Data protection compliance is complex, and even more so if your organisation is doing business in or relating to China. Our international trade specialist Eric Jiang covers the key laws and regulations you will likely have to comply with when handling data in, and in relation to, China, and the potential cost of non-compliance.
Data: Data means information in electronic and non-electronic forms, and often refers to personal data.
Data Protection: Data protection has become a popular legislative subject, the best known instrument being the General Data Protection Regulation (GDPR) of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), effective as of 25 May 2018.
Chinese Data Protection: The Chinese data protection legislation, although it transplants many ideas contained in the GDPR, forms a distinct data protection regime. These Chinese data protection laws apply not only to foreign companies doing business in China, but also to those doing business relating to China from other countries. With that in mind, data compliance is now a real challenge.
What are the objectives for Data Protection in China?
When the European Parliament, through its Policy Department for Citizens’ Rights and Constitutional Affairs, published the report entitled “The Data Protection Regime in China: In-depth Analysis” in 2015, it concluded as follows:
“One cannot talk of a proper data protection regime in China, at least not as it is perceived in the EU. The international data protection fundamentals that may be derived from all relevant regulatory instruments in force today, namely the personal data processing principles and the individual rights to information, access and rectification, are not unequivocally granted under Chinese law. An efficient enforcement mechanism, also required under European standards, is equally not provided for. China has no comprehensive data protection act but several relevant sectorial laws that, under a combined reading, together with basic criminal and civil law provisions, may add up to a data protection ‘cumulative effect’.”
Things have changed fast in China since 2015:
- On 7 November 2016, the Network Security Act (often roughly translated as “Cybersecurity Law”) (“NWSA”), effective 1 June 2017, was adopted.
- On 10 June 2021, the Data Security Act (“DSA”), effective 1 September 2021, was adopted.
- On 20 August 2021, the Personal Information Protection Act (“PIPA”), effective 1 November 2021, was adopted.
These three statutes, together with the regulations promulgated under them and certain provisions scattered across other statutes and regulations, have quickly been woven into a “comprehensive” Chinese data protection regime.
In fact, the Chinese data protection regime has gone further than the European Parliament would have imagined. The objectives of the Chinese data protection legislation have never been limited to the protection of personal data; the protection of national security and “cyber sovereignty” may be the more important objectives. It is critical to bear this in mind when looking into the details of Chinese data protection law.
China's Data Handling and Cross-border Transfer of Data
Under Chinese data protection law, data never simply means personal data. Under the legislation listed above, data is divided into several categories, and the data handler’s obligations in collecting, storing, using, processing, transmitting, providing and disclosing it, and especially in transferring it across borders, vary significantly from one category to another.
Core Information Infrastructure Data:
Under the Network Security Act (NWSA), this is data collected or generated by the operators of core information infrastructure (more commonly rendered in English as “critical information infrastructure”, or CII). Core information infrastructure includes, without limitation, the networks and systems of the following sectors:
- Public telecommunication and information services
- Water management
- Public services and online government services
The common thread is that the destruction or loss of function of such infrastructure, or the leakage of its data, may seriously endanger national security, the national economy and people’s livelihood, or the public interest.
All operators of core information infrastructure must store within China all personal information and Important Data (see below) collected or generated in the course of their operations in China, and may not transfer any such data across the border unless they first pass a security assessment. It should come as no surprise that large foreign companies such as Apple and Tesla have decided to store within China all the data they collect or generate there.
Both the NWSA and the Data Security Act (DSA) refer to core information infrastructure and Important Data without giving either a precise definition; both statutes leave the delimitation of these two crucial concepts to regulations to be promulgated by the competent regulatory authorities. All handlers of Important Data must periodically carry out risk assessments of their data handling activities and file the risk assessment reports with the competent regulatory authorities. Unfortunately, except perhaps for Important Data in the automobile industry, the regulatory authorities have so far provided little guidance on what counts as “Important Data” under these two statutes, so a handler must make and document its own judgement until sector-specific catalogues are issued.
Export Control Related Data:
Under the DSA, any data pertaining to items subject to export control is Export Control Related Data. Items on the current Chinese export control lists include, among others:
- Certain listed military products
- Nuclear products and core technologies
Export Control Related Data is itself a controlled item, and therefore may not be transferred outside China without the export licence required for the underlying item.
Rather than “personal data”, the Chinese legislation consistently uses the term “Personal Information”. With the NWSA and the DSA as its foundation, the Personal Information Protection Act (PIPA) has become the main legislation protecting personal information. The PIPA drafters took the GDPR as their model, and the PIPA reproduces most, if not all, of the key protections provided for in the GDPR.
However, the PIPA does not adopt the GDPR’s terminology of data controller and data processor. Its central concept is the “personal information handler”, the party that independently determines the purposes and means of handling (broadly the GDPR controller); a party that handles personal information on a handler’s behalf is an “entrusted party”, which must act within the scope agreed with the handler, and the handler remains responsible for supervising it. For simplicity, I am using “data handler” in this article to cover both roles, that is, both the data controller and the data processor under the GDPR.
For data handlers, it is important to note that personal information, among other categories, cannot simply be transferred across the border without first checking for compliance. Under the PIPA, where the transfer relies on consent, the data handler must obtain the individual’s separate informed consent before his or her personal information may be transferred outside China, having first notified the individual of the overseas recipient’s identity and contact details, the purpose and method of handling, the categories of personal information involved, and how the individual may exercise his or her rights against the overseas recipient.
Further, for any transfer of personal information across the border, the data handler must ensure that at least one of the following conditions is met before the transfer is made:
- It has passed a security assessment organised by the competent regulatory authority (mandatory in the circumstances set out below)
- It has obtained a personal information protection certification from an accredited professional institution
- It has signed with the overseas recipient a standard contract in the form published by the competent regulatory authority, or
- The transfer otherwise satisfies conditions laid down in an applicable statute or regulation.
Under the Methods for Security Assessment of Data Exports proposed by the Cyberspace Administration of China (the “State Internet and Information Office” by literal translation) on 29 October 2021, the data handler must obtain a security assessment approval from the competent regulatory authority prior to any data export where any of the following conditions is met:
- Export of any personal information or Important Data collected or generated by a core information infrastructure operator;
- Export of any data containing Important Data;
- Export of personal information by a personal information handler which handles the personal information of one million people or more;
- Export of personal information by a personal information handler which has cumulatively exported the personal information of more than one hundred thousand people or the “Sensitive Personal Information” of more than ten thousand people; or
- Any other circumstance in which the competent regulatory authority requires a security assessment.
At the time of writing these Methods were a draft for public comment; the final Measures adopted on 7 July 2022 and effective 1 September 2022 kept these triggers, with the cumulative thresholds counted from 1 January of the preceding year, so the figures above should always be checked against the text currently in force.
“Sensitive Personal Information” is defined by the PIPA as personal information which, if leaked or illegally used, may easily lead to the infringement of a natural person’s personal dignity or harm to his or her personal or property safety, including biometric identifiers, religious beliefs, specific identity, medical and health information, financial accounts and whereabouts, as well as any personal information of a minor under the age of 14.
What is Considered Other Data?
Other Data is the residual category under the NWSA and the DSA: whatever remains after Core Information Infrastructure Data and Important Data have been carved out, for the purpose of protecting national security and data security. Generally, handlers of Other Data bear fewer obligations. However, this is not always true: Other Data may also be personal information, in which case its handling is subject to the PIPA.
Further Restrictions on Data in China
In addition to the restrictions explained above, it is worth noting that many more restrictions in the statutes and regulations discussed here, and in others, could affect the transfer of data across the border. For example, the Methods for Network Security Assessment, adopted on 16 November 2021 and repealing the predecessor adopted on 13 April 2020, require that any network platform operator holding the personal information of more than one million users apply for a network security assessment before listing on any foreign stock exchange. The cybersecurity review of Didi, the “Chinese Uber”, launched days after its New York listing in July 2021, is the case most closely associated with this requirement.
A further example is the Securities Act, as amended on 28 December 2019, which prohibits any individual or organisation from providing any data (“documents and materials”) relating to securities-related activities to foreign securities regulators without the prior written approval of the competent Chinese regulatory authorities. The long-running dispute between China and the United States over inspections of audit work papers by the United States Public Company Accounting Oversight Board (PCAOB) reflects this prohibition. Likewise, the DSA prohibits providing any data stored within China to any foreign judicial or law enforcement authority without the prior approval of the competent Chinese regulatory authorities, so a foreign discovery request or subpoena is not by itself a lawful basis for export.
Extraterritorial Applications and the Costs of Non-Compliance
Chinese data protection law, as briefly discussed above, applies to all individuals and organisations who deal with data within the Chinese jurisdiction, regardless of whether they are domestic or foreign individuals, companies or other organisations. It further applies (extraterritorially) to individuals, companies or other organisations domiciled outside China if:
- They collect personal information for the purposes of providing products or services to natural persons in China
- They collect personal information for the purposes of analysing or assessing the behaviour of natural persons in China
- They deal with data in such way that impairs the Chinese national security, public interest, the lawful rights and interests of Chinese citizens or organisations, or
- Such application is otherwise required by a statute or regulation.
Essentially, all foreign companies, within or outside China, so long as they deal with data from China or about Chinese natural persons, may be subject to the Chinese data protection law.
As such, compliance with Chinese data protection law has become important for foreign companies doing business in or relating to China. Under Chinese law, failure to comply could be very costly. Under the PIPA, a serious violation could lead to:
- A penalty of up to RMB 50,000,000 or 5% of the company’s turnover in the preceding year (the statute does not say whether this means China-only or worldwide turnover),
- A suspension of business operations, or the revocation of the business licence, with
- The individuals found responsible for the non-compliance subject to a penalty of up to RMB 1,000,000 and a prohibition, for a certain period, from serving as a director, supervisor, senior manager or personal information protection officer of any company.
The Criminal Act, as amended, may also apply, since it contains an offence of “infringing personal information”, an offence of “refusing to perform obligations relating to network security and management”, and an offence of “stealing, obtaining, purchasing or illegally providing state secrets or intelligence to (entities) outside China”.
In summary, data compliance is now a challenge that a company doing business in or relating to China must accept and manage.
How Do you Ensure Compliance with China's Data Protection Regime?
As discussed above, a comprehensive data protection regime has been built up in China since 2016. This regime embodies certain personal data protection ideas similar to those contained in the GDPR, together with further ideas closely tied to the protection of national security and “cyber sovereignty”.
These national-security-related concepts have typically not been clearly defined. The pre-export security assessment imposed by the regulatory authorities on exports of “Important Data” has likewise created plenty of legal uncertainty. In addition, the potential overlap and cross-application of the NWSA, the DSA and the PIPA, and of the regulations promulgated and to be promulgated under them, may produce further confusion and an additional compliance burden.
With such data protection regime in place and evolving, it is almost imperative for foreign companies doing business in or relating to China to hire professional advisers and build up a data compliance mechanism.
- This may involve an initial inventory of what data the company has been collecting, where and how that data is stored and processed, and which of the categories above it falls into.
- An internal security assessment may need to be made to identify any existing non-compliance and open compliance issues.
- Depending on the volume of personal information handled, a personal information protection officer may need to be appointed, and a handler located outside China that falls under the PIPA must establish a dedicated entity or appoint a representative within China.
- Further actions may need to be taken to establish and maintain a data compliance system at the company.
Eric Jiang is a Partner at Jingtian & Gongcheng, a Beijing based law firm, and in that capacity works as a consultant with Prospect Law advising clients in the fields of international trade and customs, international investments and transactions, and international litigation and arbitration.
Is your business considering engaging with Chinese markets?
Our data compliance team is ready to provide such services at your request.
Prospect Law is a multi-disciplinary practice with specialist expertise in the energy and environmental sectors with particular experience in the low carbon energy sector. The firm is made up of lawyers, engineers, surveyors and finance experts.
This article remains the copyright property of Prospect Law Ltd and neither the article nor any part of it may be published or copied without the prior written permission of the directors of Prospect Law.
This article is not intended to constitute legal or other professional advice and it should not be relied on in any way.