Explainer | What China’s new data laws are and their impact on Big Tech
- The Data Security Law and Personal Information Protection Law passed this year will make it even more costly for companies to store Chinese user data overseas
- The new rules come into effect amid a broad cybersecurity crackdown that started with Didi Chuxing but is now affecting the entire online platform economy
China has long sought to shield its domestic internet from outside influences with a policy it calls “cyber sovereignty”, but a slate of new laws and regulations are forcing companies – both foreign and domestic – to keep data related to local customers and operations inside the country.
Here is a look at China’s cross-border data rules, why they are being enforced now, and what they mean for tech giants and their users.
What are China’s cross-border data rules?
Through the implementation of three recent laws – the Cybersecurity Law, Data Security Law (DSL), and Personal Information Protection Law (PIPL) – China has a range of measures that restrict cross-border data flows and enforce data localisation.
The Cybersecurity Law offers some guidance on what types of businesses or sectors might operate such critical information infrastructure. Public communications, information systems, energy, water, transport, finance, health care and other public services are all mentioned.
The law’s most important contributions to data security are two new rules that did not exist before:
- Companies considered critical information infrastructure operators must store data collected in mainland China locally;
- These firms must also undergo a security assessment to gain approval to send any of that data overseas.
The onus is on companies to adopt measures that secure their data. It specifically requires businesses to place someone in charge of cybersecurity, conduct training, and classify, back up and encrypt important data.
China’s newest data laws, passed this year, build on the groundwork laid by the Cybersecurity Law.
The DSL focuses on activities involving data processing, and the PIPL focuses on personal information. Regarding specific rules for sending data overseas, however, the laws rehash much of what is already in the Cybersecurity Law while increasing the rules’ scope and penalties.
With its focus on “personal information”, the PIPL adds yet another type of data requiring special attention.
While the PIPL has been compared to Europe’s General Data Protection Regulation (GDPR), China defines personal information more broadly than many other countries. For example, even if certain data may not be able to identify a user, it could still fall under the PIPL as long as it is “related to identified or identifiable natural persons”.
Under all of these laws, companies that want to transfer data overseas must undergo a review to address privacy, safety and cybersecurity concerns. Precisely how companies can go about doing that, however, has yet to be revealed. Future regulations from various government departments are expected to clear up some of the laws’ ambiguities.
What are the penalties for sending data overseas?
Under the Cybersecurity Law, sending data overseas without authorisation could result in a fine of 50,000 to 100,000 yuan (US$7,730 to US$15,450). Responsible personnel could also be fined 10,000 to 100,000 yuan. For serious offences, companies could have their websites shut down or business licences suspended or revoked. Storing unauthorised data overseas comes with higher penalties, with fines up to 500,000 yuan.
The DSL escalates penalties considerably, depending on how severe the government considers a given infraction. While some fines under the Cybersecurity Law could run up to 1 million yuan for failing to safeguard data and personal information, the DSL tops out at 10 million yuan for violations involving core data – i.e. data considered to impact national sovereignty or security.
Violations involving important data could result in fines of 100,000 to 1 million yuan under the new law, while companies failing to take corrective measures could be fined up to 2 million yuan. Individuals in charge of cybersecurity could also separately face fines of up to 1 million yuan for cases involving important data.
Why is China passing these laws now?
A confluence of events has made this the ideal time for Beijing to take action on data security, of which data localisation is a big part. Policy objectives reflect both the need for better security in the country, which has traditionally lagged in internet security standards, and the central government’s desire for greater control over a once freewheeling digital sector.
One immediate concern has been the need to address overseas legislation that has affected data governance standards.
With China’s tech champions on the defensive abroad, Beijing has an opportunity to tighten control of data at home using the same logic foreign governments have used against Chinese companies.
The Chinese government has previously been averse to encryption, seeking to keep data where it can be easily monitored. But now the Data Security Law requires encryption for sensitive data, keeping it accessible to authorities when needed and, ideally, hidden from foreign adversaries.
What impact will this have on companies operating in China?
When the Cybersecurity Law went into effect four years ago, the impact was almost immediate. Foreign companies suddenly had to assess their data practices to see if they were in compliance with the law, which is difficult for companies that rely on centralised control of cloud infrastructure.
While domestic companies faced new penalties for illegal cross-border transfers, most of their servers were already in China, so the law did not require a significant shift in resources.
With the DSL and PIPL, however, even domestic companies face new compliance costs, which include having specific personnel in charge of managing cybersecurity.
Data localisation is becoming an increasingly important consideration in cloud computing as the number of countries with data localisation laws continues to grow. India, Brazil and Russia, among others, have introduced their own data localisation rules.
In mainland China, however, international companies have been quick to find ways to comply with new data laws, showing the strength of the market in a country that now has 1 billion internet users.