Data governance regimes in China

By Alfredo Montufar-Helu, Beijing Director

On 2 September 2021, I hosted a breakfast briefing to discuss the changes to China’s data regulatory framework and what this means for business, including the actions companies can take to mitigate disruption. 

What motivated me to host this briefing is that, while China’s regulatory framework may have been characterized by its high degree of flexibility and numerous grey areas in the past, things are changing. The events over the past months suggest that authorities are intent on establishing a more formalized rules-based governance geared towards achieving the goals outlined under ‘Xi Jinping Thought,’ which has continued evolving since its inception to include concepts such as ‘dual circulation strategy’ and ‘common prosperity.’ No wonder then that, as authorities move to enforce such an expansive regulatory framework, the operating landscape in China is being disrupted significantly. 

Two of the areas where this is seen more clearly are data security and privacy. And as one of our guest speakers mentioned when talking about what has happened over the past months to some of the most emblematic Chinese firms in tech and e-commerce: authorities’ message is clear: it’s all about “compliance, compliance, compliance.”

All in all, it was a very insightful discussion, and I left with a number of key takeaways which I share below in two sections: 1.1) recent regulatory developments; and 1.2) implications for businesses.

1.1 Recent regulatory developments

  • The coming into effect of China’s Cybersecurity Law (CSL) in 2017 marked the beginning of a series of regulatory changes which accelerated over the past couple of years, giving form to its data regulatory framework. This includes the Data Security Law (DSL), which became effective on 1 September 2021, and the Personal Information Protection Law (PIPL), which will become effective in November. 
  • With the release of the PIPL and DSL, China’s data regulatory framework now covers all data handling activities – i.e. collection, processing, use, storage, transmission, provision and disclosure of data – and not only applies to companies operating in China, but also to companies that do not have a presence in China if: (i) they sell products and services to the Chinese market and collect data and personal information from China; and (ii) assess and analyze the behaviors of individuals in China – e.g. data processing companies.
  • The coming months will see a series of implementation measures as authorities move to enforce this new regulatory framework. Various ministries and government agencies will participate in this process, including the Cyberspace Administration of China (CAC), which will have a central role in formulating implementation guidelines, and will also coordinate other regulators; the Ministry of Industry and Information Technology (MIIT), which is in charge of telecom and industrial sectors such as automotive; the Ministry of Public Security, which has become increasingly active in enforcing cybersecurity standards; as well as industry-specific regulators, such as the People’s Bank of China (PBOC) for financial data.
  • One of the most relevant aspects of the DSL is that it reaffirms the multi-layer protection scheme (MLPS) which was initially required under the CSL. This is a framework that ranks companies into five levels based on the perceived security risk of their information and operations technology systems. Level five is highest and reserved for sensitive government facilities. Those classified as level 2 or above require their systems to be assessed by a specialized Chinese audit firm, while level three users and above are required to use indigenous intellectual property in their core IT systems (see more here). 
  • MNCs that are already compliant with EU’s GDPR may find it easier to comply with the requirements of the PIPL, as there are various similarities between the two frameworks. However, the PIPL has its own characteristics: 
    • The PIPL is very broad, covering all information related to an identified or identifiable natural person. But there are types of information that are regarded as more sensitive than others, and which are subject to enhanced compliance requirements, e.g. financial data, health information, data generated by children below 14 years old (which is likely to disrupt further the gaming industry)
    • One of its key characteristics is the centrality of people’s consent to access and process personal data. In fact, the major difference when compared to the GDPR, is that the PIPL does not consider ‘legitimate interest’ as a legal basis for companies to process personal data without the need to obtain consent.  
    • Having said this, the PIPL does allow for five exceptions to access and process personal data without obtaining consent: signing or performance of contracts, performance of statutory obligations, emergency response, new reporting or for public interest and publicized information
  • Another important point relates to Critical Information Infrastructure (CII), a notion started by the CSL. This law identifies the financial, energy, telecom and information, infrastructure, e-government sectors as CII; and requires operators in these sectors to store personal and ‘important’ data in China. This data can only be transferred overseas after satisfying a number of requirements and obtaining the approval of relevant authorities.

1.2 Implications for businesses

  • The panel discussion revealed a number of ways in which companies will be impacted: 
    • For instance, the more complex value chains a company has, the more work will be required to understand where to collect data and under what premises in order to be compliant with the new laws. This is because value chains cover aspects such as R&D, production, working with dealers and also dealing with customers. 
    • As well, to collect data companies will have to use processes which are 100% compliant with the new laws and regulations. Existing systems will have to be adjusted or replaced by new ones. All this will push up costs. 
    • For MNCs with operations in China and other countries with their own data regulatory requirements, how will complying with both sets of regulatory requirements play out? What if for instance a company is required to disclose certain information under EU’s GDPR, which however is also considered as ‘important’ by Chinese laws? 
    • Related to the above, one question I asked to the panel is whether the need to comply with different sets of regulations across geographies impact companies’ data and go-to-market strategies. Our panelists mentioned that MNCs have been dealing with regulatory disruption for many years already. Specifically with respect to data, one panelist mentioned that the particularities of China’s digital ecosystem have meant that companies may have to tailor their data strategies to market specifics while at the same time maintaining global values.
    • Finally, there are still several questions unanswered which will make compliance a cumbersome process. For instance, there is still a lack of clarity which respect to what constitutes ‘important data’ and ‘national security’. And it is not clear the type of security assessment that needs to be undertaken, according to which standards, and by which authority. It is also not clear how the extraterritorial provisions will play out.
  • Despite this, there are a number of actions companies can undertake to diminish the risk of disruption:
    • First of all, a lot more rules and regulations are currently being drafted, so companies need to pay close attention to future developments to prepare for and offset future disruption.
    • As companies seek to assess what these new requirements mean for their industries in general, and their operations in particular, a good practice is to talk with Chinese authorities. This in order to understand the different perspectives underlying these new regulatory moves, and the objectives they want to achieve. 
    • To understand what specific actions they need to take, companies should start by doing a ‘health check’ to map data processes and systems to understand where they are in terms of data collection, processing, transference, etc. This exercise needs to include both employee and commercial data. Based on this health check, they can perform a gap analysis to compare where they are against where they need to be to comply with China’s new legal requirements. 
    • For those companies with operations in China and overseas, it will be important to undertake risk analysis for cross-border data transfers in order to account for different legal requirements across geographies.