China’s Cybersecurity Law Pushes Cyber Sovereignty Vision

Ever since 2010, China has been advancing its vision for cyber sovereignty. Rather than viewing the Internet as global and borderless, this vision calls for China to be able to govern, regulate – and perhaps even censor – the Internet as it requires. Recent Chinese initiatives – such as the enactment of China’s Cybersecurity Law in June 2017 – would seem to suggest that China views cyber sovereignty as a way to clamp down on Internet companies within the country, especially foreign network operators.

Most recently, Chinese delegates attending the Beijing-sponsored World Internet Conference in Zhejiang province pushed the cyber sovereignty notion that all nations (not just China) should have the right to regulate the Internet within their own borders. The big question, of course, is what this cyber sovereignty vision implies for the future of the Internet – including data privacy, intellectual property, and cross border data flows.

Why China’s Cybersecurity Law is so controversial

According to the framework of China’s Cybersecurity Law, Chinese authorities have the ability to conduct spot-checks on any company’s network operations at any time. Moreover, China’s Cybersecurity Law includes a provision for data localization, in which sensitive personal data about Chinese citizens would need to be stored within mainland China itself rather than outside its borders.

Already, there has been some pushback from service providers within the foreign community about what these two provisions of China’s Cybersecurity Law could mean for intellectual property and cross border data flow. For example, the intellectual property risk of China’s Cybersecurity Law is that random security assessment spot-checks required by the Chinese authorities could be used to force foreign companies to hand over source code, encryption information or sensitive network security data to the Chinese government. In turn, this intellectual property from information technology companies might eventually find its way into the hands of government-backed corporate rivals.

While these intellectual property risks might be exaggerated, the risks concerning cross-border data flow stemming from China’s Cybersecurity Law are not, because they would fundamentally require companies to re-think how they operate within China, as well as the network products and services they are able to offer.

If a company views the Internet as global and borderless, then it doesn’t matter if the data is stored in Beijing, London or San Francisco. However, if the Internet is subject to China’s cyber sovereignty vision, then the data most assuredly must be stored within China. That would force the world’s largest tech companies operating in China either to outsource domestic data storage to Chinese companies, or to commit to massive new infrastructure costs to ensure compliance with data transfer requirements.

Foreign companies speak out against cyber sovereignty

Interestingly, Apple CEO Tim Cook and Google CEO Sundar Pichai attended the 2017 World Internet Conference in person. This is a clear sign that China’s vision for cyber sovereignty has the ability to reverberate through the hallways of the world’s top tech companies. Both Google and Apple have had run-ins with the Chinese government before, and it can only be assumed that China’s Cybersecurity Law is adding to their concerns. For example, as the result of China’s push for cyber sovereignty, Google’s search engine is still blocked within China, while Apple has had to remove apps like Skype from the App Store.

And it’s not just Silicon Valley giants that are concerned by the Chinese Cybersecurity Law and creeping signs of cyber sovereignty. The German Ambassador to China has also raised concerns about the growing restrictions on German companies operating within China. In December 2017, the German ambassador publicly spoke out about Beijing’s new policies, suggesting that German companies are already threatening to pull out of China.

As German companies see it, China is attempting to strengthen its “Great Firewall” to such an extent that it is simply becoming close to impossible to do business in China. When you add in forced technology transfers and evidence of discrimination or obstruction by the Chinese government, then it’s easy to see why foreign companies might be dissuaded from investing further in China.

China defends its new Cybersecurity Law

As China sees it, however, the new Cybersecurity Law is simply an attempt to bring China in line with world norms and standards. Other countries around the world are also struggling with how to regulate the Internet, and China is attempting to lead rather than follow. Chinese president Xi Jinping has expressed on more than one occasion that China’s position is that no country should attempt to carry out a policy of “cyber hegemony.” From China’s perspective, Western governments are working very hard to create a framework for the Internet that will benefit Western companies, possibly to the detriment of citizens across the world.

The most obvious example, of course, is Google. As China sees it, Google is working to advance its vision for a global, borderless Internet solely because that is the regulatory framework that serves Google best as it expands around the world. From China’s perspective, Google is able to collect mounds of data and personal information about Chinese citizens, and then store all that data in Silicon Valley, where it is much easier to analyze it later. At a very minimum, then, China would at least like to have a say in what personal information is collected, and how it is used later by Western companies.

What is the long-term future of the Internet?

The growing trend, both in Asia and in Europe, is for countries to establish their own rights to govern and regulate the Internet as they see fit. In Europe, for example, the controversial new GDPR regulation, set to go into effect in May, is very much at odds with how Silicon Valley companies view the Internet. The GDPR explicitly requires any company doing business in Europe and collecting personal information about EU citizens to comply with European guidelines.

And there’s one more important factor to keep in mind, and that’s China’s growing heft in the Internet economy. By one estimate, 40 percent of the Internet companies worth $1 billion or more (the so-called “Unicorns”) are now Chinese companies. And Silicon Valley companies such as Google and Apple looking to grow their bottom line can no longer count on growth prospects in maturing Western markets – they are very much dependent on nations such as China for their future growth.

This growing power of China might explain why the likes of Google are able to overlook some of the regulatory decisions about Internet governance coming out of Beijing these days, such as the passage and enactment of China’s Cybersecurity Law. For three straight years, China’s Communist Party has used the World Internet Conference to advance its vision for cyber sovereignty. Now it looks like the various ideas and concepts undergirding this vision are starting to be put into effect for China’s Internet, with unknown implications. How this issue is ultimately resolved at the global level is almost certain to have a huge impact on future Internet development.