China’s first cyber security law will increase costs for multinationals, leave them vulnerable to industrial espionage and give Chinese companies an unfair advantage, business representatives and analysts have warned.
Aspects of the measure, which comes into force on Thursday, have been widely welcomed as a milestone in introducing much needed data privacy. But analysts have expressed fears it could help Beijing steal trade secrets or intellectual property from foreign companies.
“The law is both extremely vague and exceptionally wide in scope, potentially putting companies at risk of regulatory enforcement that is not related to cyber security,” said Carly Ramsey, associate director at Control Risks, a risk-management consultancy.
Foreign companies had petitioned Beijing to delay the legislation. “It is vitally important that [these measures are] proportionate, consistent, non-discriminatory and formulated in a transparent manner. Regretfully, this is not yet the case,” said Michael Chang, vice-president of the European Chamber of Commerce in Beijing.
The law is part of a drive by Beijing to shield Chinese data from the eyes of foreign governments after US whistleblower Edward Snowden revealed that the US was spying on communications from multinationals, say analysts.
“The message is clear that the government will encourage more domestic development of technology, and that it now sees privacy and cyber security as vital national concerns,” said Xun Yang, a lawyer at Simmons & Simmons in Shanghai.
Under the new law, companies must introduce data protection measures — a novelty for many Chinese businesses — and data relating to the country’s citizens or national security must be held on Chinese servers. Companies will have to submit to a review by regulators before transferring large amounts of personal data abroad.
However, “critical” companies — a widely drawn definition that encompasses sensitive entities such as power companies or banks but also any company holding data that, if breached, could “harm people’s livelihoods” — will have to store all data collected in China within the country.
These companies, and any services bought by them, must go through a “national security review” to ensure they and their data systems are “secure and controllable”.
The measure allows Beijing to request computer program source code, which is usually known only by the software developer.
National security reviews may also allow Beijing to delve into companies’ intellectual property, analysts warn.
Even fast-food delivery companies could be considered critical infrastructure, Shanghai regulators ruled during a pilot run for the law — presumably, analysts suggest, because they hold information on millions of users.
Multinationals will be hardest hit, as the data localisation measures prevent them pooling client data in cloud storage databases across the world. The need to store some data on China-based servers and the rest elsewhere will add to fragmentation and cost. “It’s huge work for foreign companies to restructure their business,” said Mr Yang.
Cloud storage companies are also affected. One lawyer said his foreign clients were switching data from Amazon Web Services in Singapore to Alibaba’s China cloud service.
China’s own technology companies will themselves be hit. The bulk of Alibaba’s ecommerce takes place in China, but it has increasingly been setting up cloud data centres around the globe. “We comply with applicable laws in jurisdictions where we operate,” said Alibaba.
While the new law is causing angst in foreign boardrooms, the personal data privacy provisions are in line with worldwide practice, said Scott Thiel, partner at law firm DLA Piper in Hong Kong. For example, it accords with Europe’s General Data Protection Regulation, he said.
But analysts suspect enforcement in China might be tinged with political goals.
A proposed supplementary law on encryption, published in April, allows the government to demand “decryption support” in the interests of national security. Effectively, this means the government can force companies to decode encrypted data.
“In the US Apple refused to open [the San Bernardino shooter’s] iPhone for the FBI. I cannot imagine that happening in China,” said one lawyer.
Although the law makes no distinction between local and foreign businesses, Chinese companies are less concerned, say lawyers. They are less likely to use cloud services and have a smaller presence abroad, and those with overseas operations tend to send data back to their Chinese headquarters rather than taking any out of the country.
Domestic companies are also less bothered by legal vagueness, said Mr Yang. Foreign companies take laws literally, while their Chinese counterparts tend to tease out their overall message — in this case, that they must take cyber security seriously — and wait for specific guidelines to be handed down by their industry regulator.
But they also know the law is not designed to cause trouble for local businesses.
“The big banks are close to government and know they will be considered in the legislative process,” said Mr Yang. “The same goes for big technology companies like Alibaba.”