The UK’s higher education institutions regularly work with important data and process sensitive personal information, but if they are to work in or with China, they need to understand and comply with China’s data protection laws too. Here’s how.
Over the last decade, laws governing the collection, storage, transfer and usage of data have become a cornerstone of the regulatory environment in many markets, including China. Indeed, with China as one of the chief sources of data created worldwide – by 2025, data from China is predicted to account for 27.8% of the total global data created that year – such laws have been among the most high-profile passed there in recent years, attracting attention and commentary from business, legal and administrative communities alike.
Data protection laws are applicable in a wide range of sectors, from e-commerce and the creative industries, to life sciences and healthcare. They are of particular relevance to the education sector though, where those providing services rely upon the accurate and timely collection of various types of data to ensure the quality, suitability, and safety of their offerings. For higher education institutions from the UK, the European Union’s General Data Protection Regulation (GDPR) is likely to be the most familiar. And while an understanding of the GDPR is, by itself, not sufficient to effectively operate within the China market, it remains a useful starting point due to certain similarities between its goals and practices and those of China’s own data protection laws. Succeeding in China generally requires a deeper comprehension of local requirements, however.
The evolution of China’s data protection regime
At the most fundamental level, there are three key laws covering data protection in Mainland China: the Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL), and the Data Security Law (DSL) – all of which were passed in the years since 2017. Together, and alongside various other measures issued by the authorities, they lay out the demands on those handling different types of data. For higher education institutions, meeting these demands involves knowing the differences between Network Operators and Critical Infrastructure Information Operators; the importance of roles such as that of the Personal Information Handler, as well as how these roles can fit into existing institutional infrastructures; and the classification framework that splits data into three categories.
In China, the first major law regulating data was the Cybersecurity Law (CSL) in 2017, which, at the time, had a strong emphasis on national security. Since then, the focus has shifted towards data privacy and personal information. While this is partly due to the vagueness of the initial law – which included only superficial provisions regarding private data – growing consumer concerns over data theft and insufficient privacy protection have added pressure on Chinese policymakers to create a more coherent and comprehensive data protection regime.
The CSL created strong incentives for the Chinese government to establish clear standards for data collection and transfer. Thus, shortly after the CSL came into force, China published its first Personal Information Security Specification, which defined personal data as including biometric information, personal addresses and bank records. The specification was updated in 2020, adding further safeguards against the unauthorised collection of private data: for example, by allowing users to opt out of specific online functions.
Personal Information Protection Law
Despite the regulatory activism sparked by the CSL in 2017, the legal foundations for individual data protection remained shaky and scattered across several laws. One particular problem was the lack of a uniform definition of the individual’s right to his or her own data, which was compounded by the fact that the exact nature of what constitutes a violation of privacy rules was stipulated in four different laws: the Criminal Law, the General Principles of Civil Law, the CSL, and the new Civil Code.
The passage of the Personal Information Protection Law (PIPL) in August 2021 marked an important milestone as it provided a single, systematic framework for individual data protection. The many similarities between the GDPR and the PIPL have earned the latter the moniker ‘China’s GDPR’, which, despite differences between the two, has brought China’s data protection regime more in line with international standards.
More importantly, the PIPL has shifted the legal focus of China’s data rules away from security and instead in a more consumer- and commercial-orientated direction. This shift has not only allowed for a more open and pragmatic discussion about the challenges any new data regime faces in a continually evolving technological environment, but also raised the possibility for foreign organisations – such as UK higher education institutions – to participate more actively in future legislative processes; an input which was mostly ignored during the early stages of China’s cyber-related rule-making.
Data Security Law
Nonetheless, national security remains important. The Data Security Law (DSL), which came into effect in June 2021, is a strong reminder of this. The DSL affirms that the Chinese Administration for Cyberspace (CAC), a government agency, remains in charge of all data-related regulations. The law also highlights the importance of the two areas which particularly affect foreign institutions: how to manage sensitive personal information and how to conduct cross-border data transfers of such information.
Both of the above-mentioned issues are subject to evolving regulatory frameworks which have sprung up following the implementation of the CSL in 2017. Sensitive personal information – including biometric, health, and financial data – is defined by the Personal Information Security Specification. Data which falls into this category is subject to specific rules governing data storage, requirements in case of breaches and leaks, and data transfers.
The CBBC View
Success in China is often best rooted in the knowledge that its data protection laws, while complex and at times fragmented, and while perhaps somewhat unfamiliar in comparison with the legal regimes in place in other markets, continue to be refined, deepened and expanded upon. Crucially, there are solutions to the challenges that China’s data protection laws present, and they are solutions that start with a thorough and up-to-date understanding of the history, development, and application of the laws themselves.
Looking ahead to 2023 and beyond, the China opportunity remains vast. More than ever for UK higher education institutions, it is an opportunity that they are well placed to grasp as the country continues to build and modernise its data protection infrastructure, while at the same time continuing to refine and adapt their services alongside these changes.