China’s New Cybersecurity Policies: Is the Price of Compliance Worth the Risk of Disclosure?

Tensions recently escalated in the United States and China’s ongoing exchange over online security and technology policies, as China adopted the first in a series of policies it previously approved at the end of last year.  Among other things, the newly adopted regulations require foreign technology companies that sell computer equipment to Chinese banks to submit to obtrusive audits, set up research and development centers in the country, build “back doors” into their hardware and software, and, perhaps most disconcerting, disclose intellectual property to the Chinese government, including proprietary source code.

In addition to the adopted bank rules, China has a draft antiterrorism law that calls for companies to store all user data on servers in China, create methods for monitoring content for terror threats, and provide encryption keys to public security authorities.  These policies could significantly hinder foreign hardware and software companies’ ability to do business in China—a market that is expected to account for 43 percent of worldwide tech-sector growth in 2015, according to research firm IDC.

According to the Chinese government these regulations are intended to strengthen cybersecurity in critical Chinese industries.  However, the regulations are a cause for concern, particularly to Western technology companies.  As reported by the BBC, a letter dated January 28, 2015 was sent from American groups—including the US Chamber of Commerce—to the Central Leading Small Group for Cyberspace Affairs, which is led by the President of China, insisting that these new regulations amount to protectionism.  The letter asked the Chinese government to delay the implementation of the regulations and proposed a discussion among the interested stakeholders and the agencies responsible for the initiatives.

President Obama openly criticized China’s plans to expand its cybersecurity policies during an interview with Reuters:

[China has a couple of laws that] would essentially force all foreign companies, including U.S. companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services. . . .  As you might imagine, tech companies are not going to be willing to do that. . . . We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.

In addition to the present dissidence over these regulations, one can’t help but wonder about future consequences of complying with China’s policies.  The U.S. Uniform Trade Secrets Act, which has been enacted in nearly all states, defines a trade secret, in part, as something that “derives independent economic value . . . from not being generally known” and requires reasonable efforts be used to maintain secrecy.  U.T.S.A. § 1.  These requirements present some issues for consideration given the apparent lack of restrictions on the Chinese government’s ability to disseminate the information.  Namely, if an American company discloses proprietary source code in compliance with the Chinese regulations, such disclosure may ultimately compromise its trade secret status in the United States.  Only time will tell if and how these laws are put into practice and the repercussions that may arise in the future.