Here’s what Beijing’s sweeping new data rules will mean for companies

September 1, 2021, 10:57 AM UTC

Companies operating in China will have a new rule book to play by this week.

Starting Wednesday, companies—whether domestic or foreign—that collect data and have operations in mainland China will be subject to the new Data Security Law (DSL), which outlines how corporations should manage their data.

The new law also classifies data according to its relevance to Chinese national security, with harsher punishments—such as heavy fines or criminal liability—for companies that mishandle data deemed to be “important data” and “national core data.”

Yet the data guidelines don’t provide many details about what subjects are protected, leaving businesses in the dark as to how the rules will actually be implemented.

The DSL marks China’s first comprehensive data regulatory regime, one of three key frameworks that underpin the country’s data and cybersecurity governance. The new rules will work in tandem with China’s 2017 Cybersecurity Law, which requires firms to improve the security of their data networks, and the upcoming Personal Information Protection Law, to be enforced Nov. 1, which sets new rules for how companies handle consumers’ personal information.

China has now entered a “heavily regulated information age,” says Jim Fitzsimmons, principal for cybersecurity at Control Risks, a consultancy. China’s new data laws come as the government is strengthening its grip on the nation’s Internet firms.

Defining data

Beijing recently made clear its concerns surrounding data security after it cracked down on homegrown ride-hailing firm Didi, mere days after its blockbuster $4.4 billion NYSE initial public offering. State agencies in early July launched a regulatory assault on the company, initiating a data probe on national security grounds, then ordering China’s mobile stores to remove Didi’s app.

Despite the state’s regulatory commotion on data, the new law remains thin on details. Instead, it is a sweeping panoply of broad principles outlining how companies can and can’t use, store, process, transfer, and manage data—all in the name of national security. While the new law addresses genuine data security concerns that all countries face, it boosts the government’s control over otherwise private companies, says Karman Lucero, fellow at Yale’s Paul Tsai China Center.

China’s new data rules bar any company that manages and stores data in China from transferring data across borders without the prior, explicit approval of the authorities. Both companies and individuals can be fined for failure to comply with the new rules. And yet the law doesn’t outline how companies should obtain this approval or which agency they should approach to do so.

The scope of the DSL also grants the state extraterritorial reach, in theory. It allows regulators to take action if they deem companies’ data processing activities taking place outside the PRC to be a threat to the country’s national security. How this will actually be enforced is not clear.

Analysts say the new rules may leave many foreign companies in an impossible position. “Compliance with a foreign authority’s data access request will lead to a violation of [Chinese] law, while noncompliance…will result in a violation of the relevant foreign laws or court orders,” writes Bird & Bird counsel Clarice Yue.

The law also introduces what China calls the “data classification protection system,” which categorizes data based on its level of importance to—again—the country’s national security and public interest. Companies that mishandle “important data” and “national core data” face tougher punishments, including fines of up to 10 million RMB ($1.5 million) and criminal liability.

The law defines “national core data” as that which relates to issues of national security, public and economic interests, and citizen rights. Lucero adds that data associated with information related to sensitive technologies, trade secrets, maps, geography, and security, like personal information, could all fall under the purview of the two broad categories.

The task of defining “important data” has been left to local and sector regulators, but they’ve yet to do so—with one exception. State agencies have defined the scope of “important data” in the automotive industry, which includes “data such as vehicle flow and logistics that reflects economic operation [and] personal information involving more than 100,000 subjects,” according to the Automotive Data Security regulations.

“Overall, there’s no catalog of definitions yet, only guidelines in a draft form that haven’t been formally released. This is the biggest headache for companies now. Without that clarity [on what ‘important data’ entails], it’s hard to implement [good] corporate governance, oversight, and compliance,” Fitzsimmons says.

Fitzsimmons predicts that more clarifications from the state will come, but it’s unclear how long the process will take. “We’re hoping that after the Chinese New Year [in February 2022], more guidance will be released, though the process is very opaque,” he adds.

Risky business

Similar to the U.S., China’s implementation of data protection rules will rely on local actors. In the U.S., “courts and local agencies don’t generally follow the prerogatives of a centralized mandate…Courts can invalidate actions of the federal government. But in China, courts generally won’t act in a way that undermines the policy goals of the central government,” says Lucero.

Thus a key danger for entities operating in China is that the ambiguous language of the law could enable the government to “retroactively decide that certain information falls under one of these categories, or that a particular use of information violates the law,” he adds.

Compliance has now become a strategic function, experts say. All corporations will need to develop strong information governance processes and try to mitigate the known risks. This could include documenting the data they hold and updating compliance policies and procedures, says Fitzsimmons. Those classified as “critical information infrastructure” operators—such as telecoms, financial service businesses, and Internet platforms—are extra vulnerable.

The new data rules will also affect Chinese companies seeking initial public offerings in the U.S. Such firms will have to “seek the same challenging balance—between the competing disclosure requirements of China’s new DSL, plus U.S. listing rules” which are also becoming more stringent, says Winston Wenyan Ma, adjunct professor at the NYU School of Law and author of The Digital War: How China’s Tech Power Shapes the Future of A.I., Blockchain, and Cyberspace.

Fitzsimmons says the new data law is an important milestone in information regulation globally. But the ambiguity of the new data rules could ultimately “incentivize overcompliance…and give the government the power to punish companies for capricious reasons should the need arise,” says Lucero.
