U.S. companies should worry about increasingly complicated requirements under the Chinese Network Security Law. Are there any lessons for India?
The Cyberspace Administration of China has published a set of draft rules establishing a network security review committee responsible for assessing the security of network equipment and services under the new Network Security Law.
The security review has several motivations. For example, it aims to reduce the risks that network equipment or services may be controlled, interfered or interrupted, or network users’ personal information may be illegally collected, stored, processed and used.
Under the draft rules, no political office or critical information infrastructure operator (CIIO) in China can purchase any network equipment or service that has not passed the scrutiny of the committee. CIIOs are broadly defined, including infrastructure used by the public communications, information services and public utility sectors.
The CIIOs also include any other infrastructure that if damaged or malfunctioning could significantly jeopardise China’s national security or public interests. As public information service providers, data centres and cloud service providers are likely subject to these restrictions.
It is not yet clear whether U.S. equity interests will have adverse impacts in obtaining permission from the committee to transact with CIIOs. U.S. companies interested in the Chinese market should get prepared for the increasingly complicated compliance requirements under the Network Security Law.
For example, the law, which takes effect July 1, requires that all CIIOs enter into security and confidentiality agreements with suppliers when purchasing network products or services.
Currently, there is no restriction on foreign ownership of network equipment companies in China. Many U.S. network equipment companies have established wholly owned subsidiaries there.
However, the Chinese government has always been sceptical of foreign ownership of Internet service providers. Foreign investment is strictly prohibited in the operation of data centres.
Although it is legally possible for a foreign invested company to obtain an Internet content provider licence or an Internet service provider licence, the chance of approval is slim. Most non-Chinese companies chose to go through a variable interest entity (VIE) structure for indirect control of a local company with such license.
The VIE structure is certainly not a perfect solution. It could be rendered void by a Chinese court as an intentional circumvention of the Chinese regulations, which has happened in a number of cases.
In order to operate cloud services in China, Amazon and Microsoft had to enter into contractual arrangements with local licensed data centres. The legality of such arrangements is not yet completely clear, especially in light of the recent denouncements of “sublicensing” of authorised Internet service providers by the Ministry of Industry and Information Technology of China.
There are related issues worth noting with U.S. authorities, too. On February 4, a U.S. judge ordered Google to hand over emails stored outside the U.S. to the FBI as part of a domestic fraud investigation. It reversed a previous decision in which Microsoft was not forced to hand over emails stored on a server in Dublin.
The order, if upheld, could give the U.S. government agencies, such as the FBI, access to information around the globe controlled and retained by a U.S. company. It could also give the to-be-formed network security review committee one more reason to reject U.S. companies’ applications to get the necessary permission to transact with CIIOs in China.
This article first appeared on EE Times U.S.