Caught between enormous market opportunities, a challenging regulatory environment, and growing competition, German and European companies face difficult challenges, especially in the Chinese market. Along with bureaucratic and administrative hurdles, as well as a slow and limited Internet, the new Cyber Security Law, implemented mid-2017, also makes business activities more complex. With this law, which is gradually being specified and supplemented by administrative regulations, the Chinese government has tightened the rules determining the order and security of cyberspace.
The law, consisting of 79 articles and seven chapters, regulates data protection, IT security, and behavior on the Internet. The European General Data Protection Regulation (GDPR), the IT Security Act, the regulations on freedom of expression, or the German Network Enforcement Act contain some similar content, but the Chinese version differs in many respects in its application. The reason for this is a fundamentally different approach. While European lawmakers primarily argue for the protection of citizens’ personal rights, China focuses on the preservation of "sovereignty over cyberspace" and national security. In terms of content, the Chinese law is a mix of various topics. In addition to the data protection aspects (i.e. what data can be collected under what circumstances, when and for how long it may be stored, and how it may be used), it also includes regulations on IT security and behavior on the Internet.
All companies that conduct electronic business in China are affected by the regulations. As the legislation is not available in any European language and contains many vaguely formulated definitions, it is difficult for Western companies to assess what measures they must take to comply with the legal requirements. However, it is clear that affected foreign companies that do not comply with the requirements of the Cyber Security Law and fail to adapt their own corporate structures and IT processes accordingly risk severe sanctions, such as having business licenses revoked or having content, offers, and services blocked by the authorities.
What exactly does the law require, and what are the most important steps for companies active in China?
Every network operator within the meaning of the law – and according to expert assessments, this includes all companies who operate data processing systems in China, and thus almost all companies – must ensure the proper use of data, the provision of a secure IT infrastructure, and the use of legitimate third-party services and products. If they use their own infrastructure, it must be checked for compliance, or they should find a provider who is compliant with the new regulation and can help them implement all the necessary steps. It is important to note that non-compliant behavior, including the use of third-party software that has not been properly certified, is always the responsibility of the company itself and is subject to heavy fines of up to one million yuan (around EUR 133,000).
Especially for SMEs with limited information security capabilities, but also for established multinationals, it can be difficult to conform if they do not know what data is being collected, how the data is being used, or where the data is, and if they are unable to develop a solid foundation for their cyber security measures. With China's Cyber Security Law – as well as the planned increased regulation of the Internet in Russia, giving the Russian government more power – it is becoming even more critical for companies to review their day-to-day operations, especially with regard to data, in order to ensure compliance with local regulations. At the end of the day, you can't follow the right procedures if you don't know the latest regulations or have a suitable partner.
IAM as a Managed Service in China and Russia: a solution approach
Service Layers, part of iC Consult Group, supports customers operating complex IAM infrastructures in a unique way: offering Identity and Access Management (IAM) as a Managed Service, based on products of the market leaders. With new hosting locations in Russia and China, which will be available from the 4th quarter of 2019, the scalable Identity & Access Management platform can be used worldwide and without regional borders. For customers operating in China and/or Russia, the expansion of the IAM Managed Services to these highly regulated economic markets not only supports international roll-outs. Customers no longer have to arrange hosting and operations, nor worry about high latency, but are free to focus on their core business anywhere in the world.
We will be happy to discuss your options and opportunities in a personal conversation.
Contact us at any time by telephone or e-mail at email@example.com, sign up to receive further information free of charge, or register for our free webinar "Scaling CIAM – A Guide for worldwide Success". No strings attached.