China must clarify ‘uncertainty’ over data security laws, allow more cross-border transfers

Beijing has been urged to set a clear definition and scope for its enforcement of data security and transfer laws as it is vital for the operation of foreign businesses as well as China’s innovation strategy, the British Chamber of Commerce in China said on Tuesday.

China has recently elevated its requirements concerning data, particularly additional assessment requirements for cross-border transfers, with the introduction of laws on data safety and the protection of personal information in the past three months.

Having introduced a cybersecurity law in 2017, the Cyberspace Administration of China also released draft measures on security assessments for cross-border data transfers last month.

“Uncertainty over cybersecurity and data protection requirements consistently feature as two of the most significant concerns voiced by British companies operating in China,” Julian MacCormac, chair of the commerce chamber, wrote in the 26-page “Cross-Border Data and Innovation” report.

“This is most notable when it comes to cross-border data transfers.”

China’s Data Security Law requires the protection of “important data”, but it also adds a requirement to protect “core data”. That data is described as information involving national and economic security, people’s welfare or an important public interest.

Companies that transfer “core data” overseas without proper approval from Beijing will face a penalty of up to 10 million yuan (US$1.56 million) and could be forced to shut down.

How China’s new data laws will make cross-border business much harder

Fines for companies that hand over “important data” to a foreign judiciary or law enforcement agency without prior approval were raised to 5 million yuan.

The Personal Information Protection Law, meanwhile, is one of the world’s toughest on personal data security and makes it harder and more expensive for technology firms in China to access and use consumer information.

Amid a push by authorities to enforce strict provisions dictating how companies store, protect and share data, last week during a top-level Politburo meeting chaired by President Xi Jinping, data and cybersecurity were highlighted as a key issue and placed high on the 2021-25 national security plan.

The tightened requirements have already forced American companies, including Apple and Tesla, to store their data about Chinese consumers onshore.

China wants to join the DEPA digital trade pact, but why ‘is anyone’s guess’

US law firm WilmerHale also warned earlier this month that the draft measures on security assessments for cross-border data contradict with China’s commitments under the World Trade Organization’s General Agreement on Trade in Services.

The draft measures could also hinder China’s bids to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership and the Digital Economy Partnership Agreement, both of which contain sections covering digital trade.

“The bias is against overseas transfer and the procedure and length of government review may prove to be burdensome,” WilmerHale said.

The British Chamber of Commerce in China report also indicated that several questions remain unanswered for the foreign business community in China, including the type of data that is considered “important data”, which companies are classified as critical information infrastructure operators and the thresholds for cross-border security assessment.

It called on Chinese regulators to allow as much data as possible to be shared across borders without requiring external security assessments, while also refraining from including data deemed to be key to commercial activities in important data catalogues.

“Data are as vital as air for businesses, especially when it comes to [research and development],” the report said.

One business has cancelled two thirds of its planned research and development projects in China, while another has been forced to downgrade the quality of service they provide to clients, the commerce chamber added.

China should allow cities to provide broad approved lists of data that can be transferred across borders in any regional pilot zones, and remove external security assessments when companies share data with sister offices, parent companies or subsidiaries, the chamber advised.

Also, the lead time for external security assessments should be lowered to less than 20 working days, from the current requirement of 40-50 days.

China has stepped up its bid to woo foreign firms, and in his first virtual meeting with US President Joe Biden last week, Xi promised easier access for employees of American businesses to travel to China.

In a meeting last week, Vice-Premier Liu He also assured Ben Keswick, executive chairman of Jardine Matheson, that China is promoting a high level of opening up and is committed to providing a fair and competitive market environment for foreign-funded enterprises

“We’ll treat enterprises of all ownership types equally,” Liu said, in his first publicly reported face-to-face meeting with a foreign business dignitary in over two years.