Privacy and Internet-Based Business are Challenged in China
I recently enjoyed a trip to China with my family, visiting large cities like Beijing and Shanghai, as well as quieter scenic villages along the Yangtze River. With a staggering population of almost 1.4 billion, I was constantly impressed, at airports and train stations, with the people management skills of this beautiful country. But what I found particularly eerie, is the surveillance state in which the Chinese people live. Our guides raved about the convenience of WeChat for communications and for mobile payments, but there is an unspoken awareness that the Chinese government has full access to WeChat’s servers and monitors its use. Surfing on the Internet in China is also an interesting experience – you can read bits of news but click on an embedded video and you may find it’s blocked. All Google sites and services are deemed by the Chinese government to be inappropriate for public viewing within the country’s walls.
I also became particularly aware of the number of government installed security cameras – they can be seen on highways, in public parks, in elevators, on public buses, really everywhere. In doing a bit of research, I discovered that the government of China has installed over 20 million surveillance cameras across the country. The government routinely uses cameras to monitor its citizens, and many human rights activists say the implications of so much surveillance in the hands of an authoritarian regime, operating without the rule of law, are scary.
In 2011, the Beijing Municipal Science & Technology Commission proposed a mobile phone tracking programme, to be called the Information Platform of Realtime Citizen Movement, which was ostensibly intended to ease traffic flow on the city’s streets. In 2014, the State Administration of Press, Publication, Radio, Film and Television announced that real names would be required of users who wished to upload videos to Chinese web sites – apparently the requirement was meant to prevent the posting of content that could have a negative effect on society.
China’s New Cybersecurity Law
And now, this past summer China’s 2016 Cybersecurity Law went into partial implementation. While Chinese officials say the new rules will help guard against cyberattacks and prevent terrorism, many businesses are concerned. Companies worry that parts of the new law will make their operations in China less secure or more expensive.
One part of the law that has particularly upset foreign tech companies deals with data localization and data export — in other words, where companies can store data and move data. It’s a theme of control often repeated by Chinese authorities, such as for WeChat, China’s most popular messenger.
Article 37 reads (in part):
Personal information and important data collected and generated by critical information infrastructure operators in the People’s Republic of China must be stored domestically.
And it continues:
Where due to business requirements it is truly necessary to provide it [data] outside the mainland, they shall follow the measures jointly formulated by the State network information departments and the relevant departments of the State council to conduct a security assessment…
While the Cyberspace Administration of China, the country’s Internet regulator, has delayed the latter part’s implementation until 2018, companies are rightfully complaining…
Why is keeping data in one place burdensome for foreign companies?
Data collected on-line often flows between borders, and data storage and movement is an important issue for global commerce. China’s law defies the principles of free trade and an open global Internet. For example, when a potential virus is detected on a foreign-made software program on a Chinese computer, data about that virus might be sent to the company’s servers overseas. When a foreign-made medical device malfunctions in China, it’s best for the data to flow to a centralized location for troubleshooting. And when a Chinese user inputs their phone number on a foreign social media app (say WhatsApp, which is not blocked in China), that data might be stored on the company’s servers overseas.
If the flow of information is restricted, as the law proposes, companies are forced to provide duplicative services in China, and need to decide if that is worthwhile from a cost perspective. For many, it is – China is a huge market to tap into. Forcing companies to store data originating from one (very big) country inside its borders can not only get expensive, but can be a logistical nightmare (as it was for Uber that has pulled out of China). Businesses have to make arrangements with cloud service providers in the country, or build their own data centers. From the perspective of most businesses, regardless of where they are located, the question of “Where should data live?” has an easy answer: wherever the business wants.
What about privacy?
In the Chinese government’s view, data originating from China ought to be kept inside China’s borders because it is not safe elsewhere, period. Protecting user privacy is one plausible justification for this view, and on the surface, these concerns seem perfectly valid. This view is held by the EU for example – that is, it’s the government’s responsibility to protect its citizens, in the name of ensuring privacy. And one way to do that is by keeping personal data inside Europe’s borders. The revelations of former national security contractor Edward Snowden showed how many major US tech companies complied with US government requests to enable state-level surveillance.
However, the EU Commission also recognizes that the free transfer of data is critical for free and fair trade. It has worked out agreements on how commercial and personal data originating in one region can be protected when it moves to another. Privacy Shield, for example, is a program that sets standards for data collection, transfer, and disclosure that member US companies must abide by to legally do business in Europe. Indeed, China’s Cybersecurity Law is peppered with references to the importance of user privacy.
Promises to safeguard “privacy” ring hollow in China however – there’s more than enough reason to doubt that the Chinese government’s true motivations lie in protecting its citizens’ privacy. The American Chamber of Commerce in China has stated that despite claims about safeguarding data, “there is little to prevent security authorities from interpreting the law as providing expansive access to private information, trade secrets, intellectual property, or internal business communications.”
The Chinese government clearly has a well-known track record of spying on its citizens, and the new cybersecurity law appears to be part of the government’s wide-ranging efforts to manage the Internet within China’s borders.
China is succeeding in Building Borders for the Internet
For all the hype about the Cybersecurity Law, many Internet companies have already largely complied with China’s policy on domestic data storage because that’s what the Chinese government has always wanted. Here are some examples of companies that announced that they have begun storing data for its Chinese users on servers in China:
This willing compliance is just as worrisome as the law itself, because it sets a precedent for more countries to follow. Other governments, like Russia, have supported similar data localization requirements, but have not been as aggressive as China has toward implementing them. If other authoritarian governments are eager to police the Internet but worried foreign companies won’t comply, they need only look to China to understand the possibilities.
As one of our guides stated after a memorable climb of the Great Wall of China, “Building walls is our strong suit”.
We think of the Internet as borderless, but in fact when the will of the state and the acceptance of its people are strong enough to make data control and public surveillance the norm, new walls become a reality. The costs to business fluidity, and personal privacy affect us all.1