China’s New Cybersecurity Program: NO Place to Hide

The Chinese government has been working for several years on a comprehensive Internet security/surveillance program. This program is based on the Cybersecurity Law adopted in 2016. The plan is vast and includes a number of subsidiary laws and regulations. On December 1, 2018, the Chinese Ministry of Public Security announced it will finally roll out the full plan.

The core of the plan is for China’s Ministry of Security to fully access the massive amounts of raw data transmitted across Chinese networks and housed on servers in China. Since raw data has little value, the key to the Ministry’s success will be in processing that data. Seeing that this is the key issue, the Ministry has appointed Wang Yingwei to be its new head of the Cybersecurity Bureau. Wang is a noted “big data” expert and he will be tasked with making sense of the raw data that will be gathered under the new system.

The plan for the new system is ambitious and comprehensive. As explained by Guo Qiquan, the chief cheerleader for the plan, the main goal of the new system is to provide “full coverage.” In Guo’s words, “It will cover every district, every ministry, every business and other institution, basically covering the whole society. It will also cover all targets that need [cybersecurity] protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet.”

This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government. Since the Chinese government is the shareholder in all SOEs and is now exercising de facto control over China’s major private companies as well, all of this information will then be available to those SOEs and Chinese companies. See e.g. China to place government officials inside 100 private companies, including Alibaba. All this information will be available to the Chinese military and military research institutes. The Chinese are being very clear that this is their plan.

In the past, foreign owned companies in China were generally able to avoid the impact of this type of system in two ways. They did this primarily by establishing VPN internet servers in their own offices. These servers used VPN technologies to isolate data from the Chinese controlled networks, allowing for the use of a company intranet that maintained the secrecy of emails and data stored on the company servers in China. As cloud computing has advanced, foreign owned companies typically use the same VPN technologies to isolate their cloud based servers from the Chinese controlled system. Though the Chinese authorities often complained about these VPN systems, foreign companies were usually able to claim that their special WFOE status exempted them from Chinese data controls.

However, with the roll-out of the new system, that will all change. First, the Cybersecurity Law and related laws and regulations are very clear that they apply to all individuals and entities in China without regard to ownership or nationality. There are no exceptions. More important, the new Foreign Investment Law that goes into effect on January 1, 2020 eliminates any special status associated with being a WFOE or other foreign invested enterprise. Foreign owned companies will be treated in exactly the same way as Chinese owned companies. See China’s New Foreign Investment Law Benefits: Like Putting Lipstick on a Pig. This means the Cybersecurity Law will apply to foreign owned companies (WFOEs, joint ventures, and Representative Offices) in the exact same way it applies to Chinese owned companies and individuals. There will be no place for foreign owned companies to hide.

This means intra-company VPN systems will no longer be authorized in China by anyone, including foreign companies. This in turn means all company email and data transfer will be required to use Chinese operated communication systems that are fully open to China’s Cybersecurity Bureau. All data servers that make any use of Chinese based communications networks will also be required to be open to the Cybersecurity Bureau’s surveillance and monitoring system.

It is important to fully understand what this means. Under the Cybersecurity Law, the Chinese government has the right to obtain from any person or entity in China any information the Chinese government deems has any impact on Chinese security. The Chinese government understands that foreign companies and individuals will be reluctant to simply turn over their information to the Chinese government when asked. For that reason, the Chinese Cybersecurity Bureau does not plan to politely make a formal request for the information. The fundamental premise of the new cybersecurity systems is that the government will use its control of communications to simply take the information without discussing the matter with the user. All data will be open to the Chinese government.

This system of constant and pervasive access to and monitoring of data sets up a fundamental conflict for U.S. and many foreign companies operating in China because U.S. law in many cases mandates much information be kept secret. But Chinese law now requires complete government access to those secrets if those secrets cross the Chinese border for any reason. This conflict puts many U.S. and foreign companies that operate in China in an impossible legal bind. I include foreign companies because foreign companies with U.S. subsidiaries or even certain sorts of relationships with U.S. companies will also be bound or at least impacted by these U.S. secrecy laws.

First, as the scope of what the U.S. government designates as controlled information and technology begins to expand, the restrictions on what cannot be transmitted across the Chinese border increase. See this post on what will likely constitute a restricted “emerging technology” under U.S. law. U.S. companies used to take the position that their information in China is on a private server isolated from the Chinese government and if the Chinese government requests this information, “we will refuse to comply.” This argument will no longer work because the Chinese government will no longer ask for the information, it will simply take it without asking for permission.

Second, much intellectual property is protected as a trade secret rather than because it is registered as a patent. In fact, the value of many U.S. patents lies in their supporting trade secret know-how. Trade secrets are a form of property and as property such trade secrets are protected under U.S. law. However, the general rule for being able to maintain something as a trade secret (under U.S. and China and EU law) is that the holder of the trade secret must take reasonable steps to maintain its secrecy. Once a trade secret has been intentionally or unreasonably revealed by its holder, its protection as trade secret property is terminated. This then leads to the conflict.

Under the new Chinese system, trade secrets are not permitted. This means that U.S. and EU companies operating in China will now need to assume any “secret” they seek to maintain on a server or network in China will automatically become available to the Chinese government and then to all of their Chinese government controlled competitors in China, including the Chinese military. This includes phone calls, emails, WeChat messages and any other form of electronic communication. Since no company can reasonably assume its trade secrets will remain secret once transmitted into China over a Chinese controlled network, they are at great risk of having their trade secret protections outside China evaporate as well.

The U.S. or EU company may have an enforceable agreement with the Chinese recipient of its confidential information. So trade secrecy is protected with respect to that authorized recipient. But if the secret is easily available to the Chinese government, there is no real trade secret protection.

By giving the Chinese government and its cronies full access to its data, the U.S. or EU company may very well be deemed to have illegally exported technology to China and it could face millions of dollars in fines and even prison sentences for some of its officers and directors. There is an inherent conflict between foreign laws mandating a company not transfer its technology and China’s laws which effectively mandate that transfer.

Under China’s new cybersecurity system, there will be no place to hide.

9-30 Update. The New York Times has a story today on “the Communist Party’s view of business as a means of control.”