US firms say China’s ‘ambiguous’ data laws are creating a ‘uniquely restrictive’ environment

‘Complex’, unclear regulations have made compliance difficult and created policy uncertainties for US firms in China, says the US-China Business Council

New laws and regulations are forcing companies – both foreign and domestic – to keep data related to local customers and operations inside the country

2-MIN READ2-MIN

China’s data security rules are putting pressure on American businesses operating in the country, a US business lobby says. Photo: Reuters

Published: 9:00am, 21 Apr 2022

China’s data and cybersecurity regime is creating a “uniquely restrictive” business environment and American companies face higher operating costs due to its complexity, a US business lobby said in a report on Thursday.

Beijing passed two laws in September last year – the Data Security Law (DSL) and Personal Information Protection Law (PIPL) – that restrict cross-border data flows and enforce localisation.

The regulations, which build on the groundwork laid by the Cybersecurity Law of 2017, have wide-ranging implications for how companies operate in China.

Though Beijing said they are needed to protect personal data and strengthen national security, the “ambiguous” regulations have made compliance difficult and created policy uncertainties for US firms, the US-China Business Council said in a report based on interviews with 30 American companies.

“American companies want and need to leverage their global strength in China, but they worry that the costs, complexity, and nature of China’s data and privacy frameworks increasingly will limit their ability to do so,” said Matthew Margulies, senior vice-president at the council.

The new rules, which vary across regions and industries, are putting pressure on businesses, including hotels, which face additional scrutiny from regulators about their data practices due to the volume of personal information processed.