May 31, 2017 07:48 PM

Foreigners Get Minor Concessions in Cybersecurity Law

(Beijing) – Provisions of China’s new cybersecurity law set to take effect Thursday contain some modifications affecting cross-border data transfers in response to foreign concerns, but are broadly the same as an earlier draft, according to the U.S. Chamber of Commerce.

The law has come under great scrutiny in the run-up to its June 1 implementation, with foreign companies complaining of vague provisions and invasive elements that require them to reveal proprietary product information. China argues the law, a first draft of which was unveiled two years ago, is necessary to protect its cybersecurity.

The Cyberspace Administration of China (CAC) issued a Q&A on Wednesday addressing the reasons for the law and what it will do. It points out the law won’t apply to all data and networks, but only operators who oversee “key information infrastructure.”

“It’s not targeting all data, but personal data and key data,” said the Q&A, which was published on the CAC’s website. “It targets only key data for the country, not for companies or individuals. For data that needs to go abroad, it can still do so after security assessment to ensure it does not hurt national security or public interests.”

A version of the law was officially adopted by the Standing Committee of China’s legislature last November. But an email sent by the Washington-based U.S. Chamber of Commerce to its Asian members last week indicates some relatively minor changes were made since then. The email also indicates implementation of parts of the law’s provisions relating to cross-border data transfers will be delayed until the end of next year.

The U.S. Chamber said that the CAC hosted a meeting with about 100 representatives of foreign embassies, chambers of commerce and trade associations on May 19. During that meeting it released a revised draft of some provisions associated with the law, according to a copy of the U.S. Chamber of Commerce email dated May 24.

“The revised draft measures address some concerning provisions that the Chamber China Center raised in its joint submission with AmCham China, Shanghai, and South China to the CAC,” the U.S. Chamber wrote in the email. “But, overall, the potentially broad scope of the draft revised measures appears largely the same.”

The email detailed a number of changes to the latest draft, which it believes is the likely final version. Those include a revised provision that “internal company data transfers will not be subject to a security review if the company does not use its network to commercialize data externally”; and that “implied consent will be a sufficient standard for processing cross-border data transfers.”

The U.S. Chamber also noted that parts of the law will be subject to a phase-in period.

“The Cybersecurity Law and the revised draft measures both take effect on June 1, 2017. However, cross-border data transfers will not be required to conform to the revised draft measures until December 31, 2018,” the email said.

The AP and Washington Post also reported about the Cyberspace Administration officials briefing the foreign embassies and trade organizations about revisions of the cybersecurity provisions.

Contact reporter Yang Ge (


You've accessed an article available only to subscribers
Share this article
Open WeChat and scan the QR code