China's New Cybersecurity Law Carries Death Penalty For Some Offenses
China's latest cybersecurity law came into force last week and the sky did not fall and companies have not shuttered.
After months of haranguing by foreign chambers of commerce, symposiums about draft versions of the law, and many news stories, the Cybersecurity Law went into effect. The law lists the death penalty as one of the worst penalties related to the state secrets provision in the law.
The law also requires critical information infrastructure operators to protect "important information", though the law does dot clearly delineate what information is important. The consensus is this important information refers to state secrets, intellectual property, and consumers' personal information.
The most significant change is that Chinese citizens' "personal information" and "important data" must now be stored on servers within China. Any companies claiming an exception that is "truly necessary" must undergo a security assessment before information can be released.
So this will affect marketing companies and those whose databases may contain Chinese users' domestic information. For example, if a marketing company has a global database of dentists, and 20% of that database contains records of dentists inside China, then those Chinese dentists' records must ostensibly be placed on servers inside China and not transmitted outside of China unless the company undergoes a security assessment.
Especially in cloud computing environments, where data may easily flow from a server in one national jurisdiction to another, this law will impact how businesses do business. If a small business in Shanghai wants to backup its servers and data offsite to a data center in Singapore or Seoul, the law now prohibits this type of data transfer.
But it can also affect Chinese companies who wish to expand overseas. If a company has a distributed application with a content distribution network service that assists the application to run faster for users around the world, the use of the CDN on offshore services appears to be prohibited by the new law. So how can Chinese companies legally now serve data from their base in Beijing to a user in Germany? It is still unclear and still a sign that technology is outpacing even the newest laws and regulations.