UK companies operating in China are beholden to an increasing number of cybersecurity regulations influencing a raft of business activities, including the ease with which a Chinese subsidiary of a multinational company can share customer or R&D data with other parts of the business and how businesses store data.
Two new regulations making their way into law, the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), are predicted to add to the compliance burden of companies needing to move data to and from China. Together with the 2017 Cyber Security Law, these laws form the backbone of China’s cybersecurity regulation.
Data Security Law
Passed on 10 June and coming into effect on 1 September 2021, the DSL governs how data is collected, used, stored, and protected in China, including tightened restrictions on the transfer of data outside of China.
One important element of the law is a grading system that will define and establish a hierarchy of what they consider important data, based on which, companies will also have to classify the data they handle. There will also be different levels of fines and penalties for data protection violations depending on the importance of the data involved. For example, special permission may be required to collect data related to critical information infrastructure (including, but not limited to sectors such as public communications, energy, finance, and e-government) or any data which, if disclosed, might threaten national security, the national economy, or public interests. However, beyond these, the classifications of important data have not yet been set.
Personal Information Protection Law
Sometimes referred to as China’s answer to the EU’s General Data Protection Regulation (GDPR), the PIPL was passed on 20 August and will be implemented from 1 November.
As Torsten Weller observed in a recent episode of China Business Brief, PIPL does share similarities with GDPR. For example, PIPL has strong consent and personalisation clauses, requiring user consent for the use and sharing of data, as well as an option to opt-out of automated data collection. However, there are some significant differences. For example, PIPL includes a separate clause on what happens to a user’s data after they die, i.e., their close relatives automatically gain the right to manage their data.
For businesses, there are two crucial parts of the law. The first is how data can be transferred outside of China. Companies will have to accept an audit and receive a license — likely from the Ministry of Industry and Information Technology (MIIT) — in order to transfer data out of China. The other crucial element is the liability clause, which demands that companies have a specific person that supervises data protection policy (can also be external) and who is personally liable for any data violations.
Why have these laws been introduced?
There are two main drivers behind these new laws. The first is growing awareness of consumer data protection. As China’s tech giants like Tencent and Alibaba have grown, there have been increasing numbers of public complaints about misuse of data and user privacy violations. For example, during this year’s 618 shopping festival, several e-commerce companies and telecoms operators were called to a meeting with MIIT over invasive spam marketing text messages. Furthermore, on 18 August, 43 apps, including WeChat, were criticised by MIIT for illegally transferring user data such as contact information and location, and also spamming users with pop-up ads.
The second is national security, as evidenced by the emphasis on “critical information infrastructure” and “core data” in the text of the DSL. This was also made clear when the Cybersecurity Administration of China opened an investigation into Didi just days after its New York IPO, citing the need to “guard against risks to national data security.”
The impact on businesses
Many are wondering whether these new laws will become a burden for companies operating in China, especially those that are conducting R&D activities that involve significant amounts of data. Companies will potentially have to invest in data storage facilities in China or in hiring extra personal to manage data protection as mentioned above. As Torsten Weller pointed out, it will not really be possible for UK companies to operate in China without storing user data here.
Although to date, no detailed implementation guidelines have been released, companies should start reviewing and assessing their data activities to identify areas that could potentially require compliance with these new laws.