China's new cybersecurity law went into effect on June 1, subjecting companies to stringent data privacy and protection guidelines, even as key questions linger around how it will be enforced, how easily businesses will be able to comply, and how much compliance will cost.
Among other stipulations, the Cybersecurity Law of the People's Republic of China requires that companies store data pertaining to Chinese citizens on domestic servers only. Companies that cite extenuating circumstances for harboring this data outside of China's borders will be subject to a security assessment. The law also instructs network operators to establish measures to prevent, track and respond to cybersecurity incidents.
In a report on CNBC.com, James Carder, vice president of cybersecurity firm LogRhythm, said that multinational firms will likely in the best position to comply, but "a lot of the small and medium sized companies may not be able to afford to put in the control that the Chinese government is asking for, and if they can't put in those controls, it may actually push them out of that country and that market." Carder also worries that the law may be too vague, according to an email sent to SC Media by a LogRhythm spokesperson.