China’s controversial new cybersecurity law came into effect Thursday in the face of criticism and confusion from international companies.
The new law is meant to strengthen the protection of personal information and combat online fraud. But some experts say it’s vague and leaves foreign businesses, especially tech firms, confused about how it will affect their operations.
For one thing, Chinese lawmakers approved the law late last year, but left many of the details regarding rules and implementation to regulators like the Cyber Administration of China, the country’s internet regulator.
“The legislators kicked the can on some of the more difficult aspects,” said Paul McKenzie, a managing partner at law firm Morrison & Foerster in Beijing.
Related: Global firms to China: Put new cyber rules on hold
While the law has officially taken effect already, the internet regulator says the work of putting in place the new rules and standards isn’t finished yet, according to a transcript of a news conference posted on its website Wednesday.
One of the most contentious parts of the new law involves measures allowing China to conduct security reviews of technology products and services that could affect national security. Critics have slammed the plans as intrusive and trade-inhibiting.
As the law kicks in, it remains unclear what kinds of products fall under the vague “national security” definition and how the reviews will work in practice.
In May, dozens of industry organizations, including the U.S. Chamber of Commerce, lobbied the Chinese government to delay the cybersecurity law, citing concerns over unfair advantages for Chinese companies and trade barriers.
China’s internet regulator did delay one part of the law which requires certain companies to store personal and “significant data” on servers in China.
Related: Critics slam China’s ‘draconian’ new cybersecurity law
Critics had warned that requirement would hinder trade and innovation, as foreign businesses operating in China usually need to transfer information outside the country.
On Thursday, the regulations on data storage were “still murky,” said McKenzie. Companies have now been given a grace period until 2018 to comply.
From a practical perspective, some companies may face an uncomfortable wait until the rules of the new cybersecurity law become more clearly defined. Penalties for businesses that run afoul of the law can be steep.
Failing to comply with the requirement to keep data in China, for example, could cost companies anywhere from 50,000 to 500,000 yuan ($7,350 to $73,500).