TOKYO -- China's tough new cybersecurity legislation is causing headaches for Japanese companies doing business there as authorities demand more protections for customer information and look to keep data within the country.
"There have been a number of cases where Japanese companies' bases in Shanghai or Guangzhou have been raided by authorities," said Li Tianyi, vice president at a Chinese unit of Internet Initiative Japan. Li, a consultant, reports being approached by many businesses for advice on how to manage customer data, for example, after regulators demand an inspection.
The cybersecurity law took effect in June 2017, building on a patchwork of rules governing data protection and beefing up oversight of the internet. Companies must take steps to protect user data and their own systems, with violators punished via fines or orders to suspend operations.
Though the government does not disclose how many violations it finds, businesses are clearly being held to increasingly strict standards.
"More than 11,000 people have been arrested over the past two years on suspicion of violating personal information, which shows that Chinese authorities are making an effort to expose data abuse," said Takafumi Ochiai, an attorney well-versed in Chinese regulation.
This crackdown comes against the backdrop of a broad global trend toward bolstering safeguards for personal information, with the General Data Protection Regulation put into effect by the European Union this May among the most prominent examples. But China's cybersecurity law differs from such measures in several key respects.
For one, it is intended partly to protect national security and "social and public interests." Many provisions reflect this purpose, including a requirement that companies delete and block the spread of information banned from transmission or publication.
The law is also much wider in scope than equivalent measures elsewhere. It regulates "network operators" -- a term defined so broadly as to include any company that owns or manages personal computers or information systems. "It covers many Japanese companies that operate in China regardless of industry," attorney Ippei Hayakawa said.
Beijing investigated Marriott International under this law in January after the U.S. hotel company sent out a survey that listed Tibet, Taiwan, Hong Kong and Macau as separate countries. Marriott was compelled to apologize and had its Chinese website shut down for a week.
The law is written in such general terms that it affords the many bodies involved in its enforcement, including the China Internet Network Information Center along with communications and public security authorities, a great deal of discretion.
The biggest challenge it poses to Japanese companies operating in China, many experts say, is its restrictions on moving data outside the country.
Businesses designated "critical information infrastructure operators" are required to store their data within mainland China. Companies that want to transfer data overseas must undergo a security assessment by regulators -- depending on the type of data and the scale of the transfers -- in part to determine whether doing so is truly necessary.
The law defines critical information infrastructure as services whose breakdown or data leaks could endanger national security or the public interest, with finance and electricity among the examples provided. Draft implementation regulations put 27 types of data under this category, including financial, infrastructure-related, health and medical information.
Beijing has also indicated that the data transfer restrictions may be extended to all network operators.
Apple likely sought to comply with these rules when it moved Chinese customers' iCloud data to mainland servers this year.
The localization requirement means that foreign companies "have to consider the possibility that the contents of their data will be viewed by Chinese authorities," Ochiai warned.
The guidelines also include a provision banning companies from transferring personal data abroad without the consent of the person in question.
The Chinese operations of Japanese businesses have "been in a wait-and-see mood on the whole," Internet Initiative's Li said. But with regulators cracking down and implementation guidelines likely on the way, companies can no longer afford to wait.
Regulators often go after businesses out of the blue "on the grounds that they haven't made any move to comply with the law," said Takashi Nomura, a Japanese attorney practicing in China.
Japanese enterprises face an indirect threat as well. If joint-venture partners or other companies they do business with violate the law, that could throw a wrench in their own operations.
Companies "should first start checking the state of data management at their Chinese bases and their business partners," said Kentaro Iemoto, CEO of Japanese consultancy Clara Online.