Huawei's EU obstacles stem from regulatory uncertainty back home

24 April 2019 12:56pm

23 April 2019. By Cynthia Kroet and Xu Yuan.

Huawei’s battle for acceptance in Europe can be traced back to regulatory uncertainty in an unexpected place — its home market of China.

The Chinese telecom company has already been barred from participating in the rollout of fifth-generation mobile Internet in the US and Australia due to cybersecurity fears. Its fate in the EU market hangs in the balance — despite its market-leading offering and its existing role in 4G networks.

Premier Li Keqiang directly rebutted accusations that the Chinese state might put pressure on its companies to facilitate espionage, at this month’s EU-China summit. Huawei’s founder, Ren Zhengfei, has said the same. And yet the allegations still swirl, and Huawei could yet be banned by individual EU countries or the bloc as a whole.

The abundance of caution is due in part to the importance of 5G Internet, which will power the next generation of digital technologies including artificial intelligence, virtual reality, connected vehicles — and perhaps also automated weapons and cyberwarfare. As a strategic asset, it could be compared to the rail network and the power grid.

But there’s also the question of what Huawei can legally be called upon to do on behalf of the Chinese state. And right now, that’s not exactly clear.

Foreign data transfers

Western policymakers’ fears center on China’s Cybersecurity Law, which came into effect in June 2017.

China’s first comprehensive legislation on cybersecurity covers setting up, operating, maintaining and using networks within the country. But it could also impose restrictions on the cross-border activities of Chinese companies — which raises red flags in Europe.

Even though the law came into force two years ago, there are still additional guidelines upcoming, including detailed principles on data transfers that could create an obligation to store “important data” within China and undergo security reviews to move it abroad.

An agreement on this rule within China has been delayed by domestic controversy, with the government reportedly concerned that it could generate international controversy. As a result, it’s still not clear what will be defined as “important data” — and whether the foreign activities of Chinese companies will be included in its scope.

It is this provision dealing with international data exchanges — Article 7 of the law — which is causing most concern with EU regulators, MLex understands.

In their worst-case scenario, Huawei and other Chinese companies could be obliged to collect user data in foreign markets, including the EU, and transfer it to China.

Faced with this possibility, the US and Australia have decided that it’s better to be safe than sorry, despite the potential hit to their 5G performance or the increase in prices that might be expected from excluding a leading bidder.

Their approach has its adherents in the EU, too. Andrus Ansip, the bloc’s commissioner for the Digital Single Market, echoed US concerns earlier this year and said that Europe should be worried about the Chinese law with regard to 5G deployment.

Chinese law

China’s attempts to codify its cybersecurity policy come as its high-tech companies grow more impressive on the world stage. Businesses that would once have copied western designs for cars or smartphones — legally or otherwise — are often now leading the way and bidding competitively for contracts in western countries.

But to win the trust of regulators, they must prove that they won’t abuse personal or commercial data gathered in western countries. That’s not easy when they’re based in a country that operates an extensive surveillance system at home, and whose companies have long been accused of widespread intellectual-property violations.

China’s Cybersecurity Law is intended, in part, to address these concerns. By setting out clear guidelines, China can show that it’s a mature and accountable player in the digital economy, ready to take part in global standard-setting.

But it also gives the country’s police an unprecedented level of involvement in the daily operations of businesses in a wide range of sectors  — showing a fundamental difference in philosophy from western countries.

Still, all of this does not mean that the government has carte blanche to control businesses. Under the rules, authorities are prohibited from misusing data collected during enforcement, and may themselves face penalties for abuse of power.

EU uncertainty

European businesses, meanwhile, are still waiting for clarity. The European Commission has asked countries to submit 5G cybersecurity risk assessments by June 30 to inform its policymaking. Only by late 2020 will national governments and the EU executive assess whether further action is required.

Deutsche Telekom, which is already partnering with Huawei in 5G trials, told MLex that it takes the global discussion about the security of network elements “very seriously,” and that it is currently re-evaluating its procurement strategy.

Global mobile operators association GSMA, which represents the likes of Ericsson, Orange, LG and Nokia, said in a statement that the EU shouldn't hinder the plans of telecom operators to roll out 5G, and should think carefully about the consequences of its future cybersecurity policy.

GDPR