中國《網絡安全法》衝擊跨國公司
China’s first cyber security law will increase costs for multinationals, leave them vulnerable to industrial espionage and give Chinese companies an unfair advantage, business representatives and analysts have warned.
企業代表和分析人士警告稱,中國首部《網絡安全法》將加大跨國公司的成本,使它們易遭商業間諜活動侵害,並賦予中國企業不公平的競爭優勢。Aspects of the measure, which comes into force on Thursday, have been widely welcomed as a milestone in introducing much needed data privacy. But analysts have expressed fears it could help Beijing steal trade secrets or intellectual property from foreign companies.
這部將於本週四起施行的法律的某些方面受到了廣泛歡迎,很多人認爲它在引入急需的數據隱私保護方面是一座里程碑。但分析人士擔心,該法可能有助於中國政府從外國公司竊取商業機密或知識產權。“The law is both extremely vague and exceptionally wide in scope, potentially putting companies at risk of regulatory enforcement that is not related to cyber security,” said Carly Ramsey, associate director at Control Risks, a risk-management consultancy.
風險管理諮詢公司“化險諮詢”(Control Risks)副總監卡莉?拉姆齊(Carly Ramsey)說:“這部法律管轄的範圍非常模糊、又特別廣泛,有可能讓企業面臨與網絡安全無關的監管執法風險。”
Foreign companies had petitioned Beijing to delay the legislation. “It is vitally important that [these measures are] proportionate, consistent, non-discriminatory and formulated in a transparent manner. Regretfully, this is not yet the case,” said Michael Chang, vice-president of the European Chamber of Commerce in Beijing.
外國公司曾請求中國政府推遲此項立法。中國歐盟商會(EU Chamber of Commerce in China)在北京的副主席常疆(Michael Chang)說:“至關重要的是,(這些法律應當是)適當的、自洽的、非歧視的,制定過程要透明。遺憾的是,它還達不到這樣的標準。”The law is part of a drive by Beijing to shield Chinese data from the eyes of foreign governments after US whistleblower Edward Snowden revealed that the US was spying on communications from multinationals, say analysts.
分析人士表示,在美國告密者愛德華?斯諾登(Edward Snowden)爆料稱美國監聽跨國公司通信之後,這部法律是中國政府爲防止中國數據被外國政府窺探而作出的努力的一部分。“The message is clear that the government will encourage more domestic development of technology, and that it now sees privacy and cyber security as vital national concerns,” said Xun Yang, a lawyer at Simmons & Simmons in Shanghai.
西盟斯律師事務所(Simmons & Simmons)駐上海律師楊迅表示:“此舉傳達的信息很明確,中國政府將鼓勵加大本土科技開發,而且中國如今將隱私和網絡安全視爲至關重要的國家關切。”Under the new law, companies must introduce data protection measures — a novelty for many Chinese businesses — and data relating to the country’s citizens or national security must be held on Chinese servers. Companies will have to submit to a review by regulators before transferring large amounts of personal data abroad.
根據這部新頒佈的法律,企業必須採取措施保護數據(這對許多中國企業來說都是一件新鮮事),而且與中國公民或國家安全有關的數據必須存儲在中國境內的服務器上。在將大量個人數據轉移至境外之前,企業必須接受監管機構評估。However, “critical” companies — a widely drawn definition that encompasses sensitive entities such as power companies or banks but also any company holding data that, if breached, could “harm people’s livelihoods” — will have to store all data collected in China within the country.
然而,“關鍵”企業——一個寬泛的定義,不僅包括電力公司、銀行等敏感實體,任何持有一旦泄露就可能“危害國計民生”的數據的企業也被包括在內——必須將在中國收集的所有數據存儲在中國境內。These companies, and any services bought by them, must go through a “national security review” to ensure they and their data systems are “secure and controllable”.
這些企業及其購買的所有服務都必須通過“國家安全審查”,以確保企業及其數據系統“安全、可控”。The measure allows Beijing to request computer program source code, which is usually known only by the software developer.
該法讓中國政府能夠要求獲得計算機程序源代碼,源代碼通常只有軟件開發者知曉。National security reviews may also allow Beijing to delve into companies’ intellectual property, analysts warn.
分析人士警告稱,國家安全審查還可能讓中國政府得以深入接觸企業的知識產權。Even fast-food delivery companies could be considered critical infrastructure, Shanghai regulators ruled during a pilot run for the law — presumably, analysts suggest, because they hold information on millions of users.
上海的監管機構在試行該法期間判定,連快餐配送公司也可能被視爲關鍵基礎設施——分析師認爲,這大概是因爲這類公司掌握了數百萬用戶的信息。Multinationals will be hardest hit, as the data localisation measures prevent them pooling client data in cloud storage databases across the world. The need to store some data on China-based servers and the rest elsewhere will add to fragmentation and cost. ”It’s huge work for foreign companies to restructure their business,” said Mr Yang.
跨國公司受到的衝擊將最大,因爲數據本地化舉措使它們無法將客戶數據集中存儲在全球各地的雲存儲數據庫中。它們需要將一些數據存儲在中國境內服務器上,將其他數據存儲在別處,這將加劇割裂,增加成本。“對外資企業來說,重構業務是一項浩大工程,”楊迅說。Cloud storage companies are also affected. One lawyer said his foreign clients were switching data from Amazon Web Services in Singapore to Alibaba’s China cloud service.
雲存儲公司也受到了影響。一位律師表示,他的外國客戶們正將數據從新加坡的亞馬遜網絡服務系統(AWS)轉移到阿里巴巴(Alibaba)在中國的雲服務上。China’s own technology companies will themselves be hit. The bulk of Alibaba’s ecommerce takes place in China, but it has increasingly been setting up cloud data centres around the globe. “We comply with applicable laws in jurisdictions where we operate,” said Alibaba.
中國國內的科技公司也會遭受衝擊。阿里巴巴的電商業務大部分在中國,但阿里巴巴正日益在全球各地建立雲數據中心。“我們遵守我們業務所在司法管轄區的適用法律,”阿里巴巴表示。While the new law is causing angst in foreign boardrooms, the personal data privacy provisions are in line with worldwide practice, said Scott Thiel, partner at law firm DLA Piper in Hong Kong. For example, it accords with Europe’s General Data Protection Regulation, he said.
歐華律師事務所(DLA Piper)駐香港合夥人斯科特?蒂爾(Scott Thiel)表示,儘管這部新法正引起外資企業董事會的焦慮,個人數據隱私條款符合世界各地的慣例。他說,比如,該法與歐洲的《一般數據保護條例》(General Data Protection Regulation)一致。But analysts suspect enforcement in China might be tinged with political goals.
但分析師懷疑,該法在中國的執行可能受到政治目的的干擾。A proposed supplementary law on encryption, published in April, allows the government to demand “decryption support” in the interests of national security. Effectively, this means the government can force companies to decode encrypted data.
4月份公佈的一部有關密碼的補充性法律草案,讓中國政府能夠以國家安全爲由,要求企業提供“解密技術支持”。這實際上意味着政府可以迫使企業破解加密的數據。“In the US Apple refused to open [the San Bernardino shooter’s] iPhone for the FBI. I cannot imagine that happening in China,” said one lawyer.
“在美國,蘋果(Apple)拒絕爲聯邦調查局(FBI)解鎖(聖貝納迪諾(San Bernardino)槍擊案槍手的)iPhone。我無法想象這樣的事情會在中國發生。”一名律師說。Although the law makes no distinction between local and foreign businesses, Chinese companies are less concerned, say lawyers. They are less likely to use cloud services and have a smaller presence abroad, and those with overseas operations tend to send data back to their Chinese headquarters rather than taking any out of the country.
律師們表示,儘管該法未對本土和外資企業進行區分,但中國企業不那麼擔心這件事。中國企業較少使用雲服務,在海外的業務也較小,而那些經營着海外業務的中國企業往往會將數據傳送回中國總部,而不是將其帶出國門。Domestic companies are also less bothered by legal vagueness, said Mr Yang. Foreign companies take laws literally, while their Chinese counterparts tend to tease out their overall message — in this case, that they must take cyber security seriously — and wait for specific guidelines to be handed down by their industry regulator.
楊迅說,國內公司也不太擔心法律的模糊性。外國公司從字面意思來理解法律,而中國的同行則傾向於找到法律所傳達的整體訊息——這一次,訊息是它們必須認真對待網絡安全——然後等待行業監管機構下發具體指導方針。
But they also know the law is not designed to cause trouble for local businesses.
但它們也知道,這部法律的目的不是爲了找本土企業麻煩。“The big banks are close to government and know they will be considered in the legislative process,” said Mr Yang. “The same goes for big technology companies like Alibaba.”
“大銀行與政府關係密切,知道立法過程會考慮到它們,”楊迅說,“同樣的道理也適用於阿里巴巴這樣的大科技公司。”
