I’ve seen a lot of discussions in the last few weeks – some of them actually really rather negative – about the new China data privacy laws and the implications for companies. I decided to have a closer look at these laws to see what is really regulated and what is still open.
In short, the Chinese government has attempted to create an overarching law governing how companies should behave if they gather and store any kind of data about their consumers. It is a company’s responsibility to ensure that whatever data it holds is held securely. In recent years there has been increasing criticism from Chinese citizens that their personal details were not being held securely, and this law is in part a reaction to that.
What is the new law?
Actually, the law which came into effect on 1 September 2021 is not one but two laws.
The first is the so-called China data security law, governing how companies hold data. It provides a framework to classify data by its economic importance and its relevance to national security.
The second is the so-called Personal Information Protection Law, or PIPL (roughly China’s counterpart to Europe’s GDPR), which governs how personal information may be stored and how user privacy is protected.
Why does China feel the need for these laws?
In recent months, and especially since the beginning of 2021, there has been considerable criticism from the authorities towards tech companies for bullying consumers into purchasing and participating in certain promotions. For example, in some cases a user would subscribe to a service thinking they were buying something simple, such as a low-value one-off item, when in fact it was a rather high-value subscription with no way to cancel.
A couple of months ago the government also outlawed the use of fake online reviews (until then it had been regular practice for brands to “buy” reviews), as it wants to ensure that competition is somewhat fairer in future. Several companies have also been publicly reprimanded for violating user privacy.
Which articles of the China Data Privacy Laws could be critical for overseas companies?
Between them the laws comprise 55 articles. These cover how data may be collected, stored, used, processed, transferred between company locations, provided to third parties or published.
Here, data is defined as any kind of information collected in electronic or analogue form from consumers or users. At the moment, many points about the implementation are still very vague. However, it is already clear that there will be stricter regulations for so-called “important data” or “core national data”.
This article states that there will be recourse under the law if companies process data outside of China in a way that could be deemed to damage national security, the public interest, or the legitimate rights and interests of citizens or organisations within China.
Any company that processes so-called “critical information infrastructure” data has to designate a responsible person (“data handler”) to ensure the regulations are met. This data handler may carry a level of personal liability for ensuring compliance with the laws. “Critical information infrastructure” refers, for example, to essential network facilities or information systems used in public communications, energy provision, transportation, water, finance, e-governance, or any other area that could be deemed critical to defence or national security. This kind of information is treated as a basic or strategic national resource and will be regulated more strictly.
It’s necessary to obtain security approval from the authorities before any of the above-mentioned critical data may be transferred abroad. At the moment though it looks as if general data may still be transferred out of the country.
So far it is not clear how intermediary service providers will be regulated. This includes many data trading platforms such as Jingdong Cloud or Qichacha. Is the liability for data security passed on to them by the original data provider?
What does seem clear is that these intermediary service providers need to understand very clearly where the data they are buying comes from. They have to be sure that the data was obtained legally in the first place, and they will be obliged to check whether both the buyer and the seller of the original data hold the licences necessary to carry out these transactions.
The Chinese government authorities are above this law. They can access data at almost any time for purposes of national security or in the course of criminal investigations.
On the other hand, providing data about Chinese citizens to authorities outside of China will only be legal if permission is obtained in advance. (And this is rather unlikely to be granted except in exceptional circumstances.)
What are the consequences for non-compliance?
In most cases non-compliance with these laws will mean fines for the company, and potentially also for the data handler. Depending on the importance of the data leaked, the fine could range from a relatively minor sum up to RMB 10 million. In especially serious cases, business licences or permits could be suspended or revoked, and businesses could even be closed.
Who benefits from the new China Data Privacy laws?
It’s clear that Chinese users in China will have a higher level of personal data security in future, meaning that this new law is good for the general public.
Until now there was no recourse if data provided to an online company was hacked, lost, accessed on a server, sold or stolen. There was also no protection to ensure that only as much data as needed to complete the transaction was collected.
This will change in future, with companies only allowed to collect the data needed for the job in hand. For example, if a consumer is buying a product online, the address may be collected because it is necessary for delivery, but the purchaser’s gender will not be required.
Up until now many consumers in China handed over a large amount of data in post-purchase consumer experience surveys. They might be asked when they purchased which products, how the purchasing experience was, and what else they bought at the same time; on top of this their phone, email and address details were often collected. Imagine if every company you occasionally interacted with were sending you these kinds of surveys…
Who is the loser in this scenario?
Probably, in this case, it is the smaller companies who up until now gathered data and sold it on to intermediary service providers. This has been a huge market in China, with personalised recommendation algorithms driving the vast majority of sales.
Until now for many companies in the e-commerce and online space, their data represented the majority of their company value. The huge amount of data that they collected from their users or from their consumers allowed them to charge a premium to advertisers. This may change with the new law.
What does this mean for companies working in China going forward?
Firstly, it’s essential to know that these China data privacy laws will probably result in increased costs for companies. It will be necessary to invest in IT infrastructure, in training programmes for staff, in data encryption and security, and potentially in additional personnel. For example, data handlers will have to carry out periodic compliance audits, adding to the workload within companies.
Compliance with these new laws may turn out to be rather complicated and difficult to implement. In a similar way to the European regulation, companies will need an individual’s consent to collect their personal data. According to the state, companies are only allowed to collect “the minimum scope necessary to achieve the goals of handling the data”. That means companies need to have a clear and reasonable purpose for asking for this information (you don’t need to know my profession if you are sending a taxi to my house to take me to the airport).
Perhaps most importantly
Any data which is collected has to be encrypted and stored safely.
Whilst that may seem like something that should be taken for granted, it wasn’t the case up until now. That doesn’t mean the rest of the world is much better in this respect – the US has yet to pass a federal law on data security and personal data privacy, although California already has a similar law. (You may remember the case of Experian in the US, whose servers were hacked and personal data stolen. However, Experian itself was not held liable for the loss of this personal data.)
Realistically speaking, in future all data collected on Chinese consumers and users should be stored on servers located in China. That also means that many companies may be forced to set up an entity in China as well. Companies such as Apple or Tim Hortons have already tried to get ahead of the curve by founding companies that they can use as a home location for their data on Chinese consumers.
Also, companies will need permission from users to apply personalised algorithms to the recommendations that they make. All users must have the right to opt out of this in future. Can you imagine how the recommendations on video platforms will look if consumers opt out of this? Or how the “customers also bought” section of an e-commerce platform could look? Can you imagine YouTube or Amazon without your recommendations?
Ethics & Social Morality as a concept
It is the first time in Chinese law that ethics or social morality has been anchored as a concept. This was partly driven by examples such as that of an online car-hailing app whose drivers were found to have access to users’ personal data such as gender, age or occupation. Of course, none of this is relevant to transporting a person from A to B, and it was partly abused.
The law also protects the vulnerable to a certain extent, by preventing companies from insisting on digital payments only. The last 18 months have been a steep and difficult learning curve for many elderly citizens, with Covid QR health codes being necessary to go anywhere and food purchasing moving almost completely online at times. These new laws, however, anchor the obligation (for now at least) for companies to accept traditional ordering methods and means of payment.
These new laws should also work hand-in-hand with the cyber security law which was passed in 2017.
What do companies need to watch out for?
As of today in 2021, these two laws represent an overarching framework rather than a detailed list of instructions on how companies should manage their data security in future. It is quite usual in China to formulate laws in this way: the law is published first, and in the months that follow an increasing number of supplementary regulations with detailed implementation instructions are brought out.
That means companies need to keep a close eye on the situation to ensure the integrity of their data. Transferring any kind of private data on Chinese consumers to your head office shouldn’t be done unless you have very good grounds for doing so. In most cases this is probably not required anyway, as anonymised data is usually sufficient for statistical purposes.
This new law will certainly benefit general users; however, as I’ve already mentioned, it could be rather tricky and potentially expensive for smaller companies to implement well. Keep a close eye out for the implementation updates being published in the coming months, as those will give you the true picture of what compliance means for your China business. There will also be additional information about which authorities or departments are responsible for implementation and control.
Obviously, I’m not a lawyer or legal specialist so this article is designed to be purely informative.