’ control over foreign tech, THE REGISTER, September 1, 2017, https://www.theregister.co.uk/2017/09/01/china_cybersecurity_law_analysis).
When placed in historical and political context, it is easier to understand the importance of cybersecurity in Chinese national policy and the seriousness with which major companies doing business in China, whether foreign or domestic, have taken the CSL, just as companies doing business in the U.S. have taken seriously the security measures of the Patriot Act and other post-9/11 laws and regulations aimed at protecting the physical and digital security of the United States.