On June 1, China’s new Cybersecurity Law went into effect. Before and since there has been intense discussion in international business circles and governments about what that means in practice. In the United States especially, there has been a tendency toward reading the law and related documents in “worst case scenario,” fueling concerns that China’s emerging digital governance regime will systematically disadvantage outside firms and champion domestic tech giants. For example, a September 25 filing by the U.S. Government with a World Trade Organization body reflected a dire interpretation of some of China’s ambiguous language.

However, a close look at what Chinese officials are actually saying suggests healthy debate within the Chinese system. While business groups have been lobbying intensely on specific provisions, often responding to early drafts, the Chinese government is still in the process of developing and issuing the regulations, standards, measures, and guidelines that operationalize the new law’s requirements. Not only is that process subject to international pressure (U.S., European, and other international interests continue to seek delays or even the scrapping of some particularly controversial provisions), it is increasingly clear that there remains a keen debate among Chinese interests on these issues. An important government office said as much late last month. Following the U.S. filing at the WTO, China’s Ministry of Public Security (MPS) Third Research Institute, which researches cybersecurity technologies and policies, issued both a Chinese translation of the U.S. letter and a short response in a WeChat post.

This response should not be taken lightly. It sends a clear message that while some interests and voices in China’s policy discussion favor uncompromising interpretations of China’s data protection measures that would significantly disadvantage global firms, other voices, especially those concerned with Chinese companies’ global expansion plans, see downsides in heavy restrictions on cross-border data transfers.

The rest of this post explores some of the nuances of the ongoing discussion with particular reference to what Chinese policy makers and thinkers are saying about it.

Chinese officials have responded through a variety of channels, calling in foreign information and communication technology (ICT) companies, trade groups, and in some cases embassy officials, for lengthy sessions where Chinese officials, typically from the Cyberspace Administration of China (CAC), present clarifications about particular regulations and take comments, oral and written, from concerned groups.

These CAC efforts to hear and be heard have not been totally successful. Or at least, it is evident that they have not been enough for the U.S. government. In the September 25 WTO filing, the U.S. government noted that although it “has been communicating these concerns directly to high-level officials and relevant authorities in China,” it nonetheless requested that China delay issuing final language or implementing measures related to one specific and complex issue—cross-border transfers of data—until its concerns are addressed. Based on Chinese drafts released for comment, the U.S. filing argued, “The impact of the measures would fall disproportionately on foreign service suppliers operating in China, as these suppliers must routinely transfer data back to headquarters and other affiliates.” In effect, the U.S. government, like so many other concerned parties, faced the uncertainty of an evolving and burdensome regime and has argued for a halt using rhetoric based on worst-case assumptions.

What the U.S. and broader international conversation has missed, however, is that the uncertainty about China’s emerging digital governance regime is not limited to foreign capitals and boardrooms. Indeed, debate and disagreement about how to interpret and implement the key provisions of the Cybersecurity Law thrives within China.

Of course, acknowledging differing views doesn’t mean international firms shouldn’t be concerned; the evolution of this regulatory regime produces tremendous regulatory and political uncertainty in ICT sectors, and that can be costly on its own. Any outcome is likely to pose new challenges for international firms eyeing the Chinese market.

But the live debate within China suggests that the eventual regulatory environment may not be as bleak as worst-case assessments would suggest. Understanding the contours of that debate is a precondition for interested parties to make more effective advocacy and for everyone to better understand the road ahead.

What is driving the concern over China’s new Cybersecurity Law and why does Beijing want a data protection regime with Chinese characteristics?

While there are numerous areas of concern for foreign ICT businesses and their governments, the recent U.S. filing at the WTO provides a good case study. It is primarily concerned with two important regulations, associated with China’s Cybersecurity Law, relating to cross-border data transfers. They are: