
Landslide®

March/April 2024: Beyond the Map

Thriving under Increasing Data Security Scrutiny in China

Elizabeth Chien-Hale

Summary

  • China’s Cybersecurity Law sets required obligations for network operators to safeguard the security and integrity of their networks.
  • The Data Security Law governs the collection, storage, use, processing, transmission, provision, and disclosure of data within China, and extraterritorially if China’s national security and public interest might be impaired.
  • Under the Personal Information Protection Law, companies that do business in China must obtain an individual’s consent before handling their personal information, with few exceptions.

In a world where data is becoming the hot new commodity for commercialization, China, along with the rest of the world, is rushing to promulgate laws to protect national cybersecurity and to set guidelines on companies’ commercialization of personal data. While China is only one among many actively enacting data and privacy legislation, many China watchers have claimed that these laws as implemented under Chinese President Xi have created a chilling effect on the business environment in China, and that Xi’s policies, including but not limited to a flood of regulations on data security and technology, have indicated his willingness to sacrifice growth to securing the Chinese Communist Party’s control.

This article provides an overview of recently enacted legislation in China in these areas; it also offers compliance suggestions for multinational companies operating in China.

A Series of Interconnected Laws

China has thus far enacted three laws on cybersecurity and data privacy: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law.

The first of these three laws on cybersecurity and data privacy, the Cybersecurity Law of the People’s Republic of China (CSL, 中华人民共和国网络安全法), was enacted in 2016 and came into effect on June 1, 2017. The CSL offers guiding principles for issues that are of long-term importance for network security and cyberspace activities. According to Article 1, the CSL is formulated to ensure cybersecurity, safeguard cyberspace sovereignty and national security, protect social and public interests, and protect the lawful rights and interests of citizens, legal persons, and other organizations.

As a foundational law in this space, the CSL achieves its goals by setting required obligations for network operators—entities that construct, operate, maintain, or use networks in China—to safeguard the security and integrity of their networks; at the same time, the CSL is structured to allow more cybersecurity legislation to be built on top of it. For example, the term “critical information infrastructure” (CII), referenced in the CSL, became a term of art and is used in subsequent laws and regulations; a “critical information infrastructure operator” (CIIO) is subject to special requirements with respect to cross-border transfer of data of products and services.

Other than the vague language of constructing, operating, maintaining, or using networks in China, the term “network operators” is never clearly defined in the CSL. A glimpse of what a network operator might do is given in Article 24, which cites activities such as handling network access and domain name registration services for users, handling landline or mobile phone network access, or providing users with information publication or instant messaging services. Judging from these functions, and in light of the current restrictions on market entry in this sector in China, most of the burden and scrutiny under the CSL are likely to be shouldered by state-owned enterprises (SOEs) or at least by Chinese companies. Furthermore, the CIIOs that are subject to the most stringent requirements under the CSL will almost certainly be predominantly Chinese SOEs. An SOE, unlike a corporation in a capitalist system created to serve the economic interests of its shareholders, is an entity created by a government to take part in commercial activities; however, it is very often driven or supported by nonmarket factors. While SOEs create a different type of international trade concern, and the United States has previously challenged Chinese SOEs before the World Trade Organization for their trade-distorting effects, it will be the Chinese SOEs, rather than multinational companies operating in China, that bear most of the direct impact of the enforcement of the CSL.

Next came the Data Security Law (DSL, 中华人民共和国数据安全法) of 2021, which came into effect on September 1, 2021. Building on top of and expanding the scope of the CSL, the DSL governs the collection, storage, use, processing, transmission, provision, and disclosure of data within China, and extraterritorially if the data activities are deemed to impair China’s national security and public interest. The DSL is seen as a response to the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act), under which U.S. enforcement agencies are given the authority to compel companies falling under U.S. jurisdiction to produce requested data regardless of where the data is stored. The U.S. CLOUD Act can be perceived as a threat to Chinese “data sovereignty,” a stated goal under the Chinese CSL.

The DSL expands cross-border data transfer restrictions beyond CIIOs required by the CSL to include more general data processors. According to Article 31 of the DSL, the provisions of the CSL apply to the outbound security management of important data collected or produced by CIIOs operating within the mainland territory of the People’s Republic of China (PRC); furthermore, other data processors collecting or producing important data within China are to be regulated by outbound security management measures jointly formulated by the national cybersecurity and informatization department and relevant departments of the State Council. The DSL also mentions a category of important data processors, which presumably are data processors who handle important data rather than data processors of special designation. For example, Article 27 of the DSL states that “[i]mportant data processors shall clearly designate persons responsible for data security, and management bodies to implement data security protection responsibilities.” Again in Article 30, important data processors are required to make periodic risk assessments and submit risk assessment reports to the relevant departments in charge.

Curiously, there is no clear definition of what constitutes “important data” in the DSL, even though Article 21 talks about “implementing categorized and graded protection according to the data’s degree of importance in economic and social development, as well as the degree of danger to national security, public interests, or the lawful rights and interests of individuals or organizations.” Article 21 further stipulates that there will be a national data security work coordination mechanism to “comprehensively coordinate relevant departments in formulating catalogs of important data and strengthen the protection of important data.”

Circling back to the theme of data sovereignty, Article 36 stipulates that “the competent authorities of the PRC are to handle foreign justice or law enforcement institution requests for the provision of data, according to relevant laws and treaties or agreements concluded or participated in by the PRC, or in accordance with the principle of equality and reciprocity.” It goes on to say that “[d]omestic organizations and individuals must not provide data stored within the mainland territory of the PRC to the justice or law enforcement institutions of foreign countries without the approval of the competent authorities of the PRC.” This appears to be a general rule applicable to all data stored in China, regardless of the importance level of the data.

The law has significantly impacted Chinese technology companies (and their stock prices) such as Meituan, Alibaba, and DiDi, which may collect or utilize data on Chinese citizens. Not only does the DSL define “data” very broadly as “any record of information in electronic or any other form,” but this law may also apply to data processing activities outside of the territory of the PRC under certain situations. The law prohibits the export of data without first completing a “cybersecurity review,” a procedure that is still being refined. Furthermore, the Chinese government must be a part of handling requests for data made by foreign judicial or law enforcement. Without government approval, organizations or individuals in China may not provide data stored within China to any overseas judicial or law enforcement body.

Finally, the Personal Information Protection Law (PIPL, 中华人民共和国个人信息保护法) became effective on November 1, 2021. China’s PIPL has received wide attention and is sometimes compared to the European Union’s General Data Protection Regulation (GDPR), one of the world’s earliest data privacy and security laws.

Like the GDPR, the PIPL applies to all individuals, organizations, and corporations that handle the personal information of individuals within China’s borders. The PIPL may be seen as stricter than the GDPR. For example, while the GDPR allows companies to process personal data if the data is collected legally and with a justifiable basis, the PIPL does not provide a “legitimate interest” processing basis; the PIPL uses consent as the primary basis for data processing even though there were efforts to include a similar legitimate interest basis for data processing. In other words, companies that do business in China must obtain an individual’s consent before handling their personal information, except for the six exceptions outlined in Article 13, namely:

[1] Where necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded collective contracts;

[2] Where necessary to fulfill statutory duties and responsibilities or statutory obligations;

[3] Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;

[4] Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;

[5] When handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of this Law; and

[6] Other circumstances provided in laws and administrative regulations.

Some observers would say that the CSL, DSL, and PIPL were enacted in a period of increasing legal competition between China and the United States in the areas of trade, intellectual property (IP), and national security, and in the context of the U.S.-China trade war started by the Trump administration. Ironically, however, the most famous example of a misstep and resulting punishment imposed under the CSL, DSL, and PIPL involves a Chinese tech company: DiDi, a ride-hailing app company similar to Uber. Citing unspecified violations of the cybersecurity, data security, and personal information protection laws, regulators ordered DiDi to pay a whopping US$1.2 billion fine. DiDi was also forced to delist itself from the New York Stock Exchange.

Continuing Developments

The PIPL continued to take shape in 2022 when the Cyberspace Administration of China (CAC) issued a wide range of regulations and draft proposals. For example, in January 2022, the CAC issued the Cybersecurity Review Measures in conjunction with various other Chinese authorities; they seek to broaden the scope of circumstances that trigger a cybersecurity review. The measures also specify the nature of cybersecurity reviews.

In July 2022, the CAC also finalized the Measures for Security Assessment for Cross-Border Data Transfers. These measures provide specific circumstances, plus a catchall situation, that trigger a mandatory data security assessment. There were welcome signs of easing when the CAC issued proposed draft rules in September 2023 (Provisions on Standardizing and Promoting Cross-Border Data Flows, 规范和促进数据跨境流动规定征求意见稿) to introduce important exemptions from the requirement to go through the mandatory transfer mechanisms for recipients outside of China under the PIPL. This easing indicates that the Chinese government may be willing to accommodate the complaints, or actual actions, of foreign businesses, such as the recent severance of a well-known international law firm’s Chinese arm.

In addition to the above examples, there are and will be many other regulations issued and revised in these areas, which suggests that the Chinese government is still shaping the principles in the CSL, DSL, and PIPL to suit its development needs.

A problematic trend is that the Chinese government is likely to delegate enforcement and rulemaking powers on a sector-by-sector basis: automotive, telecommunications, health care, etc. This same tendency to delegate powers horizontally and widely has been observed in the IP arena, where it led to a complicated enforcement system involving multiple agencies with overlapping jurisdictions, and thus to a system that is difficult both to understand and to use.

The Rise of the China Cybersecurity Agency

The CAC is a relatively new agency with about 10 years of history. It was founded with the purpose of formulating and implementing policies related to the internet in China. It has become increasingly active in issuing rules and regulations since 2018, especially with respect to cross-border issues such as data exports or national security issues such as fake news. Most recently, it issued the world’s first set of regulations on platforms that provide generative AI services to the public.

It is interesting to observe that the new initiative restricting children’s screen time also falls within the CAC’s jurisdiction, which should come as no surprise since Articles 34 to 45 of the PIPL address the applicability of the PIPL provisions relating to minors. However, not long ago it was the National Press and Publication Agency that issued regulations limiting the number of hours minors are allowed to play online video games. Given the recent regulatory initiatives, we can also detect and confirm the maturing of a new agency that is consolidating power over all things internet, from international issues such as espionage and cyberattacks to the household use of the internet by minors.

Implications beyond Compliance Hurdles

Multinational organizations should view data protection, privacy, and cybersecurity laws and regulations in the larger context of geopolitics: nations using data protection to assert policies, influence diplomacy, enforce national security, and further economic competitiveness.

Data localization, transportation, and cross-border data flows are challenging activities that require concerted effort and significant investment from a company’s board, executives, and management teams, just as IP protection has been for companies in the past.

Adding to the costs of doing business in China will be the regulatory ambiguity during this period of frequent issuance of new measures, rules, review procedures, and likely inconsistent regulatory enforcement.

Work-Arounds

Companies should build compliance teams to execute on, and to keep the company up to date with, data security, transfer, and localization requirements. At the same time, there are a few channels that may serve as work-arounds for compliance demands:

  1. Strip personal information from the critical or personal data collected (anonymization of data).
  2. As AI tools become increasingly powerful, determine whether commercial projects can be accomplished with synthesized data rather than collected personal data or critical data.
  3. Push governments to negotiate reciprocal data transfer rights in multilateral or bilateral trade agreements between trade blocs.

©2024. Published in Landslide, Vol. 16, No. 3, March/April 2024, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.
