Development of China’s Data Laws and the Implications for Businesses

Data has become a strategic asset in China’s digital transformation, and it presents huge opportunities as well as compliance challenges for businesses.

China Cybersecurity Law

The China Cybersecurity Law (CSL), which came into force on 1 June 2017, is the cornerstone of China’s cybersecurity and privacy regime. It regulates the construction, operation, maintenance and use of networks as well as the handling of data within the territory of China.

Cybersecurity Requirement

Pursuant to the CSL, network operators, which in practice are widely construed to include companies or businesses that operate or deliver products or services by using or relying on an internet system or telecom network, are required to comply with various cybersecurity obligations, including:

• establishing internal security management systems according to the multi-level protection scheme;
• adopting appropriate technical measures to investigate, prevent and combat cyberattacks;
• verifying the identity of customers when they subscribe for telecom services or internet access services; and
• providing technical support to authorities in the fight against terrorism and crimes.

Protection of Personal Data

The CSL has one chapter setting out privacy requirements, which set out the principles for the collection and use of personal data, network operators’ obligations to notify data subjects of the purpose, means and scope of the collection and use of their personal data and to obtain data subjects’ consent before collecting personal data, and their obligations to safeguard the secrecy and security of the personal data collected and to notify the affected data subjects and the relevant regulators in the event of data breach.

Best Practice for Handling Personal Data

The Personal Information Security Specifications (PSS), the most recent version of which came into effect on 1 October 2020, set out more detailed requirements for data processing and provide more practical guidance. As recommended national standards, the PSS do not have the force of law, but are widely deemed to be best practice and are likely to act as a benchmark when determining compliance with the data protection obligations under the CSL.

Data Localisation

Data localization is likely the most challenging compliance requirement facing international companies under the CSL. According to the CSL, for network operators falling into the category of Critical Information Infrastructure (CII), personal data and important data collected or generated in China shall be stored in China unless cross-border transfer of such data is necessary for business needs and has passed the cybersecurity assessment. However, both CII and important data are not clearly defined under the CSL. Although Chinese authorities have issued multiple draft rules and measures endeavouring to provide the much-needed clarity, the uncertainties are yet to be resolved.

Enforcement and Penalties

Chinese authorities have been active in enforcing the CSL and a considerable number of investigations have been carried out by CAC, MPS and other central and local authorities to “clean up the internet”. Chinese authorities have focused their enforcement efforts on social media operators, e-commerce platforms, healthcare institutions, financial service providers and educational institutions, and maximum administrative fines have been imposed.  In 2019, thousands of mobile apps were removed from app stores for collecting and using personal data in violation of the CSL, failure to adopt a technical mechanism to prevent cyberattacks, and failure to include required content in the privacy policy and consent.

The CSL and the relevant implementing regulations impose administrative, civil and criminal liabilities on companies and individuals that fail to comply with the legal requirements.  Sanctions can range from investigations or dawn raids by authorities, to suspension of business, shutdown of websites, administrative fines, revocation of business licenses or operating permits, civil litigation and even criminal liability in case of severe violation.  Additionally, personnel directly in charge can be individually liable and subject to administrative fines and even criminal detention. 

Implications for Businesses

It is important that companies make efforts to comply with the legal requirements under the CSL and other relevant regulations and standards (for best practice).  Non-compliance of binding rules can lead to severe penalties and also cause reputational damage.  Compliance, however, is not a straightforward exercise because, as stated above, the CSL contains high-level requirements and some articles lack the much-needed clarification or guidance for implementation.  The considerable number of rules, guidelines or standards issued since the CSL came into force in 2017 are not always consistent with each other and some rules or guidelines are yet to be finalized.  The CSL’s data localization requirement presents a special challenge for international companies that need to transfer and share data with their headquarters and affiliates on a global basis. 

Looking Ahead

China will continue to firm up its cybersecurity and privacy regime by passing new laws and formulating new rules and standards. The draft Data Security Law was published for public consultation until 16 August 2020. The draft Personal Information Protection Law has also been released for public comments on 21 October 2020 and the deadline for submission comments is 19 November 2020. These two laws will, once finalised and implemented, become significant building blocks for establishing a more comprehensive cybersecurity and data regime in China, together with the CSL. It is significant that international companies keep close watch on regulatory developments in cybersecurity and data privacy and make appropriate adjustments to their business strategy and operations in China.