How will China’s new data protection laws affect your business?

by Joe Cash

UK companies operating in China are beholden to an increasing number of cybersecurity regulations influencing a raft of business activities, including the ease with which a Chinese subsidiary of a multinational company can share customer or R&D data with other parts of the business and how businesses store data.

Two new regulations making their way into law, the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), are predicted to add to the compliance burden of companies needing to move data to and from China. Together with the 2017 Cyber Security Law, these laws form the backbone of China’s cybersecurity regulation.

Data Security Law

Passed on 10 June and coming into effect on 1 September 2021, the DSL governs how data is collected, used, stored, and protected in China, including tightened restrictions on the transfer of data outside of China.

One important element of the law is a grading system that will define and establish a hierarchy of what is considered important data; companies will also have to classify the data they handle on that basis. There will also be different levels of fines and penalties for data protection violations depending on the importance of the data involved. For example, special permission may be required to collect data related to critical information infrastructure (including, but not limited to, sectors such as public communications, energy, finance, and e-government) or any data which, if disclosed, might threaten national security, the national economy, or public interests. However, beyond these, the classifications of important data have not yet been set.

Personal Information Protection Law

Sometimes referred to as China’s answer to the EU’s General Data Protection Regulation (GDPR), the PIPL was passed on 20 August and will be implemented from 1 November.

As Torsten Weller observed in a recent episode of China Business Brief, PIPL does share similarities with GDPR. For example, PIPL has strong consent and personalisation clauses, requiring user consent for the use and sharing of data, as well as an option to opt out of automated data collection. However, there are some significant differences. For example, PIPL includes a separate clause on what happens to a user’s data after they die, i.e., their close relatives automatically gain the right to manage their data.

For businesses, there are two crucial parts of the law. The first is how data can be transferred outside of China. Companies will have to accept an audit and receive a license, likely from the Ministry of Industry and Information Technology (MIIT), in order to transfer data out of China. The other crucial element is the liability clause, which demands that companies have a specific person who supervises data protection policy (this person can also be external) and who is personally liable for any data violations.

Why have these laws been introduced?

There are two main drivers behind these new laws. The first is growing awareness of consumer data protection. As China’s tech giants like Tencent and Alibaba have grown, there have been increasing numbers of public complaints about misuse of data and user privacy violations. For example, during this year’s 618 shopping festival, several e-commerce companies and telecoms operators were called to a meeting with MIIT over invasive spam marketing text messages. Furthermore, on 18 August, 43 apps, including WeChat, were criticised by MIIT for illegally transferring user data such as contact information and location, and also spamming users with pop-up ads.

The second is national security, as evidenced by the emphasis on “critical information infrastructure” and “core data” in the text of the DSL. This was also made clear when the Cybersecurity Administration of China opened an investigation into Didi just days after its New York IPO, citing the need to “guard against risks to national data security.”

The impact on businesses

Many are wondering whether these new laws will become a burden for companies operating in China, especially those that are conducting R&D activities that involve significant amounts of data. Companies will potentially have to invest in data storage facilities in China or in hiring extra personnel to manage data protection, as mentioned above. As Torsten Weller pointed out, it will not really be possible for UK companies to operate in China without storing user data here.

Although no detailed implementation guidelines have been released to date, companies should start reviewing and assessing their data activities to identify areas that could potentially require compliance with these new laws.
