While some minor revisions occurred during that process and the Chinese cybersecurity administration attempted to ‘calm jittery businesses’, the dangerously vague but potent assertions of ‘cyber sovereignty’ embodied in the law remain in place. The Economist has warned that the new law could well constitute ‘a Trojan horse designed to promote China’s aggressive policy of indigenous innovation’.

The sweeping terms and lack of definitional detail present huge problems for foreign corporations attempting to comply with the law. For instance, there is no precise enumeration of which sectors constitute ‘critical information infrastructure’, which require enhanced cybersecurity measures. The guidelines for ‘important data’ are similarly vague, including information that can ‘influence or harm the government, state, military, economy, culture, society, technology … and other national security matters’. Further, there is the infamous dictate that data on the internet be ‘secure and controllable’, without any further explanation.

Article 17 of the new law mandates that personal information of Chinese citizens be stored in servers located on the Chinese mainland, and exceptions can only be made if a company can prove it is ‘truly necessary’. If interpreted strictly, this provision could cripple the ability of foreign (and notably, Chinese) multinationals from operating in China and sending data abroad. Chinese regulators seem aware of this impediment to their own companies, but are still content to hamper foreign companies by leaving key regulatory questions unanswered.

The new law also requires companies to undergo cybersecurity reviews that will analyse network products and services, focusing on specific security issues and ‘other risks that could harm national security’. Various sections of the law dictate that individual products and services could be subject to multiple reviews by different agencies.

Further, Article 28 requires that companies ‘assist’ public agencies in ‘protecting national security and investigating crimes’. Does this mean that in the future, companies could be required to hand over key technological processes and programs or source code? There are no answers here.

On 5 June, a major US high-tech industry association, the Computer and Communications Industry Association (CCIA), sent letters to top US government officials strongly protesting the new law. CCIA President and CEO Ed Black stated the new law was a ‘raw deal’ and called on the Trump administration to take decisive action to ‘head off’ this ‘discriminatory foreign regulation’. More generally, it argued: ‘China’s technology rules put American technology companies at a disadvantage and also harm the array of US industries that rely on our leading digital products to increase worldwide productivity and competitiveness’.

The Trump administration should elevate the new Chinese cybersecurity law to top priority in the ongoing ‘100-day’ negotiations mandated at the April Trump–Xi summit. The Trump administration should make it clear that if regulations under the new law damage US companies’ ability to compete in the Chinese market, the United States will not just protest — it will act to institute reciprocal actions that close off the US market to top Chinese technology companies such as Alibaba, Baidu and Tencent.

It may well take such a two-by-four to convince Chinese officials that the United States finally means business.

The president and his top economic and security advisers should not wait to force a showdown with China over the web of market-closing laws and regulations that are shutting US and other foreign corporations out of China’s high-tech information and internet-related sectors. ‘Enough is enough’, as the current phrase in international relations goes.

Claude Barfield is a Resident Scholar at the American Enterprise Institute, Washington DC.

This article was first posted here on AEI.