How do China’s new data protection regulations impact multinational companies?
In November 2021, China announced the rollout of the new Personal Information Protection Law (PIPL). Together with the Cybersecurity Law and the Data Security Law, the PIPL is the third of three Chinese laws designed to provide a comprehensive approach to cybersecurity, data security and data privacy. Having come into effect on November 1, 2021, it is expected to alter how multinational companies outside China interact with their Chinese customers, and it also has implications for global data privacy advocacy, since China enjoys a major share of the global markets. The PIPL is the first comprehensive, national-level personal information protection law in China. However, the PIPL does not replace earlier personal information laws and regulations; it enhances and clarifies them.
In this article, we give a brief overview of the Chinese data privacy laws and then discuss in detail the implications of these laws for companies processing data in China.
A Brief Summary of Chinese Data Protection Laws
The Cybersecurity Law (CSL), published on 7 November 2016, came into effect on 1 June 2017 and brought many existing cybersecurity regulations under one single regulatory umbrella. This law is intended to protect national security, to reduce online crime and to improve and enhance information and network security in China. The CSL contains personal information protection requirements which are applicable to all enterprises that operate a computerized information network system.
The Data Security Law (DSL) came into effect on September 1, 2021 and expands on the scope and regulatory potential of the CSL. This regulation also focuses on classifying data based on its importance to Chinese national security, which in turn has a flow-through effect on how the data may be stored and transferred. Another important feature of the DSL, which has led it to be seen in some circles as a response to the US CLOUD Act, prohibits critical information infrastructure (CII) operators and other types of network operators from providing any data stored in China to any foreign judicial or law enforcement body without the approval of Chinese authorities. The scope of the DSL is extra-territorial in nature.
The most recent of the three laws, the Personal Information Protection Law (PIPL), has a number of elements strongly reminiscent of the EU GDPR and went into effect on November 1, 2021. The PIPL is designed to protect personal information, regulate its processing and promote the reasonable use of personal information. Unlike the CSL and DSL, it is limited to information about natural persons. The PIPL also has extraterritorial scope and applies to organisations in both the public and private sectors.
Overall Impact for Multinational Companies
With the rollout in 2021 of the DSL and the PIPL, China's laws on data security and personal information have aligned much more closely with other international benchmarks. By and large, compliance with the GDPR will serve organizations working with the personal data of Chinese residents well, but companies should review the requirements of the DSL and PIPL to ensure that they are compliant now and well placed to comply with anticipated regulation. These moves on China's part to better protect personal information and grant individuals more access to and rights over their data are welcome measures, and they should pave the way for other countries in the region to follow suit and put stringent data protection measures in place.
While domestic companies faced new penalties for illegal cross-border transfers, most of their servers were already in China, so the law did not require a significant shift in resources. With the DSL and PIPL, however, even domestic companies face new compliance costs, which include having specific personnel in charge of managing cybersecurity. Given the broad scope of the laws, some companies might choose to outsource management of data related to China.
Many companies in China became serious about appointing a data protection officer (DPO) after the PIPL came into force. Before the PIPL, earlier Chinese legislation such as the CSL and DSL already contained similar requirements. The PIPL states that the DPO can assume responsibilities similar to those required under the GDPR, so the Chinese concept of a DPO now fits within the established global data protection governance structure.
More broadly, data localisation requirements could reshape the way large cloud platforms operate. The cloud computing architectures of American Big Tech firms like Amazon, Google and Microsoft were not designed for localized data. But new developments in edge computing allow elements of applications, and the data associated with them, to be kept within specific geographic locations. This is becoming an increasingly important element of cloud computing as the number of countries with data localisation laws continues to grow. India, Brazil and Russia, among others, have introduced their own data localisation rules.
Based on these assessments, organizations that process a significant amount of Chinese data need to adapt to the following changes in their general data and privacy strategies:
1. Dynamic data segmentation
2. Effective data localisation techniques
3. Recruiting and collaborating with local governance staff
4. Regular multilevel assessments
5. Consent management for sensitive information
6. Initiating a third line of defense for parties
To stay on top of compliance, and to achieve holistic compliance in an agile and cost-effective way, corporations should identify their exposure to situations where these laws might apply and bridge any gaps that exist. This keeps companies up to date with their own compliance while ensuring a compliant service for clients.
On June 30, 2022 the Cyberspace Administration of China (CAC) issued the Draft SCCs Provisions (Draft Provisions on Standard Contracts for Cross-border Transfer of Personal Information). The Draft clarifies how standard contractual clauses (SCCs) may be implemented by organisations as one of the mechanisms for overseas data transfer under the PIPL. The Draft Provisions also include a template which appears to be influenced by the GDPR; several clauses are aligned with the GDPR.