Data: Data means information in electronic or non-electronic form, and often refers to personal data.
Data Protection: Data protection has become a popular legislative subject, with the General Data Protection Regulation (GDPR) of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), effective as of 25 May 2018, as the best-known example.
Chinese Data Protection: The Chinese data protection legislation, although it transplants many ideas contained in the GDPR, forms a different regime for data protection. These Chinese data protection laws apply not only to foreign companies doing business in China, but also to those doing China-related business in other countries. With that in mind, data compliance is now a challenge.
What are the objectives for Data Protection in China?
When the European Parliament, through its Policy Department for Citizens’ Rights and Constitutional Affairs, published the report entitled “The Data Protection Regime in China: In-depth Analysis” in 2015, it concluded as follows:
How fast things have changed in China since 2015:
These three statutes, together with the regulations promulgated under them, as well as certain provisions scattered across other statutes and regulations, have quickly woven together a “comprehensive” Chinese data protection regime.
In fact, the Chinese data protection regime has gone further than the European Parliament would have imagined. The objectives of the Chinese data protection legislation have never been limited to the protection of personal data; the protection of national security and “cyber sovereignty” may be the more important objectives. It is critical to bear this in mind when looking into the details of Chinese data protection law.
China's Data Handling and Cross-border Transfer of Data
For all purposes, the Chinese legislation has preferred the term “Personal Information”. With support from the NWSA and the DSA, the Personal Information Protection Act (PIPA) has become the main legislation protecting personal information. The PIPA drafters took the GDPR as their model, and the PIPA reproduces most, if not all, of the key protections provided for in the GDPR.
However, the PIPA does not adopt the GDPR’s distinction between the data controller and the data processor. It is said that the two are intentionally not differentiated so that they may be held jointly liable for any violation of personal information protection. For this reason, I use “data handler” in this article to refer to both the data controller and the data processor in the GDPR sense.
For data handlers, it is important to note that personal information, inter alia, cannot simply be transferred across borders without first checking for compliance. Under the PIPA, informed consent must be obtained from a natural person before her/his personal information may be transferred outside China.
Further, for any cross-border transfer of personal information, the data handler must ensure that the transfer is made only after one of the following conditions has been satisfied:
- A mandatory security assessment has been approved by the competent regulatory authority
- A certificate of personal information protection has been issued by an accredited professional institution
- A standard contract as published by the competent regulatory authority has been signed, or
- It is made specifically in accordance with an applicable statute or regulation.
Under the Methods for Security Assessment of Data Exports proposed by the Cyberspace Administration of China (the “State Internet and Information Office” in literal translation) on 29 October 2021, the data handler must obtain a security assessment approval from the competent regulatory authority prior to any data export where any of the following conditions is met:
- Export of any personal information or Important Data collected or generated by a core information infrastructure operator;
- Export of any data containing Important Data;
- Export of personal information from a personal information handler which handles personal information of one million people or more;
- Export of personal information by a personal information handler which has cumulatively exported personal information of more than one hundred thousand people or “Sensitive Personal Information” of more than ten thousand people; or
- Any other circumstance in which the competent regulatory authority requires a security assessment.
“Sensitive Personal Information” is defined by the PIPA as any personal information the disclosure or illegal use of which tends to injure the personal dignity, or the personal or property safety, of a natural person, including personal information on biometric identification, religious beliefs, specific identity, health and medical conditions, financial accounts and whereabouts, and any personal information concerning a minor aged 14 or younger.
In addition to the restrictions explained above, it is worth noting that many more restrictions could affect the cross-border transfer of data, both in the statutes and regulations mentioned above and in others. For example, the Methods for Network Security Assessment, adopted on 16 November 2021 and repealing their predecessor adopted on 13 April 2020, require that all network platform operators which control the personal information of more than one million users apply for a network security assessment before they may list on any foreign stock exchange. Didi, the “Chinese Uber”, has been charged with violation of this provision.
A further example is that the Securities Act, as amended on 28 December 2019, prohibits any individual or organisation from providing any data (“documents and materials”) relating to their securities-related activities to foreign securities regulators without prior written approval from the competent Chinese regulatory authorities. The dispute between China and the US over inspections and audits by the United States Public Company Accounting Oversight Board (PCAOB) reflects this prohibition. And the DSA prohibits the provision of any data stored within China to any foreign judicial or law enforcement authority without prior approval from the competent Chinese regulatory authorities.
Extraterritorial Applications and the Costs of Non-Compliance
The Chinese data protection laws apply to foreign companies, whether inside or outside China, where:
- They collect personal information for the purpose of providing products or services to natural persons in China
- They collect personal information for the purpose of analysing or assessing the behaviour of natural persons in China
- They deal with data in such a way as to impair Chinese national security, the public interest, or the lawful rights and interests of Chinese citizens or organisations, or
- Such application is otherwise required by a statute or regulation.
Essentially, all foreign companies, within or outside China, may be subject to Chinese data protection law so long as they deal with data from China or about Chinese natural persons.
The Criminal Act, as amended, could also become applicable, since it contains an offence of “infringing personal information”, an offence of “refusal to perform obligations relating to network security and management”, and an offence of “stealing, obtaining, purchasing or illegally providing state secrets or intelligence for (entities) outside China”.
In summary, data compliance is now a challenge that a company doing business in or relating to China must accept and manage.
How Do You Ensure Compliance with China's Data Protection Regime?
As discussed above, a comprehensive data protection regime has been established in China since 2016. This regime embodies certain personal data protection ideas similar to those contained in the GDPR, together with ideas closely related to the protection of national security and “cyber sovereignty”.
These national-security-related concepts have typically not been clearly defined. Also, the imposition by the regulatory authorities of a pre-export security assessment for the export of “Important Data” has created plenty of legal uncertainty. Moreover, the potential overlap and cross-application of the NWSA, the DSA and the PIPA, and of the regulations promulgated and to be promulgated under them, could further produce confusion and an excessive compliance burden.
With such a data protection regime in place and still evolving, it is almost imperative for foreign companies doing business in or relating to China to hire professional advisers and build up a data compliance mechanism.
Is your business considering engaging with Chinese markets?
Our data compliance team is ready to provide such services at your request.
Prospect Law is a multi-disciplinary practice with specialist expertise in the energy and environmental sectors with particular experience in the low carbon energy sector. The firm is made up of lawyers, engineers, surveyors and finance experts.
This article remains the copyright property of Prospect Law Ltd and neither the article nor any part of it may be published or copied without the prior written permission of the directors of Prospect Law.