China may delay full implementation of controversial new cyber security rules, giving companies more time to prepare, two people who attended a meeting on Friday between the country’s internet regulator, businesses and diplomats told Reuters.
The Cyberspace Administration of China (CAC) called the meeting – with around 100 participants, including representatives from global technology firms – to present last-minute changes to implementation rules for China’s new Cyber Security Law which is due to come into effect on June 1.
One of those changes was a new 18-month phase-in period from June, two attendees said, suggesting the law would not be fully implemented until the end of 2018.
The new law aims to meet growing threats such as terrorism and hacking. Chinese officials say the law applies equally to both domestic and foreign companies.
The CAC did not immediately respond to a faxed request seeking comment on what was a closed-door meeting.
Business groups have lobbied Beijing to delay or water down the law mandating strict data surveillance and storage for firms working in China. Concerns are that the law would lead to uncertainties and compliance risks.
In a letter to the CAC earlier this week, seen by Reuters, more than 50 industry bodies covering 11 countries and sectors from financial services to healthcare said there were significant concerns the new law could negatively impact billions of dollars in cross-border trade.
Some attendees said Chinese officials had made some concessions, but Reuters was unable to ascertain specifics.
“They have made some revisions, and most are positive. But there are still some issues,” said a third person who attended the meeting, which lasted around three hours.
The second attendee said the changes were “modest” and the law was “still plagued by overreach”.
China’s data industry has been governed by loosely defined laws, but no overarching data protection framework. The new law codifies much stricter controls than in Europe and the United States.
On top of internationally common standards, such as requiring user consent before moving data beyond country borders, China’s new cyber law also mandates companies store all data within China and pass security reviews.
This fits China’s ethos of “cyber sovereignty” – the idea that states should be permitted to govern and monitor their own cyberspace, controlling incoming and outgoing data flows.
The meeting, arranged in recent days, was led by Zhao Zeliang, the director general of the CAC’s cybersecurity bureau, and included people from companies, business groups and diplomats, including some from the United States.
Last week, Beijing and Washington touted the first results of 100 days of trade talks that began in April after a summit between Presidents Donald Trump and Xi Jinping, which included openings for U.S. financial firms and beef.
Some U.S. critics complained the results were mostly low hanging fruit that ignored structural issues in bilateral trade and Chinese industrial policies targeting advanced industries, such as semiconductors and internet services.
U.S. business had been concerned that there was little political pressure from Washington on Beijing to make changes to the cyber law.
The European Union Chamber of Commerce in China wrote to the CAC last week saying the new rules were “fraught with weaknesses.” In early May, a group of U.S. senators sent a letter to the Trump administration urging it to press China on restrictions on U.S. cloud service providers.
Michael Clauss, German Ambassador to China, told Reuters on Friday the “law in its current form and without clear implementation guidelines narrowing its scope will most likely obstruct cooperation” in the market.
“Indiscriminately requiring businesses to hand over source codes has caused widespread alarm among European companies that business secrets and customer data might no longer be safe,” he said.