(1) According to the claimants’ request, thearticle 37 of China´s Cyber Security Law (CSL) imposes and unfair andunequitable treatment between foreign and national investors in the mainland ofthe Peoples of Republic of China (PR China) and violate the article 2.2 of theBilateral Investment Treaty between China and Korea (BIT).First of all, the BIT agreement does notprohibit China of the right to regulate in its territory even more regarding toits national security issues. It is demonstrably that the purpose of the ChinasCSL is protect the personal data of millions of networks users and prevent thecyber security threats.On the other hand, is well know that everyindividual or corporation who wants to invest and operates in a foreign countrymust follow the laws of the host country in which they operate or reside. TheBIT agreement establish in this line in the article 2, para.
1 that: “Each ContractingParty shall encourage investors of the other Contracting Party to makeinvestments in its territory and admit such investments in accordance with itslaws and regulations.” Also in the article 2, para. 4: “Nationals of one Contracting Party who wish to enter theterritory of the other Contracting Party and to remain therein for the purposeof making investments (…), shall be given sympathetic consideration totheir applications for entry, (…) as well as applications for licenses andpermits to conduct business activities, in the territory of that other ContractingParty in accordance to its national legislation. ” Regarding to the Fair and EquitableTreatment (FET) claimants failed explaining in what sense the article 37 of theCSL violates the FET. We assert that the CSL does not violate the article 2.
2or any principle contained in the BIT. Likewise, regarding to national treatmentand non-discrimination, CSL does not make any distinction between foreign andlocal investors since this law is applicable for every individual or companyregardless of their nationality A well reading of article 37 of CSL is thatall companies -without anydistinction- must undertake a security assessment, made by thegovernment, before moving data out of China only if it contains personalinformation of users or sensitive data that could be affect national securityor social public interests. For China´s government and evidently forevery country, cyber security issue is a public interest and this measurestaken by China is the only, effective and reasonable way that would beappropriately deal with the cyber security risks. For Instance, the requirementfor data localization, bringing data under Chinese jurisdiction make effectiveand efficient the prosecution to entities which are violating China’sinternet laws. (2) In regarding to the objected article 23 of CSL, claimants failinterpreting the article 23 in a wrong way.
What the article 23 estipulate isthat providers can only sell their critical network equipment, products orservices after receiving security certifications. In any way this provisionpoints out that network operators have to disclose their proprietary softwaresecret. What claimants assert isbased in purely suppositions and cannot be considered seriously, additionally,they did not show any factual evidence of their allegations so far.As a general principle ininternational law, the party alleging a violation of international law givenraise to international liability has the burden of prove all the factualelements necessary to support its case. And in the present case, claimantsfailed this requirement in the whole claim request.
(3) This lawis not less favorable than before, simply because this law is the firstapproach of China towards a consolidatedlegal act in data protection and it is in line with th global cyber security norms and best practices. Unlike anincreasing number of countries around the world, China did not have an integraldata protection law. Instead of that, the regulation of privacy and cybersecurity issues were spread in a several number of industry-specific laws, suchas the Practicing Physicians Law, Commercial Banking Law, Postal Law, and theProvisions on the Protection of Personal Information of Telecommunication andInternet Users. (4) Claimantsdoes not know when is the appropriate time to comply the law, China gave them 2years until 31 December 2018 to comply with the law The time given by the Chinese government isreasonable taking into account that the risks of network system are by time totime increasing exponential PR China is aware that the implementationof the law has to be gradually, which will allow companies to better assesstheir obligations. That’s why the Cyberspace Administration of China sets 18-monthphase-in period from June 2017, delaying the full implementation of the law togive companies more time to comply. It has to take into account that the risksgiven by the new technology push the governments to take effective andefficient actions on time, in this way Peoples of Republic of China takesseriously the rights that can be violated by the new technology.