China’s new data-transfer mandate prompting multinationals to rethink market strategy

Companies wanting CAC approval to continue these transfers should make their requests as soon as possible to meet the March 1 deadline. Otherwise, they may have to halt the transfers or face potentially stiff penalties.

The ramifications may be more widespread than it might appear at first blush.

As an example, let’s consider a retailer that has no Chinese presence but can be accessed online by Chinese shoppers. Like with any other customer, when a Chinese customer makes a purchase, the retailer collects the personal and financial information it needs to complete the transaction and fulfill the order.

If this retailer handles or processes the data of more than 100,000 customers in China per year, the CBDT will now require it to localize its handling of these transactions. The retailer will need to use a Chinese website host, a Chinese data processor and Chinese customer support personnel, among other changes.

These are changes that stand to affect global business on a massive scale — and very soon. The government has already stepped up PIPL enforcement with significant penalties for companies found in violation.

Many multinational organizations are scrambling to comply within the short time frames. Those that until now have taken a wait-and-see approach to PIPL readiness may soon find themselves pondering changes in their China business model.

Why does the new deadline have companies scrambling?

The CBDT regulation requires government approval for transfers of high-volume or sensitive Chinese personal information (PI) outside the country. The government has been regulating the use of Chinese PI for quite some time, so the CBDT represents an upward tick rather than a sea change.

For organizations deemed Critical Information Infrastructure Operators (CIIO), personal information isn’t the only kind of data at issue. These organizations will need CAC approval to transfer any data deemed “important,” PI or not.

Many multinationals wanting to avoid an interruption in their China business are preparing to submit their CBDT application this fall. Early submission may provide time to resolve any security issues the CAC assessment might find and gain approval before March 1, 2023.

Even so, meeting the CBDT deadlines will be difficult for most multinationals doing business in China. Your most effective course of action may be to lay plans as we describe here and begin taking steps to help reduce or localize your Chinese data processing.

Does your company need to localize?

Most large companies have begun exploring new ways to process Chinese data.

Doing so has ramifications beyond storing and processing Chinese data in China. It also entails using Chinese cloud environments, which will require licenses — and many procedures — to set up.

Many are working to localize their customer relationship management systems that handle customer data, for example.

For human resource information systems that process employee and associate data, they’re focusing on obtaining data owner consent, controlling or reducing the amount of data they collect and store, and backing up data within the country’s borders.

We are not yet seeing peer companies moving to localize research and development applications or ERP platforms.

We expect more guidance from China by year’s end regarding localization. Ideally, companies can prepare to localize but wait to act until more details are announced. Companies can also begin mapping their data and taking inventory of their systems to prepare for their CBDT security assessment.

Localization and a CAC assessment will be a must for:

• CIIOs that transfer any amount of “important” or personal information (PI) out of China
• Entities processing (collecting, storing, using, altering, transmitting, providing, disclosing or erasing) the PI of more than 1 million people
• Entities that have processed PI of 100,000 people or sensitive PI of 10,000 people since January 1 of the previous year — in other words, nearly every multinational with a significant China presence

The PIPL defines PI as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information processed anonymously.” That means you may not need CBDT approval to process anonymized data.

“Sensitive” PI, under the PIPL, refers to

• Biometric data
• Data pertaining to religious beliefs or “specific identities” 
• Medical history
• Financial accounts
• Geographic location

Personal information of people under age 14 also qualifies as “sensitive.”

Which transfers qualify as cross-border?

Sending information from inside China to somewhere outside the country is only one type of data transfer that qualifies as cross border. The term also applies to remote access from outside China to systems hosted in China.

If your US-based retail store collects data from customers who live in China wherever they may transact or buy in the world, that’s cross-border. If your employees remotely process data that’s stored in China, that counts, as well.

Even if your company has no presence in China, you’ll still need to get the Chinese government’s approval for these transfers or find a way to localize. Recent guidance from China states that even Chinese PI sent from a company located outside of China to another company in the same corporation or group also outside China is subject to CBDT regulations.

The added challenge for CIIOs

CIIOs must process not only PI but also “important” Chinese data within the country’s borders, and may not transfer it to any other country. “Important” data, under the law, is that which, if breached or leaked, could potentially cause harm to China’s national or economic interests.

China’s Cyber Security Law defines CIIOs as organizations involved in:

• Public communication and information services
• Energy
• Transport
• Water
• Finance
• Public services
• E-government services
• National defense
• Any important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage or data leaks

This last category may well include financial services and certain technology companies.

ERP and SOX ripple effects

So many questions have yet to be answered. For instance, what about banks that use enterprise resource planning (ERP) technologies to process non-personal data? If banks are deemed as CIIOs, does all their data including nonpersonal ERP data classify as “important”?

Should China require banks publicly trading in the United States to localize all their ERP data, these organizations would need to implement Sarbanes-Oxley (SOX) controls in China and have their finance executives sign off on those controls. That’s a lot of work. What’s more, they’ll need to find a China-based ERP solution or service.

We should know more in the coming months as companies submit their data-transfer plans for the Chinese government’s approval and as the government issues findings and perhaps more regulations and clarifications.

The domino effect leading to new China business strategies

With all these changes, it’s no surprise that some companies are rethinking their approach to the largest consumer market in the world. 

• The PIPL, Data Security Law (DSL), and Cyber Security Law (CSL) and their related regulations indicate a trend toward more, not fewer, requirements.
• More restrictions means more difficulty processing Chinese data outside the country.
• Bringing data and related business processes inside China often involves expenses in the tens — and even hundreds — of millions of dollars for large multinationals, and it may require new approaches to application architecture, suppliers, facilities and staffing.

Executive leadership teams are asking strategic questions in light of the PIPL developments. 

• Should we double down on the market, leave it or choose a middle path such as a joint venture with a local company? Can we reduce our offerings to what can be localized — without “crown jewels” intellectual property?
• Should we change our legal-entity structure and operating model to a “China for China” approach, or do we keep an APAC operating entity?
• How does PIPL affect our tax, deals, cloud and supply chain strategies?

Penalties for noncompliance

China is already cracking down on cyber and privacy law offenders, starting with its own companies.

Recently, the CAC imposed the largest fine outside the US, amounting to nearly 5% of the company's revenue. It found the China-based company to be in violation of three major Chinese cybersecurity and privacy laws, saying the company had mishandled personal information.

It comes on the heels of three years of escalating enforcement of the Cyber Security Law. Chinese regulators have conducted several sweeps of mobile-app stores and websites, including more than a million mobile apps and hundreds of sites in its scope. Regulators have also contacted hundreds of companies — including large, widely known US brands — requesting evidence of their CSL compliance.

Fines and penalties are not the only enforcement risk for companies falling short of their CSL or PIPL obligations. Companies could lose points in their social credit score, which they would need to report in their CBDT filings. The government could seize their computer equipment, block digital access to their services and, in the worst cases, arrest their company officers.

A path to PIPL readiness

With a thoughtful, planned-out approach to PIPL and CBDT, your organization can better be prepared to meet the government’s demands and continue business with Chinese customers uninterrupted.

Having said that, we recommend building an overall plan first for compliance with the Cyber Security Law, Data Security Law and Personal Information Protection Law. Then proceed with your CBDT, CSL and DSL assessments as well as plans, designs and options for localization.

This is a lot to address before the March 1 compliance deadline. Steps we suggest include:

1. Know your data thoroughly. Which comes from China? Do you need it to do business? Try to reduce or anonymize your data transfers as much as possible to help reduce your likelihood of being tagged for inspection.
   

2. If you think you’ll likely need to localize your Chinese data processing and/or handling, establish a risk-based, accelerated plan.
   

3. Prioritize getting approval for your existing data transfers. Prepare to submit your requests by November.
   

4. Devise a backup plan in the event that your data transfer requests are refused. Add these transfers to your localization list.
   

5. Identify the “tripwires” in China’s political and business environment that might cause a review of your company’s strategy for the market.

Bottom line:

Consider your company’s willingness and ability to take the risks of being out of compliance come March 1. How much risk can you tolerate? The answer may tell you what you need to do next.