China’s new Cyber Security Law came into force 1 June 2017. Many foreign businesses have been concerned about impact on their operations, given some of the provisions are unclear or broad or waiting to be further explained by regulations.
On 31 May 2017 China’s Cybersecurity Administration gave a grace period for compliance with the new Law for foreign firms, showing the constant complaints and submissions by overseas groups and companies has made some impact. This forms a 19 month extension for foreign corporations to get the house in order. The grace period was likely because the regulations are not yet in place. Also, the regulatory bodies which must cooperate to enforce such laws are probably not yet set up to do so. China’s Cybersecurity Administration has consistently stated the restrictions regarding cross-border data flow were not supposed to disrupt email, commerce and other commercial activity. It is however hard to see how that could not be the case without severe limitations on the scope of the law through guiding regulations. The requirement that critical data and critical information infrastructure be kept in Mainland China is a setback to some cloud computing initiatives. If however analytics systems can be built which the regulators will find acceptable, for many clients some degree of this process can be automated.