In September last year the Chinese government introduced a couple of laws that are beginning to impact supply chain operations. The laws relate to how data is collected, stored and accessed by companies within and without China.
A paper published by the respected US law firm Skadden, Arps, Slate, Meagher & Flom summarises the position as follows:
“Two new Chinese laws dealing with data security and privacy came into force in the fall of 2021 that are likely to have an impact on many multinational companies operating in China or whose operations touch China. These two laws — the Data Security Law and the Personal Information Protection Law — provide more specificity about the data localization, data export and data protection requirements that first appeared in the Chinese Cybersecurity Law in 2017.”
One of the more obvious consequences was seen in the maritime sector from last December (2021), when Chinese AIS data providers turned off access to the data used by shipping lines to identify and track the position of their own and other vessels. The huge number of vessels moving through Chinese littoral waters requires detailed monitoring to enable their operators to plan, schedule and then notify shippers when cargoes are likely to arrive or depart. Most of the vessels did not stop broadcasting, so some of the AIS data could be picked up by satellite, but the vast majority of signals are collected via a network of coastal receiving stations. The operators of these stations, while still collecting AIS data, decided to stop sharing it with international partners.
At the time there was a lot of commentary in the trade press expressing concern about the likely impact on the fidelity of ship traffic movements. Many lines were concerned this would directly impact their planned schedules – although it’s fair to say that the total lockdowns of entire cities in China in response to the latest Covid strain had a bigger impact, especially in the port city of Shanghai.
Perhaps more profound is the impact on global multinationals that are trying to maintain complex manufacturing and shipping operations that either originate in or transit through China. They rely on information systems that inform and direct operations globally, especially supply chain flows. The systems used to run these operations will now have to comply with and be ‘authorised’ by the Chinese government to continue to store and share data as defined by the legislation. The laws apply to all data that falls under a very broad definition of Chinese national and economic security, citizens’ welfare and public interest.
Critical Information Infrastructure Operators (CIIOs), companies that handle data networks and information infrastructure (e.g. cloud service operators), must ensure that any and all data created in China is stored and made secure in China and can only be sent abroad after a security self-assessment procedure has been implemented and agreed by the authorities.
It is expressly forbidden to make any data stored in China available to any foreign government or law enforcement agency ‘under any circumstances’ without prior approval from the Chinese government. Companies found to be in violation of this will be fined and their operations shut down, and their principals will face criminal sanctions. Any third parties involved in intermediary services involving the handling of data into and out of China must provide full transparency about the sources of the data and its use. All parties accessing the data must be verified by the data handlers and their identities made available if requested.
These are just the main points, but the implications are clear. Every supply chain or logistics operation that touches China will fall under this legislation. The good news is that many of the major cloud service providers (e.g. Microsoft, AWS, Google, etc.) were aware of these new laws and had located large data centres inside China to service their clients there. Unfortunately, they operate as separate nodes outside of those companies’ globally interconnected cloud services. The major logistics service partners and, we understand, a number of major manufacturers and LSPs are still trying to work out how they can comply with the legislation and maintain the same level of global visibility and application operations.
There have been various attempts to enact legislation that seeks to control and safeguard data, especially personal data. Unfortunately, much of the legislation is not fit for purpose given how long crafting law usually takes and the pace of technological change and user adoption. It does not help that many of the legislators, while well-intentioned, are completely out of their depth in comprehending the technology and unforeseen implications. Europe’s GDPR comes to mind, which did not foresee blockchain technology and the ‘right to be forgotten’.
This legislative package from China has its origins back in 2018 as a response to the US ‘CLOUD’ Act that enabled US law enforcement agencies to demand access to data no matter where it is stored around the world. These extraterritorial demands have resulted in the unintended consequence of a huge increase in compliance costs for major companies and uncertainty and risk for smaller organisations.
The present state of affairs is impacting the access to operational applications and supply chain visibility for companies dealing with shipments from China. We believe it will be some time before the actual implications can be seen and, more significantly, before it is clear how to operate efficiently under the new legislation. It may ultimately make sense to design the most efficient operations within regional frameworks rather than existing global networks that fall under multiple conflicting jurisdictions.
Global trade flourished when data could pass easily. Increasingly this is no longer the case, and bad legislation ensures economies will suffer.
Source: Transport Intelligence, 7th June 2022
Author: Ken Lyon