Don’t be caught out by China’s new cybersecurity law

Pursuing business in China is tempting for many UK businesses. The US may currently be the world’s largest economy, but some projections have China catching up by 2024, and being twice as big by 2037. Even if China falls well short of these predictions, many businesses will look to China as a way to grow their customer base — especially for UK businesses given the uncertainties caused by Brexit.

But doing business in China comes with unique hurdles and pitfalls, and doing business online brings obstacles of its own. There are strict rules about what licenses need to be in place and what content is not acceptable.

These rules have just been updated to be even stricter and introduce more complications for businesses. Websites that break the new cybersecurity law, which came into force in June, could go permanently offline in China — with no way to appeal the decision.

So how do businesses know if they are affected by this new law, plus the existing laws that have been bolstered recently? And what steps can they take to ensure they remain online and trading in this potentially lucrative market? With more than 700 million internet users in China, businesses cannot afford to put their success in this market in jeopardy.

Breaking the law

Getting this right first time is vital. If businesses do not comply with the new law, they risk having their website blocked, and therefore will be unable to do business in the region. The licenses necessary to operate a website in China can be revoked for non-compliance, and re-acquiring these licenses can be very difficult.

Despite the sheer number of websites that exist, it’s still unlikely that a website that breaks the rules will be able to slip by unnoticed. The Chinese government dedicates a lot of resources to maintaining its control of the internet within its borders. Thousands of government officials, as well as intelligent algorithms, are continually investigating whether non-Chinese companies meet the requirements of the new legislation. Checks are being carried out to determine whether hosting providers and content delivery networks have the necessary licenses, and these companies are being asked by government officials to make the necessary changes as quickly as possible. If these companies do not comply with the new law quickly, their license may be withdrawn.

Businesses that want to stay online in China need to get up to speed with the demands of this law quickly.

Understanding the laws

The first step to understanding the demands of the new and updated laws is to read them. But with legal texts outlining the law only available in poorly translated English, this is tricky.

However, one of the most important aspects of the law states that any data that is defined as sensitive, or that contains personal information about Chinese citizens, must be hosted in China and cannot leave the country unless permission from the government has been granted. Therefore, any data about customers in China that is collected and then transmitted outside of China runs the risk of breaking the law, no matter how securely it is held.

The right licenses are vital. An ICP Bei’An is required for any domains delivering content from and within mainland China. It has been a requirement for any website in China for some time, and any website that has been operating in China is likely to have one already. Also required is a “PSB Bei’An”, which despite the similar name is a separate requirement. All domains serviced through the network infrastructure in China must obtain this. There are other licenses that may be required depending on what exactly the website provides.

Also, any domain serviced through the network infrastructure in China may now need to have its origin in China, and draft legislation suggests that domains may need to be registered through a Chinese domain registrar.

The law has a huge impact on network operators and critical information infrastructure operators (CIIOs), as they tend to host web content on behalf of other companies. Many companies turn to network operators or CIIOs to deal with the difficulties in ensuring good web performance in the region.

The law can ultimately impact any business, regardless of industry. Whether it is manufacturing, business services, tourism, media, online advertising, or gaming, if you host web content within China, or if you work with a cloud or infrastructure partner that hosts web content in the region for you, you must adhere to the new regulations – or risk being blacklisted.

Complying with the law

Clearly, ensuring compliance is no simple task. Businesses must first, and perhaps most crucially, check where their data is kept and processed. All companies should review whether their web services need to be available via a node or server in China. If a company’s own infrastructure is used, it must be checked for conformity. Alternatively, the hosting, cloud or CDN provider engaged by the business must be compliant with the new regulation. And even if the changes to the law mean no change for a business, this is a good opportunity to check that the licenses necessary for any domain delivering content from and within mainland China, or using an ISP or CDN in China, are valid and up to date.

It’s tricky for any business without offices and expert personnel in China to make these changes, so working with local experts with the right relationships can help make sure that the right forms are completed and all compliance needs are met.

Going beyond compliance

These rules are not the only hurdles that a business can face when going online in China. The Golden Shield checks for content deemed unsuitable and keeps it from reaching people in China, and there are also in-country latency issues, where poor connections mean content is slow to load or might not make it at all.

Working with a hosting, cloud or CDN provider for the Chinese market will not only ensure compliance, but also accelerate web services to mitigate these delays. Chinese consumers react in exactly the same way to slow-loading websites as consumers around the world – they will abandon the site and look elsewhere.

China is undoubtedly going to be a major target for many businesses around the world looking to grow their customer base and reach a previously untapped market. But one wrong move — a missing license, a domain registered incorrectly, personal data stored outside China, or some other mistake — won’t just lead to a fine and a stern telling off, but will in fact lead to doing business within China becoming next to impossible.

As with many facets of running a business, compliance is everything. But this is not just about taking the necessary steps to adhere to the new rules and regulations. Ongoing compliance with such a complicated web of rules requires working with local experts who can guide your business through every step, including future changes, keeping this lucrative market open.

Chris Townsley, EMEA Director, CDNetworks