China’s legislature approved a cybersecurity law on Monday that human rights activists warn will tighten political controls and foreign companies say might hamper access to Chinese technology markets.
Chinese authorities say the law is required to prevent crime and terrorism. It also prohibits activity aimed at “overthrowing the socialist system,” a reference to challenges to the ruling Communist Party’s monopoly on power.
Chinese leaders promote internet use for business and education but try to block access to material deemed subversive or obscene. The country has the biggest population of Internet users at 710 million, according to government data.
The latest measure approved by the National People’s Congress requires companies to enforce censorship and aid in investigations and imposes standards for security technology. It tightens controls on where Chinese citizens’ data can be stored.
Human rights groups complain it will extend controls on a society in which media are controlled by the ruling party and the internet has provided a rare forum for individuals to express themselves to a large audience.
“The new cyber-security law tightens the authorities’ repressive grip on the internet,” said Patrick Poon, a China researcher for Amnesty International, in a statement. “It goes further than ever before in codifying abusive practices, with a near total disregard for the rights to freedom of expression and privacy.”
Passage of the law comes amid a crackdown on dissent under Communist Party leader Xi Jinping in which hundreds of human rights activists and legal professionals have been detained or questioned.
A coalition of business groups warned in August the latest proposed measures might limit access to China’s market for security technology in violation of Beijing’s World Trade Organization commitments. Business groups have complained Beijing increasingly is using regulation to try to squeeze foreign competitors out of promising industries.
“We believe this is a step backwards for innovation in China that won’t do much to improve security,” said James Zimmerman, chairman of the American Chamber of Commerce in China, in a statement. He said it will “create barriers to trade and innovation.”
The law’s requirements for national security reviews and data sharing will “unnecessarily weaken security and potentially expose personal information,” said Zimmerman. He said some measures “seem to emphasize protectionism rather than security.”
Chinese authorities cite the need to protect banks and other industries. But officials of Chinese industry groups quoted in the state press have said previous restrictions on use of foreign security technology also were intended to shield the country’s fledgling providers from competition.
Computer hacking is a chronic source of tension between Beijing and Washington. Foreign security researchers point to China as a major source of hacking attacks aimed at stealing trade secrets. In 2014, American prosecutors charged five Chinese military officers with hacking and economic espionage against six U.S. companies.
Chinese authorities deny they encourage hacking and say their country is a victim of cyberattacks.
On Monday, a Chinese official defended the law and rejected suggestions it was meant to keep out foreign vendors.
“Any company that wants to come in, as long as they obey Chinese laws, serve the interests Chinese consumers, we welcome them to come in, and to prosper together,” said Zhao Zeliang, director-general of the cybersecurity bureau of the Cyberspace Administration of China, at a news conference.
Business groups say a provision requiring security technology to be “secure and controllable” might require providers to tell Chinese authorities how their products work, raising the risk trade secrets might be leaked.
The coalition in August said the proposed measures did nothing to improve security and might weaken data protection.
Zhao tried to quell concern about the “secure and controllable” passage, saying criticism of it was based on “a misunderstanding, a bias.”
“Our requirements have been consistent: Vendors must not use their position as service providers to get user information or data,” he said. “Vendors cannot use their positions to illegally control and damage systems. Vendors must not harm fair competition or consumers.”
Filed Under: Industry regulations, Cybersecurity