Last month, Reuters and the Wall Street Journal announced that AWS was selling its data centers to Beijing Sinnet for $2 billion yuan or $320 million USD. The news triggered breathless predictons that AWS was withdrawing as a cloud provider in China. As it turns out, such predictions were premature. On November 13, AWS clarified that it was selling off its China-based web services to comply with China’s new cybersecurity law, but has every intention of continuing to provide cloud services in partnership with Sinnet.
With this latest move, AWS joins a growing body of multi-national companies that are taking proactive steps to comply with a cybersecurity law that legal experts have characterized as frustratingly vague and overly broad. Under at least one interpretation, individuals with multiple computers could be considered network operators and subject to the strict security requirenents imposed by the new law. AWS and other multinational companies (MNCs) aren’t taking any chances when it comes to compliance. Apple opened a data center in the Guizhou region and Microsoft Azure partners with Chinese partner 21 Vianet Group to offer cloud services. In 2016, Airbnb announced that it was moving its user data to a Chinese location to comply with local data laws and IBM also relies on Chinese data centers.
Moving data to locally-controlled data centers isn’t the only step companies are taking to comply with the law. Both Apple and Sinnet have shut down virtual private networks that would allow users to circumvent the so-called Great Firewall of China. Spurred by economic interests— iPhone sales in China account for 21% of its global sales–Apple has taken things even further, agreeing to remove news apps provided by the New York Times from its Chinese app store. The tech leader has also committed to building two research and development centers in China and investing $1 billion in a Chinese ride-hailing service.
The proactive steps appear to be working. Apple successfully sidestepped a request to install backdoors in its system that would allow governments and other organizations to bypass the company’s encryption of data stored and transmitted via its systems. Apple has also stated that it will retain encryption keys for data stored at the Guizhou center and that its partner, Guizhou-Cloud Big Data, will not have access.
While tech companies are adopting a strategy of preemptive cooperation, the US government has asked China to delay full implementation of the law. In a document presented to the World Trade Organization, the US argued that the law could negatively impact cross-border services provided by MNCs, writing that the impact of the law would “fall disproportionately on foreign service providers operating in China,” because “companies located outside of China supplying services on a cross-border basis . . . must depend on access to data from their customers in China.”
The US paper to the WTO echoes charges of protectionism made by MNCs. However, Chinese legal experts have pushed back, maintaining that the law is less strict than the EU’s General Data Protection Regulation and other data localization laws. Given the global trend toward greater data privacy, the most persuasive argument for loosening the grip China has on cyberseciurity within its borders might be cost. As MNCs grapple with increased expense and loss of efficiency in complying with the law, Chinese consumers will likely bear the brunt of rising fees for cloud services. Still, exerting pressure on China to delay implementation or loosen requirements is a gamble in which China has the best hand. According to Synergy Research Group, Chinese firms account for roughly 80 percent of total cloud services revenue in China, and roughly half of the data center market. Given the economic reality of China’s dominance in the Asian cloud services market, making concessions on data localization and investing in technological innovation is not just a winning strategy, it’s the cost of doing business with an economic powerhouse.