Modern China has always been a country with an isolationist ideology, treating privacy with the utmost concern. The Great Firewall is a perfect example, a virtual security gate barring the likes of Google, Facebook, Twitter etc., thus putting itself in the dark. Once again, China hasn’t failed to disappoint, and with the introduction of a new cybersecurity law, businesses around the globe will face a tough time with even more restrictions.
The Cybersecurity law
What seems to be a kneejerk reaction to global information leaks over the past years, China’s law aims to maintain cybersecurity and national integrity. After several draft regulations and deliberations, it was adopted in November 2016. The law came into partial effect on June 1st, 2017. In simple terms, the law revolves around securing Chinese public data.
The law identifies a non-exhaustive list of industries like energy, finance, and public services as critical industries, whose information is regarded as CII (critical information infrastructure). The government laid down rules for these companies which state that data about the country, stays within the country. This means that companies must follow heavy regulations regarding citizen data. Companies outside this umbrella must go through a thorough regulations check from government agencies and, upon approval, will be permitted to export data outside.
Enterprises will have to ensure that all laws are complied with by December 2018. Violating the rules will be met with a fine of USD150,000 per violation and, in the worst case, risking license cancellations and suspension of businesses, websites and operations in China.
Impact on procurement and business
Because it’s extremely lucrative, and with the fastest-growing economy, MNC’s (multi-national companies) certainly see China as a bright spot for investment. However, a law of this order comes with significant cost increases. In the case of process workflows, companies will be hampered by new regulations involving data protection and regulatory compliances. Companies must go through a “national security review” to ensure the security of their databases. Colocation/data centres are areas which store vast amounts of company data, and are spread across the world by huge companies to have fast data access and backup/recovery options. Usually companies invest in one data centre per region, but because data must be kept within the Chinese mainland, companies must invest in colocation/data centres in the country specifically, which means significant cost to businesses. MNCs will be prevented from hosting cloud storage across the world, thus forcing many of them to restructure their data centre infrastructure. This means huge investments in terms of planning architecture, investment in resources, hardware, spaces and time. This is applicable for maintenance as well, which must be done only within China, thus adding another possible conflict in maintenance contracts, which may be provided by third party vendors outside the region.
In terms of the supplier landscape, Chinese companies will be favoured, and data centre vendors and cloud providers like Alibaba will see their businesses grow with demand. Companies may consider additional Chinese providers on top of their existing cloud contracts globally, only to meet with the new compliances.
Industrial espionage is another concern. The new law states that all data being hosted must be provided with a decryption method, so in the case of a request from the government, it can be handed over. On top of that, source codes of software, usually only known to the developer, must be shared with the government if they demand it. This adds significant risk to businesses, as it makes them very vulnerable. Concerns regarding protection of business secrets arise, and it allows China to delve into companies’ intellectual property.
With such a large potential market, shunning China would be an opportunity lost. With the introduction of this law, however, a lot of changes can be expected in business processes, company structure, costings and future investments. With hefty fines and business licences at stake, companies have a tricky task on their hands.