Data and privacy protection have been some of the most uniquely modern and rapidly evolving global concerns of the 21st Century. Equally sharing this common concern, China is placing a focal point of the government’s work in establishing a uniform and comprehensive cybersecurity policy for the country. As outlined and alluded to in previous articles, data-protection driven regulations such as the Data Security Law (DSL), which has been in effect since September 1st 2021, as well as the Personal Information Protection Law (PIPL), which took effect last November 1st 2021 escalate the compliance requirements from enterprises based in China, with data localisation requirements and increased difficulties in cross-border data transfers as main lines of consideration for European companies.
The New Data Protection Legal Framework
The protection of personal privacy and data security have recently been under the close attention of legislators such as China’s National People’s Congress, resulting to various interconnected forms of legislation in this area promulgated and entered into force within the last five years. In addition, traditional internet giants of the Chinese market have also had to contend with investigations into their conduct and crackdowns on controversial behaviour, namely concerning the mishandling of personal information of users and its impact on the Chinese society’s stability.
By dissecting the two laws, we see that the DSL formulates a more stringent regulation concerning data collection. It places higher burdens on companies to establishing data security systems that protects against data breaches. The law sets different categories for data and aims at setting different regulating frameworks to the governance of such data. The law also limits cross-border data transfer for foreign judicial law enforcement activities and requires these activities to be approved by the related authorities, which may act as a concern for foreign companies in future litigation proceedings.
Meanwhile, the PIPL sets out the parameters for the handling of the personal information of users, the processing of personal information which may be deemed as sensitive, the instances in which it would be required to obtain an individual’s consent for the processing of the information recollected, as well as laying out guidelines for ensuring data protection when personal information is transferred out of China.
How Will it Affect Foreign Investors’ Operations
The European Chamber of Commerce in China has acknowledged both the DSL and the PIPL as significant positive developments in China’s overall cybersecurity regime but since promulgation raised concerns regarding data localisation requirements and cross-border data transfer restrictions as well as noting that the divergence of China’s data protection framework from those in the rest of the world, such as the aforementioned General Data Protection Regulation (GDPR) in the EU, which will make it difficult for companies—both foreign and Chinese—to comply with all relevant obligations.
In fact from the two laws, we firstly see that enterprises engaged in the Chinese market will require a new level of engagement with the cyberspace authorities (e.g., The Cyberspace Administration of China, Ministry of Public Security), as they face increased levels of obligations regarding security assessments, approvals and supervision when processing data from China. Such legislative changes will inevitably pose additional (financial or administrative) burdens to companies in China.
Especially looking from the angle of a foreign SME operating in the mainland, the requirements on data localisation within the territory of China (as they may process data volumes that surpasses a specific number threshold set by their respective sector authority and the cyberspace authority in China) may limit business opportunities or increase localisation costs to said companies. Such IT costs of compliance within China’s data security legislative framework puts an extra strain on the backs of SMEs in an already complicate situation due the new outbreak of COVID 19 and series of lockdown especially in Shanghai.
As data is often referred to as the ‘new gold’, the laws also increase restrictions over cross border data exchanges, and similarly allow for the screening of sensitive personal information prior to such a transfer with the likelihood of the establishment of a direct communications channel between companies and the relevant PRC authorities in order to ensure streamlined approval of cross-border data transfers. In this sense, it is noticeable that the personal information protection law (PIPL) bears a similar logic with the General Data Protection Regulation (GDPR) of the European Union (EU), as comparable provisions concerning the personal data of citizens and the requirement for consent for the processing of certain classes of personal information are evident in both the PIPL and the GDPR, with the latter also enabling extraterritorial reach in its jurisdictional scope.
Compliance Requirements for New & Existing Investors
For both new investors and companies already present within the Chinese market (physically or digitally) conducting an initial cyber security audit is vital in order to best understand the extent to which their business operations fall under the scope of the aforementioned laws (e.g. companies deemed as critical information infrastructure operators face more stringent compliance risks and potential penalties if found to be in breach).
Moreover, all companies which process the personal data concerning their employees, clients, suppliers, distributors etc. should also fully implement, alongside their HR teams, personal information protection impact assessments, in order to ensure that the consent from such individuals are obtained in the correct manner and are adequately informed of the names of the receiving parties, their contact information, processing purposes, means of processing, categories of personal data involved and the ways in which such individuals can enforce their rights under PIPL.
Such measures are advisable to be carried out at the earliest convenience as data processors (companies) will also need to pass a security assessment conducted by the state cyberspace authorities, ensuring that the collection of such data is limited to the minimum level necessary to fulfil a specific purpose, among other thresholds.
Following the introduction of the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), foreign companies operating in China which previously had not introduced privacy policies within their company due to the lack of domestic legislation within this area are now encouraged to do so. Similarly, companies within the Chinese market which previously adopted their privacy policies in order to comply with their requirements with GDPR will also need to revise their approach in order to fit with the requirements of the new laws. These aforementioned laws are an addition to the Chinese digital legal framework which also includes the Cybersecurity law, e-commerce law and a slew of implementing measures, judicial opinions and guidelines either promulgated or in the pipeline for further clarity in this area. One thing is for certain, the race for the control of the “new gold” is truly on and China wants to play a leading role, alongside U.S. and E.U.