Foreign business groups push for delay in controversial China cyber law

BEIJING (Reuters) - Overseas business groups are pushing Chinese regulators to delay the June 1 implementation of a controversial cyber law that mandates strict data surveillance and storage for firms working in China, saying the rules would severely hurt business.

Slideshow ( 2 images )

The European Union Chamber of Commerce in China and U.S.-based Business Software Alliance say the law, passed by China’s largely rubber-stamp parliament in November, as well as rules for implementing it, need further review before being rolled out.

The new regulation includes requirements for data to be stored locally as well as contentious security reviews, which critics say could unfairly target foreign firms.

In a letter to the government’s Cyberspace Administration of China dated May 11 and seen by Reuters, the EU Chamber said the new rules were “fraught with weaknesses,” would lead to “great uncertainties and compliance risks” and crimp China’s booming information technology market for both foreign and domestic companies. It recommended delaying the law to “allow sufficient discussion”.

Several foreign business sources have said dozens of leading business associations from Japan, Australia, the United States and Europe are preparing a separate joint letter to Chinese cyber authorities ahead of June 1, asking the government to delay the implementation date.

Lawyers say while lobbying is highly unlikely to stop the government from moving ahead with the rules, authorities probably won’t police the industry too harshly initially.

Up until now, China’s data industry has been governed by loosely defined laws but no overarching data protection framework.

The new law codifies much stricter controls than other regions including Europe and the United States.

On top of internationally common standards, such as requiring user consent before moving data beyond country borders, China’s new cyber law also mandates companies store all data within China and pass security reviews.

The rules align with China’s own ethos of “cyber sovereignty,” the idea that states should be permitted to govern and monitor their own cyberspace, including control of incoming and outgoing data flows.

The Cyberspace Administration of China, the country’s top cyber ministry, did not immediately respond to Reuters’ request for comment.

“It doesn’t look to us like there’s going to be the regulatory clarity necessary for the cybersecurity law to be fully enforced on June 1,” said Jared Ragland, senior director of policy for the Asia-Pacific region at software lobbyist group BSA.

China’s cyber authority said in November that the law is not intended to unfairly target foreign companies, and is a response to increased threats from cyber-terrorism and hacking.

The government has already released rules as part of the new framework that restrict the movement of data outside Chinese borders and require yearly reviews of data by authorities.

“It’s pretty clear that the law will be enforced from June 1... but I don’t think it will be very strictly enforced from day one,” said Barbara Li, a Beijing-based partner with law firm Norton Rose Fulbright.

“The law is going to affect a lot of international companies and also Chinese companies that transfer data for the business across the border.”

Editing by Sam Holmes and Randy Fabi