Key things to know about China's Cybersecurity Law

Just a few days ago, state-owned Norwegian news outlet NRKBeta reported that an undisclosed number of Nokia 7 Plus units sent user data to a server in China.

HMD Global, the owner of the Nokia brand, later admitted that they mistakenly included a China-specific software in units that were shipped to other markets.

Although the data was never processed, as the firm claims, the incident provided the world some insight into China’s cybersecurity law, which has been a cause of concern for foreign businesses operating in the country.

Here are the some key things to know about the law.

What is it?

In November of 2016, the National People’s Congress of China passed a cybersecurity law that was meant to safeguard the private information of the country’s users and networks.

The law required network operators and service providers to store select data within China and submit themselves to spot-checks from authorities when necessary.

It was met with widespread criticism from foreign businesses, especially tech firms, who said that it could increase the risk of local competition or even authorities stealing intellectual property, trade secrets, and private information.

They also called into question the vague language and terminologies used by the Cyber Administration of China, the country’s internet regulator, who were said to be in charge of working out the details for the law’s new rules and standards.

The law was officially enforced in June of 2017, but an 18-month phase-in period was given for firms to prepare.

Who does it apply to?

The law applies to all network operators and businesses in critical sectors, as pointed out by The Diplomat.

Network operators are defined as network owners and providers of computer systems or equipment that deal with information.

Critical sectors, on the other hand, apply to business involved in communications, energy, transport, and information services, among a few others. This includes any partner or supplier of firms belonging to the aforementioned sectors.

What is under it?

An article from the law requires network operators in critical sectors to locally store data they collect within China. Business and personal information of Chinese citizens must be stored in local servers. The data cannot be transferred outside of the country without permission.

Apple, to comply, officially transferred its Chinese iCloud operations to a local firm called Guizhou-Cloud Big Data (GCBD).

Another article requires network operators to provide technical support and assistance to government agencies for national security investigation purposes. In line with this, they must be willing to cooperate with authorities and allow full access to their data if asked to do so.

The authorities also have the right to shut down or limit network connectivity when they think an entity is compromising national security.


Unlike Apple, some platforms were not so eager to comply with the requirements of the law.

For instance, Skype was removed from Apple’s app store in China sometime in October of 2017 for failing to comply with the law, as pointed out by an Apple spokesperson.

Meanwhile, Federal Bureau of Investigation (FBI) Director Christopher Wray last January warned the cybersecurity law grants the Chinese authorities access to the data of Chinese telecommunication companies such as Huawei, which he claims undermines US national security.

Huawei has in numerous occasions stated that they operate independently and are free from any form of government influence or control.

“Huawei has not and will never plant backdoors,” rotating chairman Guo Ping said at the 2019 Mobile World Congress in Barcelona last February. “And we will never allow anyone else to do so in our equipment.” –