Data compliance: challenges to foreign companies doing business in and relating to China
Eric J Jiang
Jingtian & Gongcheng, Beijing
Data is defined as information in electronic and non-electronic forms, and the term often refers to personal data. Data protection has become a popular legislative subject, with the General Data Protection Regulation (GDPR) of the European Union (Regulation (EU) 2016/679 of the European Parliament and European Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)), effective as of 25 May 2018, as the best known of all. The Chinese data protection legislation, although it transplants many ideas contained in the GDPR, forms a different regime for data protection. Furthermore, the Chinese data protection laws apply not only to foreign companies doing business in China, but also to those doing business relating to China in other countries. Data compliance is now a challenge.
Multiple Objectives for Data Protection
When the European Parliament, through its Policy Department for Citizens’ Rights and Constitutional Affairs, published the report entitled ‘The Data Protection Regime in China: In-depth Analysis’ in 2015, it concluded as follows:
‘One cannot talk of a proper data protection regime in China, at least not as it is perceived in the EU. The international data protection fundamentals that may be derived from all relevant regulatory instruments in force today, namely the personal data processing principles and the individual rights to information, access and rectification, are not unequivocally granted under Chinese law. An efficient enforcement mechanism, also required under European standards, is equally not provided for. China has no comprehensive data protection act but several relevant sectorial laws that, under a combined reading together with basic criminal and civil law provisions, may add up to a data protection “cumulative effect”.’
How fast things have changed in China since 2015. On 7 November 2016, the Network Security Act (often roughly translated as ‘Cybersecurity Law’) (NWSA), effective 1 June 2017, was adopted. On 10 June 2021, the Data Security Act (DSA), effective 1 September 2021, was adopted. On 20 August 2021, the Personal Information Protection Act (PIPA), effective 1 November 2021, was adopted. These three statutes, together with regulations promulgated thereunder, as well as certain provisions scattered in other statutes and regulations, have quickly woven together a ‘comprehensive’ Chinese data protection regime.
In fact, the Chinese data protection regime has gone further than what the European Parliament could have imagined. The objectives to be achieved in the Chinese data protection legislation have never been limited to protection of personal data; protection of national security and ‘cyber sovereignty’ may be more important objectives to achieve. It is indeed critical for one to bear this in mind when looking into the details of the Chinese data protection law.
Data Handling and Cross-border Transfers
Data never simply means personal data under the Chinese data protection law. In fact, under the aforesaid legislation, data may be categorised differently, and the data handlers’ obligations may vary significantly in collecting, storing, utilising, processing, transmitting, providing and disclosing data, especially when data is transferred across borders.
Core Information Infrastructure Data
According to the NWSA, this is data collected or generated by the operators of core information infrastructure, which includes, without limitation, public telecommunication and information services, energy, transportation, water management, finance, public services and online government services. Disclosure of this data may be detrimental to national security, national livelihood or public interest. All ‘Core Information Infrastructure Data’ handlers must store all personal information and important data collected or generated within China and must not transfer any of such data across the borders unless they pass a national security assessment prior to the transfer. It should come as no surprise that big foreign companies such as Apple and Tesla have decided to store all their data collected or generated from China within the same country.
Both the NWSA and the DSA refer to ‘Core Information Infrastructure Data’ and ‘Important Data’, without any definition. Both statutes have left definitions of these two crucial concepts to regulations to be promulgated by competent regulatory authorities. All ‘Important Data’ handlers must periodically make risk assessments for their data handling activities and file their risk assessment reports with competent regulatory authorities. Unfortunately, except perhaps for ‘Important Data’ in the automobile industry, the regulatory authorities so far have provided little guidance on defining the ‘Important Data’ referred to in the aforementioned statutes.
Export Control Related Data
According to the DSA, any data pertaining to items subject to export control shall be classed as ‘Export Control Related Data’. Items on the current Chinese export control list include certain listed military products, nuclear products and core technologies. ‘Export Control Related Data’ shall also be controlled, and therefore shall not be transferred outside China.
For all purposes, Chinese legislation has preferred the term ‘personal information’. With support from the NWSA and the DSA, the PIPA has become the primary legislation protecting personal information. Using the GDPR as a model, the PIPA has replicated most, if not all, of the key protections provided for in the GDPR. However, the PIPA does not adopt the GDPR’s distinction between the data controller and the data processor. It is said that they are intentionally not differentiated so that they may be held jointly liable for any violation of personal information protection. For this reason, the term ‘data handler’ in this article refers to both the data controller and the data processor under the GDPR.
For the data handlers, it is important to note that personal information, inter alia, cannot simply be transferred across borders without first checking for compliance. By the PIPA, informed consent must be sought from a person before his or her personal information can be transferred outside China. Further, for any transfer of personal information across borders, the data handler must ensure that the transfer will be made only after:
- a mandatory security assessment has been approved by the competent regulatory authority;
- a certificate of personal information protection has been issued by an accredited professional institution;
- a standard contract as published by the competent regulatory authority has been signed; and
- it is made specifically in accordance with an applicable statute or regulation.
By the Methods for Security Assessment of Data Exports proposed by the Cyberspace Administration of China (the ‘State Internet and Information Office’ by literal translation) on 29 October 2021, where any of the following conditions is met, the data handler must obtain a security assessment approval from the competent regulatory authority prior to any data export:
- export of any personal information or ‘Important Data’ collected or generated by a core information infrastructure operator;
- export of any data containing ‘Important Data’;
- export of personal information from a personal information handler which handles personal information of one million people or more;
- export of personal information by a personal information handler which has cumulatively exported personal information of more than one hundred thousand people or ‘Sensitive Personal Information’ of more than ten thousand people; or
- any other circumstance in which the competent regulatory authority requires security assessment.
‘Sensitive Personal Information’ is defined by the PIPA as any personal information whose disclosure or illegal use tends to injure the personal dignity or the personal or property safety of a natural person, including personal information on biometric identification, religious beliefs, specific identity, health and medical conditions, financial accounts and whereabouts, and any personal information concerning a minor of 14 years old or younger.
‘Other Data’ is used by the NWSA and the DSA as the remaining category of data after ‘Core Information Infrastructure Data’ and ‘Important Data’, for the purpose of protecting national security and data security. Generally, there should be fewer obligations on the handlers of ‘Other Data’. However, this may not always be true. ‘Other Data’ could also include personal data or personal information, which subjects its handling to the PIPA.
In addition to the restrictions explained above, it is worth noting that there are many more restrictions that could affect the transfer of data across borders, in the aforementioned statutes and regulations, as well as in other statutes and regulations. For example, the Methods for Network Security Assessment, adopted on 16 November 2021 and repealing its predecessor adopted on 13 April 2020, require that all network platform operators which control personal information of more than one million users apply for network security assessment before they may be listed on any foreign stock exchange. Didi, the ‘Chinese Uber’, has been charged with violation of this provision. A further example is that the Securities Act, as amended on 28 December 2019, prohibits individuals or organisations from providing any data (‘documents and materials’) relating to their securities-related activities to foreign securities regulators without prior written approval from the competent Chinese regulatory authorities. The dispute between China and the United States over the Public Company Accounting Oversight Board’s role in inspecting audits actually reflects this prohibition. Moreover, the DSA prohibits provision of any data stored within China to any foreign judicial or law enforcement authorities without prior approval from the competent Chinese regulatory authorities.
Extraterritorial applications and costs of non-compliance
The Chinese data protection law, as briefly discussed above, applies to all individuals and organisations who deal with data in the Chinese jurisdiction, regardless of whether they are domestic or foreign individuals, companies or other organisations. It further applies to individuals, companies or other organisations domiciled outside of China if:
- they collect personal information for the purposes of providing products or services to natural persons in China;
- they collect personal information for the purposes of analysing or assessing the behaviour of natural persons in China;
- they deal with data in such a way as to impair Chinese national security, the public interest, or the lawful rights and interests of Chinese citizens or organisations; or
- such application is otherwise required by a statute or regulation.
Essentially, all foreign companies, within or outside China, so long as they deal with data from China or about Chinese natural persons, may be subject to Chinese data protection law.
As such, compliance with the Chinese data protection law becomes important for foreign companies doing business in, or relating to, China. By Chinese law, failure to comply with Chinese data protection law could be very costly. By the PIPA, failure to comply could lead to a penalty of up to RMB 50m or five per cent of the global turnover of the company, a suspension of business operations, or a cancellation of the business licence, with the individuals found responsible for the non-compliance subject to a penalty of up to RMB 1m and a prohibition from becoming a director, supervisor, senior manager, or information protection manager of any company. The Criminal Act, as amended, could also become applicable, since it contains an offence of ‘infringing personal information’, an offence of ‘refusal to perform obligations relating to network security and management’, and an offence of ‘stealing, obtaining, purchasing or illegally providing state secrets or intelligence for (entities) outside China’.
Strategies for compliance
As discussed above, a comprehensive data protection regime has been established in China since 2016. This regime embodies certain personal data protection ideas similar to those contained in the GDPR, and further some ideas closely related to the protection of national security and ‘cyber sovereignty’. Typically, such national-security-related ideas have not been clearly defined. Also, the imposition of a pre-export security assessment by the regulatory authorities for exports of much ‘Important Data’ has created plenty of legal uncertainty. The potential overlapping and cross-application of the NWSA, the DSA and the PIPA, and of the regulations promulgated and to be promulgated under them, could further produce confusion and an excessive compliance burden.
With such a data protection regime in place and evolving, it is almost imperative for foreign companies doing business in or relating to China to hire professional advisers and build up a data compliance mechanism. This may involve an initial analysis of what data the company has been collecting and how such data are stored and processed. An internal security assessment may need to be made to identify any instances of non-compliance and other compliance issues. Depending on how the company is handling China-related data, a data compliance officer or representative may need to be appointed. Further actions may need to be taken in order to establish and maintain a data compliance system at the company.
In summary, data compliance is now a challenge that a company doing business in, or relating to, China must accept and manage.
Eric J Jiang is a Senior Partner at Jingtian & Gongcheng, a national law firm in China, with offices in Beijing, Shanghai, Guangzhou, Shenzhen, Hong Kong, Tianjin, Nanjing, Hangzhou, Chengdu and Sanya. He is admitted to practice in all mainland provinces in China, New York (US) and Ontario (Canada). His practice currently focuses on customs and international trade, export controls and sanctions, cross-border investments, international arbitration, corporate governance and regulatory compliance.