5 - The Cyber Security Law

Summary

The key provisions of China’s Cyber Security Law relating to data localisation and data exits still allow for competing interpretations by regulators, which makes compliance difficult, even in 2021. The further attempt to include ‘backdoor’ keys to encryption in this law is also noted, although foreign companies have managed to exert some influence on this point and other implementation issues. The Cyber Security Law is an important and high-profile development in Chinese cyber policy history. It created much more controversy than the Anti-Terrorism Law explained in the previous chapter. In recent years, China has gradually adopted a series of laws, regulations and macro policies in the field of cyber security and data protection aimed at turning the country into a ‘cyber superpower’ and boosting its digital economy. The Cyber Security Law, which came into partial effect from 1 June 2017 (with an official 18-month phase-in period for the data localisation provisions), is a milestone in the development of China’s legal framework for cyber security and data protection. The law also provides further evidence of the inherent tensions underlying the innovation policies described in Chapter 3. However, vague regulations allow regulators leeway to adjust their aims in response to broader economic and political trends by means of implementing rules. Finally, clarifying the vaguest provisions in the Cyber Security Law through more transparent rules may provide an opportunity for the Chinese government to decide which way it is heading: towards further innovation or further restriction beyond the ongoing US–China trade war.