This week China's Cybersecurity Law—one of China's most controversial pieces of legislation in recent times—is finally taking effect. Many foreign companies have signalled doubt or concern about this particular piece of legislation, even reportedly leading to a delay in implementation of some of its mandates.
There has been more than enough writing about the potential negative impact this new law may have on foreign businesses in China, from the strict data localization requirements to cybersecurity review requirements for software, hardware, products and services. As the law is now irrevocably coming into force, the question is more what foreign businesses can do to adapt to or mitigate the law's effects.
Part of the answer is that, at a macro-level, the international trade game is rapidly changing. Many current business executives enjoyed their formative experiences during the 1990s, that interesting post-Cold War period where the dissolution of the Soviet Union seemed to herald an age of unbridled globalization. With the ideological adversary out of the way, it seemed businesses could now expand around the globe on a level playing field created by Euro-American dominance in the global trading system. The notion that the national interest could (and even should, in some eyes) prevail over economic efficiency was taboo. Instead, the entire world should be rendered open for business, which often led the way for American businesses to exploit the new economic openness to globalize its value chains.
The Internet, more than any other artifact, symbolizes this interesting – if naïve – epoch. This (largely) American creation rapidly spread around the globe, with U.S. businesses following in its wake. On the information superhighway, information was supposed to circulate freely, without the obsolescent impediment of national borders or influence of “legacy” governments. These new technologies would liberate hitherto subjugated global population, flatten the world for economic exchange and investment, and eliminate authoritarian regimes.
This was, however, a narrative that China resisted. Already very early on, China developed a keen sense that these new technologies were not merely a force for good, however defined. In its own definition of its national interests, in which preservation of the political status quo plays an important part, China's government saw it as a necessity to delineate its own borders in cyberspace and police them as it did its borders in actual space. In its own eyes, the troubled consequences of the Arab Spring and various colour revolutions justify a stronger Chinese approach, which regiments foreign businesses' access to the Chinese market on the basis of domestic needs and objectives. The cybersecurity law does little more than formalize that point: that China now sees the management of cyberspace as a crucial policy objective and is willing to invest heavily to obtain it.
In short, China's political project remains self-generation in all senses of the world, which nearly automatically means limited or controlled engagement with foreign commercial counterparts. Foreign businesses need to understand this in order to position their own potential contribution to that process of development as a path to growth.
Yet at the same time, those issues of high principle do not always inform what occurs in the nitty gritty of policy making. One of the reasons the immediate impact of the Cybersecurity Law will be limited, is that much of the highly complex subordinate regulatory work has not yet been finished. It is one thing to make a diplomatic statement about cybersovereignty, yet quite another task to then design an appropriate regulatory structure for cross-border data flows. It is one thing to announce software and hardware must be secure and controllable, yet quite another to enforce it.
It is here, at the micro-level, that businesses may also have an influence, which may even be more direct that litigation or lobbying of their own government. Contrary to many fears about China's cybergovernance structure, much of its regulatory work is undertaken by experts who often have a rather sophisticated understanding of international best practices. Convergence with international norms is not merely a stated ambition, it is something one finds quite clearly in public standardization documents – even if the topic is somewhat less sexy than regulating cross-border data flows.
That, however, requires that companies relearn the lessons of the past. Boundaries are making a rapid return in cyberspace, and it is difficult to counter this reëmergence of national borders by business tactics that companies have developed in the past few decades. Rather, it will be up to them to directly engage with Chinese regulators in ways that aren't necessarily their chosen worldwide policy, but that do reflect what they can get away with on the Chinese market.