As I noted in a previous AEI blog (0), it was clear during my recent visit to Beijing that Chinese leaders strongly believe the April Trump-Xi Jinping summit represented a “turning point” in US-China relations and led the way toward solving a number of pressing bilateral issues during the “100 days” negotiating period the two leaders had laid out for concrete results. My AEI colleagues and I, while not wanting to rain on the parade, did express skepticism over the euphoria and potential for achieving major breakthroughs in that brief time span. And it should be pointed out that in recent days, US Treasury Secretary Steven Mnuchin spoke of (1) both a 100-day plan and a longer term, one-year set of negotiations.
Whatever the original timetable the Trump administration has foreseen — and in spite of the necessity to persuade Beijing to intervene in the erratic and dangerously unstable North Korean regime — the president and his top economic and security advisers should not wait to force a showdown with China over the web of market-closing laws and regulations that are shutting US and other foreign corporations out of China’s high-tech information and internet-related sectors. Most specifically, the administration should immediately confront Chinese leaders over the recently enacted cybersecurity law, which The Economist has warned (2) could well constitute “a Trojan horse designed to promote China’s aggressive policy of indigenous innovation.”
The cybersecurity law
The new cybersecurity law came into legal force on June 1, having been several years in the making over vehement protests of foreign governments and multinational corporations. While some minor revisions occurred during the process and the Chinese Cybersecurity Administration attempted to (3) “calm jittery businesses” and issued a Q&A memo, the dangerously vague but potent assertions of “cyber sovereignty” embodied in the law remain in place.
Here are the most troublesome and potentially unworkable provisions:
- The sweeping terms and lack of definitional detail present huge problems for foreign corporations in attempting to comply with the law. For instance (4), there is no precise enumeration of which sectors constitute “critical information infrastructure,” although the guidelines for “important data” include information that can “influence or harm the government, state, military, economy, culture, society, technology . . . and other national security matters.” Further, there is the infamous dictate that data on the internet be “secure and controllable.”
- Article 17 of the new law mandates that personal information of Chinese citizens be stored in servers located on the Chinese mainland, and exceptions can only be made if a company can prove it is “truly necessary.” If interpreted strictly, this provision could cripple the ability of foreign (and notably, Chinese) multinationals from operating in China and sending data abroad. Chinese regulators seem aware of this impediment to their own companies but still are content to hamper foreign companies by leaving key regulatory questions unanswered.
- The law mandates that (5) companies undergo cybersecurity reviews that will analyze network products and services, focusing on specific security issues and “other risks that could harm national security.” Various sections of the law also dictate that individual products and services could be subject to multiple reviews by different agencies. It is under the security review mandate that the dangers of the dictate that network products be “secure and controllable” come into play. Further, Article 28 requires (6) that companies “assist” public agencies in “protecting national security and investigating crimes.” Does this mean that in the future, companies could be required to hand over key technological processes and programs or source code? There are no answers here.
On June 5, a major US high-tech industry association, the Computer and Communications Industry Association, sent letters to top US government officials strongly protesting (7) the new law (a “raw deal”) and calling on the Trump administration to take decisive action to “head off” this “discriminatory foreign regulation.” More generally, it argued: “China’s technology rules put American technology companies at a disadvantage and also harm the array of US industries that rely on our leading digital products to increase the worldwide productivity and competitiveness.”
The Trump administration should elevate the new Chinese cybersecurity law to top priority in the ongoing “100-day” negotiations mandated at the April Trump-Xi summit. The administration should make it clear that if regulations under the new law damage US companies’ ability to compete in the Chinese market, the United States will not just protest — it will act to institute reciprocal actions that close off the US market to top Chinese technology companies such as Alibaba, Baidu, and Tencent. It may well take such a two-by-four to convince Chinese officials that the US finally means business. “Enough is enough,” as the current phrase in international relations goes.