As data regulation becomes more complex in China, companies must ensure they have the right infrastructure in place. Photo: Xinhua

Navigating data compliance is becoming a bigger challenge for businesses amid increased scrutiny

  • As China’s economy continues to digitalise at a rapid pace, Beijing is seeking to build a robust data governance regime
  • Companies need to make sure they have good data management infrastructure in place, which allows them to keep Chinese data in China

Businesses are finding ways to navigate through a more complicated regulatory environment in mainland China and Hong Kong, as the Covid-19 pandemic forced all kinds of activities online, according to experts on Thursday at the South China Morning Post’s China Conference.

“We expect more laws coming in,” said Fuller Yu, chief information security officer at Hong Kong’s Hospital Authority. “Because number one, [data privacy] awareness from users [is increasing], and also, all countries are aware of their data as a critical asset and [are giving it] more protection.”

As China’s economy continues to digitalise at a rapid pace, Beijing is seeking to build a data governance regime that can strike a balance between unleashing the value of that data on the one hand and careful government scrutiny of how businesses handle personal data on the other.

A new national law that was passed last week, the Data Security Law, sets out hefty punishments for companies that fail to protect their data, including those that fail to prevent large-scale data leaks, and those that transfer the state’s “core data” overseas without Beijing’s approval. Companies that hand over “important data” to a foreign judiciary or law enforcement agency without approval will face a heavy penalty under the new law.

While no definition was given for “important data,” and only a broad definition was given of what counts as the country’s “core data,” the law also urges the establishment of a data categorisation system that will help determine the difference between the two, and what kind of data will be encouraged to circulate without restrictions.

“Ultimately governments don’t want their nation’s data sitting with some other countries [and] being held by someone else, over which they have no control,” said Crystal Hui, head of data governance and analytics at AIA Hong Kong, at the China Conference. “Especially for China, they definitely have that highly secure concept in their mind. They have to keep the data in the country, so we have to do it.”

That means companies need to make sure they have good data management infrastructure in place, which allows them to keep Chinese data in China, and carry out risk management for that data as well, Hui said.

“It’s a lot of balancing work,” Hui said.

Meanwhile, in Hong Kong, the government is now reviewing and preparing to introduce possible amendments to the city’s Personal Data (Privacy) Ordinance (the “PDPO”), one of Asia’s longest-standing comprehensive data protection laws.

The city’s lawmakers plan to introduce amendments to the PDPO, which was passed in 1995 and took effect in 1996, to align it better with the European Union’s General Data Protection Regulation (GDPR), putting forward stronger protection for personal data.

That includes mandatory notification upon data breaches and the criminalisation of doxxing. Doxxing, which refers to the act of maliciously revealing private or identifying information about a person, is a phenomenon that grew more prominent during the 2019 Hong Kong protests.

In China, another national law dedicated to the protection of personal information is also set to be introduced soon. The Personal Information Protection Law, China’s first law dedicated to data privacy, will also put forward more restrictions on how companies handle personal data. Big Tech platforms, for instance, will be asked to each create an independent oversight body tasked with scrutinising their data privacy practices.

Local governments in China are also rolling out more detailed data regulations, with Shenzhen proposing a ban on companies serving up personalised recommendations for minors – which means people under the age of 18 in China. Personalised recommendations, which draw on users’ online profiles and behaviour data to tailor content and adverts for them, are a major growth engine for some of the world’s largest online platforms, including Facebook and TikTok maker ByteDance.

Increasing scrutiny of data privacy goes hand in hand with wider government moves to rein in the influence of Big Tech, and also comes at a time when internet users are becoming more aware of their privacy online after all kinds of activities were forced online by the pandemic. 

“People are using a lot of online applications right now,” said Hui. “Previously [for example] we were not aware of this cookie thing, now everybody has a lot more awareness on this.” A cookie is data used to store user preferences for a specific site.

In order to gather the data needed for their businesses and to unlock its value, companies should make sure they are transparent with users about the data they are collecting and how it will be used, said Steven Fok, head of technology risk management at livi bank, a Hong Kong-based virtual bank offering online financial services. 

“Never ask for more than you need,” Fok said. “Customers are very smart. They know what is the value of their data and what is the nature of their data.”