China’s National People’s Congress (NPC) concluded its annual legislative session in Beijing last week, covering in part a controversial Anti-Terrorism Law with strict new cybersecurity provisions that could significantly impact operations and profitability of tech firms operating in China. While legislation was ultimately not enacted during this NPC session, the prospect of future adoption is a large concern for many leading foreign technology firms and privacy advocates.
The Chinese government claims growing violent extremism within China and abroad as reasoning for the law, although in reality many cybersecurity provisions have additional security and economic drivers. Former NSA contractor Edward Snowden’s revelations about US government bulk-data collection programs provided the chief security rationale for the bill. Since 2013, China has moved to minimize its susceptibility to espionage by pressuring government officials to use indigenously built computer hardware and software. The new anti-terror bill includes a data localization mandate requiring telecommunications firms and ISPs operating in China to house their servers and keep customers’ data within China’s borders. This legislation echoes calls from as many as twenty other governments, including Brazil and Russia, seeking to shield themselves from NSA surveillance programs. The law also follows recent calls by top US government officials, including the heads of the FBI and NSA, for tech firms to install backdoors in their programming to allow spy agencies to easily access the data of suspected terrorists. China’s mandate would instead require that all tech firms operating in China only use pre-approved password schemas registered with the government and ban all firms who refuse to comply.
Where the Chinese and American cybersecurity regulations diverge is the final aspect of the new law dealing with information monitoring. The anti-terror law would render technology firms as arms of Chinese state intelligence. Telecommunications firms and ISPs would be mandated to monitor the content of information that transits their networks, and to intercept, block, and report all terrorism-related communications.
Business lobbies and high-ranking US government officials have alleged these new cybersecurity provisions are merely the latest in a series of actions by China to bolster its domestic technology industry. Recent anti-trust investigations against major Western corporations and restrictive IT-procurement regulations for Chinese banks have also contributed to an increasingly hostile business environment for foreigners in China.
The NPC Standing Committee, a select group that meets every two months, may still vote to enact the anti-terrorism law later this year. If the new cybersecurity regulations are codified in their present form, leading American technology firms already under pressure may be forced out of the $465 billion China technology market. Technology firms and their customers will also continue to be hurt by the trend toward data localization around the world. This “Balkanization” of the Internet will not only raise costs of physical infrastructure for tech firms, but also reduce data transport efficiency across networks, resulting in slower Internet speeds for users.