Ever since China outlined the shift towards a digital economy as a primary national goal, the government has made concerted efforts to fulfill this vision. One area that is being promoted in full force is a data governance revolution, which aims to streamline data handling methods, as well as safeguard the national and public interests.
The Chinese Data Security Law (DSL), which took effect on September 1st, 2021, is the cornerstone of China’s “data protection” legal framework. The law not only guarantees national standardization of data protection regulations but also brings the complementary data protection laws – the Personal Information Protection Law (PIPL) and the Cybersecurity Law – under its umbrella. Although these laws are already being enforced across the country, international companies doing business in China should be mindful that additional, more concrete local regulations are expected to be published soon.
The essence of the law – explained
The DSL makes provisions on how physical and digital data can be collected, used, processed, and protected. The law stipulates that data is to be collected and used lawfully, meaning within the law’s restrictions and only if it is relevant to or aligned with the company’s business scope and core activity. In addition, the data must be properly protected. That is to say, companies should set up internal mechanisms that restrict access to the data, keep it safe under several layers of protection, and specify how to dispose of it when it is no longer of use to that company, for instance, when closing a company in China or when employment in China is terminated.
In order to create a unified regulatory system in the country, the government will establish a “nationwide hierarchical protection catalog”. Simply put, the system categorizes data by type and grades it based on its degree of sensitivity to national security and public interest. The grading has three levels: “general data”, “important data” and “core data”. The level determines how strict the respective compliance requirements will be (e.g., whether the data can be transferred abroad) and the level of penalties in case the data is leaked or compromised.
Since the national agenda is the main determinant of how data is categorized and graded, China’s Five-Year Plan in fact hints at the catalog’s structure. Industries specified as important or strategic to China’s economic progress are those most likely to be subject to the more stringent enforcement and security measures.
Practical takeaways for companies in China
Although the law is still very broadly formulated, modifications and local additions are expected in the coming weeks and months. Therefore, we strongly recommend that you keep following the national and local regulatory announcements and start communicating the premises of the law and its implications to your employees in and outside of China. An important point to note is that violations of the new requirements will result in a range of sanctions, from hefty fines to revocation of your business license in China.
Here are several actions business managers in China can start planning and executing at this stage:
Put someone in charge
Appoint a data security officer, whose job is to understand how these laws work and to ensure the company is 100% compliant with all the national and local regulations. It’s advisable that this person be a local employee in China, who can follow the developments more closely and be contacted personally when needed.
Prepare for stricter cross-border data transfer policies
International companies doing business in China regularly transfer data to their overseas headquarters. With the DSL in place, cross-border data flow is becoming much more heavily regulated and is subject to the Chinese Cybersecurity Law and the PIPL. For instance, one roadblock may arise from the requirement to perform a security assessment for any data transferred out of China.
Choose local business partners and agents carefully
Regardless of which of the parties collects, stores or uses the data, the law stipulates that responsibility for data protection is shared by both sides. In practice, from now on you had better be more careful when choosing your partners. You should consider conducting due diligence checks to confirm your partner’s identity and to ensure the data source is legal and valid. You are allowed (and now required by law) to ask for your partners’ licensing and security certifications, which they should have obtained in accordance with the Cybersecurity Law. If they collect data manually, you can request clarification as to the internal mechanisms they implement for data security purposes.
Implement internal data-protection mechanisms
We recommend that you conduct periodic risk assessments and employee training. In some cases, it is worth considering developing in-house technological systems for data protection, although this is not a mandatory requirement. It is also highly advisable to start raising your local employees’ awareness of the new law, and perhaps even to include special guidelines in the company’s Employee Handbook.
Data security regulations are already standardized in some western countries. So even if you read this post and don’t understand what the fuss is all about, do know that it is a big deal in China. Yet, as is quite common in China, the national law leaves room for future regulations to be determined by provincial and municipal governments. Keep in mind that the DSL is only one pillar in China’s comprehensive “data protection” framework, which together will make the regulatory environment much more complex and challenging. In such an environment, it’s even more important to obtain business support in China and to ensure that your business is operating in a proper and compliant manner.