China's leading domestic internet companies should be taking umbrage at Beijing's new cybersecurity law, which will further isolate the domestic internet from the rest of the world. The biggest impact will be felt by companies such as Tencent Holdings and Alibaba Group Holding, which will find it harder to expand overseas.
Chinese companies also risk getting caught in a regulatory backlash as other countries enforce similar protectionist policies in the name of national security, personal privacy or reciprocity.
International companies with a serious China internet development strategy should not have been surprised by the new law, nor by its vagueness. Both aspects are consistent with China's policy stance on the security of its internet economy and on the role that private companies should play in its development.
The new cybersecurity law, approved in 2016, took effect on June 1, although the Cyberspace Administration of China, Beijing's oversight bureau, has delayed implementation of some elements until 2018. The law sets up guidelines for companies handling and housing data in China or transferring data assets outside the country. The last provision is of most concern to the international business community.
The law has been widely criticized for its ambiguity and its over-reaching concern with the identification and location of data relating to people and organizations in China, although its stated focus is on combatting cyberespionage.
News reports of companies scrambling to deal with the implications of the law, or being forced to divide their domestic information technology infrastructure from their global networks, reveal either a naivete about the Chinese internet economy, or a tremendous unfamiliarity with it, or both.
The so-called Great Firewall has long meant that companies active in China have had to maintain parallel IT infrastructure for their domestic and global operations, which complicates the integration of China-based networks and data centers with resources elsewhere in the world.
Hong Kong's data center industry, involving more than 50 operators providing data hosting and cloud services for multinational corporations, generated revenues of more than $700 million in 2016, according to industry analysts Structure Research. This was in large part driven by the conditions created by China's internet insularity.
The new law's most onerous provision is Article 37, which requires "personal information and important data collected and generated" by operators in China to be physically stored in the country. Data localization measures should be familiar to technology and e-commerce companies with international operations; the past four years have seen an increasing number of jurisdictions enacting legislation that restricts the physical location of personal data relating to its citizens or prohibits its export to other countries.
This includes markets considered hostile to internet freedom such as Russia and Vietnam, as well as those seen to be progressive internet economies, such as Australia and the European Union.
This is not to suggest that China's cybersecurity law has no new negative ramifications for global companies looking to grow their business in its internet-dependent sectors. But China has been the world's largest internet economy for several years and has been relatively closed for nearly a quarter century. Any company caught unawares by the new law has not made a serious attempt to assess and mitigate the persistent systemic risk in China's internet sector, nor has it read the growing global data nationalization trend accurately.
Any such companies already present in China's $2 trillion e-commerce market will likely already have extensive experience in maintaining parallel IT universes. This new cybersecurity law is simply an extension of a policy environment that has always been explicitly focused on strengthening state control over what is considered one of China's most precious national assets.
The primary beneficiaries of China's control have always been its domestic internet champions. Domestic players have often been explicitly favored by the state, but may have benefitted indirectly to an even greater degree since China's purposely vague internet regulatory structure is more difficult for international competitors to navigate.
The new law, however, may be just as bad for China's domestic internet champions as for international companies because it potentially strengthens the Great Firewall at a time when they are seeking to climb over it.
It is not clear yet that the law's data localization ordinance will disproportionately affect non-Chinese companies, although the presumption is that it will, since global companies in the age of Big Data will seek to extract their biggest data pools out of China and integrate them into their global operations to enhance their analytic capabilities.
However, the large data pools generated by China's internet population are also a competitive asset that Chinese internet companies will seek to leverage as they expand globally. Tencent's WeChat social media platform has nearly 900 million active users, with less than 10% -- perhaps 70 million -- outside China.
As the "BAT" triopoly of Baidu, Alibaba and Tencent increasingly looks to export its business model and platforms globally, it could be hobbled if China's data localization laws are strictly enforced. Although they have been favored in the past, internet regulators will find it difficult to contrive a system that allows local companies to build businesses abroad that involve the exporting of Chinese citizens' personal data while requiring foreign companies to keep such data within the country's borders.
Moreover, in an increasingly nationalistic global cybereconomy, other nations will probably be spurred to implement "tit-for-tat" punitive regulations in reaction to China's efforts. Certainly the U.S., the world's next-largest internet economy, needs little prompting to find ways to limit the participation of Chinese internet companies in its market further. That China would create such hurdles for its domestic champions is the cybersecurity law's only real surprise.
Ross O'Brien and John Gruetzner are principals with Intercedent, an Asian-focused business advisory company.