China’s Unprecedented Cyber Law Signals Its Intent to Protect a Precious Commodity: Data

Many aspects of the country’s sweeping new regulation seem to have been left unclear on purpose.

An aggressive new cybersecurity and data protection law in China that goes into effect today will have global ripple effects, and could serve as a model for other governments. But the Chinese government has also left many parts of the law vague—likely an intentional move meant to allow the country to stake out its own sense of “cyber sovereignty” while waiting to see how the U.S., Europe, and others decide to regulate the flow of data across international borders.

The new law is a resounding announcement from China that it intends to be a global player in controlling perhaps the most precious commodity of the digital economy: data. When the country announced the law late last year, it immediately inspired backlash from trade associations and chambers of commerce across the world, who said it would hurt the ability of foreign companies to compete in China.

That may be correct, but it’s hard to know how the law will actually change things because the most controversial aspects of it are so vague.

Among them is a requirement that certain companies submit their products to the government for cybersecurity checks, which may even involve reviewing source code. How often this would be required, and how the government will determine which products must be reviewed, are unknown. This could come into play as part of China’s broader regulatory push to expand law enforcement’s power to access data during criminal investigations.

Another vague directive calls for companies to store certain data within the country’s borders, in the interest of safeguarding sensitive information from espionage or other foreign meddling. The government has delayed the implementation of this change until the end of 2018, however.

The reason for the delay seems to be that China wants its laws governing the cross-border flow of data to be “consistent with accepted international practices,” according to the authors of a recent research brief from the Eurasia Group, a political risk consultancy. Those practices include the European Union’s General Data Protection Regulation, set to take effect next year, and the Privacy Shield, a framework that allows for the commercial exchange of data between the United States and European Union in a way that complies with each government’s respective data privacy laws. Like China’s new law, though, these agreements are still works in progress.

“This is the Chinese government's entry into an emerging field that is going to be a huge area of policy development worldwide,” says Graham Webster, an expert in China-U.S. relations at Yale Law School.

Governments around the world, including the U.S. and in Europe, are grappling with uncertainty over how to maintain digital sovereignty and security while still capitalizing on the lucrative global digital marketplace. While the U.S. has taken a relatively hands-off approach, the EU is pursuing relatively strict data protection policies that are more in line with some of the measures in the new Chinese law, says Webster.
