Some New Zealand businesses with a presence in China will come within the requirements of China's new cybersecurity regime, which came into effect on 1 June.

But the scope of the China Cybersecurity Law is vague, making compliance difficult and raising questions about the future of trade in the digital age.

The scope of the Law

The Law, China's first 'top level' legislation on network security, aims to protect the privacy of China's 730 million internet users and to enhance national security against cyber-attacks. It applies to "network operators" and to "critical sectors" but both definitions are deliberately broad, meaning that the Law has the potential to catch almost all businesses in China that manage their own email or other data networks.

  • Network operators are defined as owners, administrators and service providers of systems comprised of computers and other information terminals and related equipment that gather, store, transmit and process data.
  • Critical sectors cover businesses involved in communications, information services, energy, transport, water, financial services, public services and electronic government services.

Key provisions

The Law contains a raft of measures, including:

  • Network security measures: network operators in critical sectors must conduct annual cybersecurity assessments, while other network operators will need to follow specified security procedures.
  • Security spot-checks: network operators must comply with Chinese security investigators and allow full access to data and "technical support" upon request.
  • Personal information protections: network operators must obtain consent when collecting personal information and data breaches must be promptly reported to the relevant authorities.

While the personal information protections bring China in line with international best practice, new data localisation requirements are more controversial. These stipulate that, unless alternative permission is obtained, businesses in critical sectors must store within China all "personal" or "important" data gathered in China and relating to Chinese citizens.

To satisfy this requirement, affected firms may need to establish dedicated servers within China, particularly for Human Resources departments. While the Cyberspace Administration Council has clarified that this rule applies only to businesses in critical sectors, draft measures circulated earlier this year suggest it may be extended over time to all network operators.

Chapman Tripp comment

Faced with several new penalties for non-compliance, New Zealand businesses in China should assume they are affected and plan accordingly. The bigger question may be whether this means more than a compliance-induced headache.

Last month, in a letter to the Chinese Government, a coalition of 54 global businesses argued that these measures "effectively erect trade barriers along national boundaries" and "are having the effect of excluding foreign competitors who cannot meet them".

If this is digital protectionism from our second-largest trading partner, it is a concern for a small and isolated market like New Zealand. As the Ministry for Foreign Affairs and Trade noted in Trade Agenda 2030, "Digital trade is of particular importance to New Zealand as another way to reduce the enduring challenges of distance from markets and small scale. Our negotiating agenda needs to create the frameworks to enable our exporters to take full advantage of this opportunity."

The question, of course, is how. With e-commerce and technical trade barriers potentially on the agenda, negotiations for an upgrade of the NZ-China FTA may prove just the platform.

The information in this article is for informative purposes only and should not be relied on as legal advice. Please contact Chapman Tripp for advice tailored to your situation.