Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
A man looking at a phone is seen through a digitally decorated glass during the World Internet Conference in Wuzhen, Zhejiang province, in November 2020. Photo: Reuters

Explainer | What China’s new data laws are and their impact on Big Tech

  • The Data Security Law and Personal Information Protection Law passed this year will make it even more costly for companies to store Chinese user data overseas
  • The new rules come into effect amid a broad cybersecurity crackdown that started with Didi Chuxing but is now affecting the entire online platform economy
When Chinese authorities initiated a cybersecurity review of ride-hailing giant Didi Chuxing, it marked another move in a widening crackdown on the country’s technology industry.
But it was also a unique case: Didi was the first company to be subjected to such a review in China, signalling that authorities are getting serious about how companies collect, store and use data.

China has long sought to shield its domestic internet from outside influences with a policy it calls “cyber sovereignty”, but a slate of new laws and regulations are forcing companies – both foreign and domestic – to keep data related to local customers and operations inside the country.

In addition to various laws governing data localisation, the new Data Security Law, in effect as of Wednesday, is the country’s first law designed to limit the methods of processing and using data. This will have wide-ranging implications for how tech companies operate in China.
Didi Chuxing was hit with a cybersecurity review days after going public in New York, sending its shares plummeting. The firm’s possession of sensitive data such as maps and users’ locations was said to be of particular concern to regulators. Photo: Reuters

Here is a look at China’s cross-border data rules, why they are being enforced now, and what they mean for tech giants and their users.

What are China’s cross-border data rules?

Through the implementation of three recent laws – the Cybersecurity Law, Data Security Law (DSL), and Personal Information Protection Law (PIPL) – China has a range of measures that restrict cross-border data flows and enforce data localisation.

Some rules on keeping data in China have been in place since 2017, when the Cybersecurity Law came into force. In this law, critical information infrastructure is broadly defined as anything that if damaged, disabled or disclosed would threaten national security.

The law offers some guidance on what types of businesses or sectors might deal with such infrastructure. Public communications, information systems, energy, water, transport, finance, health care and other public services are all mentioned.

The law’s most important contributions to data security are two new rules that did not exist before:

  • Companies considered critical information infrastructure operators must store data collected in mainland China locally;
  • These firms must also undergo a security assessment to gain approval to send any of that data overseas.

The onus is on companies to adopt measures that secure their data. It specifically requires businesses to place someone in charge of cybersecurity, conduct training, and classify, back up and encrypt important data.

China sets out new rules to protect ‘critical information infrastructure’

China’s newest data laws passed this year, built on the groundwork laid by the Cybersecurity Law.

The DSL focuses on activities involving data processing, and the PIPL focuses on personal information. Regarding specific rules for sending data overseas, however, the laws rehash much of what is already in the Cybersecurity Law while increasing the rules’ scope and penalties.

Like the Cybersecurity Law, the DSL requires the protection of “important data”, but it also adds a requirement to protect “core data”. That data is described as information involving national and economic security, people’s welfare or an important public interest.

With its focus on “personal information”, the PIPL adds yet another type of data requiring special attention.


Why China is tightening control over cybersecurity

Why China is tightening control over cybersecurity

While the PIPL has been compared to Europe’s General Data Protection Regulation (GDPR), China defines personal information more broadly than many other countries. For example, even if certain data may not be able to identify a user, it could still fall under the PIPL as long as it is “related to identified or identifiable natural persons”.

Under all of these laws, companies that want to transfer data overseas must undergo a review to address privacy, safety and cybersecurity concerns. Precisely how companies can go about doing that, however, has yet to be revealed. Future regulations from various government departments are expected to clear up some of the laws’ ambiguities.

What are the penalties for sending data overseas?

Under the Cybersecurity Law, sending data overseas without authorisation could result in a fine of 50,000 to 100,000 yuan (US$7,730 to US$15,450). Responsible personnel could also be fined 10,000 to 100,000 yuan. For serious offences, companies could have their websites shut down or business licenses suspended or revoked. Storing unauthorised data overseas comes with higher penalties, with fines up to 500,000 yuan.

The DSL escalates penalties considerably, depending on how severe the government considers a given infraction. While some fines under the Cybersecurity Law could run up to 1 million yuan for failing to safeguard data and personal information, the DSL tops out at 10 million yuan for violations involving core data – i.e. data considered to impact national sovereignty or security.

Centralised data centres are less economical under China’s new laws, and standard practices such as sharing data between servers in different locations can now result in steep fines. Photo: Shutterstock

Violations of important data could result in fines of 100,000 to 1 million yuan under the new law, while companies failing to take corrective measures could be fined up to 2 million yuan. Individuals in charge of cybersecurity could also separately face fines of up to 1 million yuan for cases involving important data.

Penalties under the PIPL are also much higher for infractions considered severe. Basic violations still result in fines of up to 1 million yuan, but serious violations could see fines of up to 50 million yuan or 5 per cent of annual revenue – more than the 4 per cent Alibaba Group Holding, the owner of the South China Morning Post, was fined over antitrust violations.

Why is China passing these laws now?

A confluence of events have made this the ideal time for Beijing to take action on data security, of which data localisation is a big part. Policy objectives reflect both the need for better security in the country, which has traditionally lagged in internet security standards, and the central government’s desire for greater control over a once freewheeling digital sector.

One immediate concern has been the need to address overseas legislation that has affected data governance standards.

The PIPL is seen as a way of catching up to the standards Europe set with the GDPR. The DSL is seen, in part, as a response to the 2018 Clarifying Lawful Overseas Use of Data (Cloud) Act in the US. The latter allows the US to demand access to data, regardless of where it is stored.

Huawei says US CLOUD Act, not Chinese telecoms equipment, is biggest risk

Under the DSL, a company holding data belonging to a US citizen stored on a Chinese server may not be able to legally hand over that data to the US government without proper approval. This forces companies to choose which laws to follow.
Beijing’s cited cybersecurity concerns echo those from Washington, which has blacklisted several Chinese technology giants, most notably embattled telecoms equipment maker Huawei Technologies Co.

With China’s tech champions on the defensive abroad, Beijing has an opportunity to tighten control of data at home using the same logic foreign governments have used against Chinese companies.

The focus on data security also dovetails with Beijing’s broader crackdown on the tech sector, which has been carried out in the name of strengthening antitrust law, cybersecurity and social welfare.
More practically, China’s internet has long suffered from numerous cyberattacks and data leaks. Personal information such as phone numbers, national ID cards and facial recognition data have been easy to find on some of the country’s second-hand e-commerce platforms.

Chinese police crack syndicate selling schoolchildren’s personal data online

This has become an even bigger concern during the Covid-19 pandemic, during which cyberattacks have surged. Remote work and education have meant more opportunities for hackers, who sniff out and exploit weak cybersecurity practices such as mismanaged VPNs or Microsoft Exchange servers – an exploit Chinese hackers were allegedly involved in.

The Chinese government has previously been averse to encryption, seeking to keep data where it can be easily monitored. But now the Data Security Law requires encryption for sensitive data, keeping it accessible to authorities when needed and, ideally, hidden from foreign adversaries.

What impact will this have on companies operating in China?

When the Cybersecurity Law went into effect four years ago, the impact was almost immediate. Foreign companies suddenly had to assess their data practices to see if they were in compliance with the law, which is difficult for companies that rely on centralised control of cloud infrastructure.

This led to some controversial decisions among global tech firms. Apple had to move encryption keys for Chinese iCloud customers inside the country.
For Microsoft, different organisations within the company wound up taking different approaches. Skype did not comply with the new data requirements and was eventually removed from app stores, but the company’s professional networking site LinkedIn complies with local data and censorship requirements to continue operating in the country.
Apple CEO Tim Cook previews powerful new privacy protections at Apple's Worldwide Developers Conference at Apple Park in Cupertino, California. The company said its new “private relay” VPN feature would not be available in mainland China. Photo: AFP

While domestic companies faced new penalties for illegal cross-border transfers, most of their servers were already in China, so the law did not require a significant shift in resources.

With the DSL and PIPL, however, even domestic companies face new compliance costs, which include having specific personnel in charge of managing cybersecurity.

Given the broad scope of the laws, some companies might choose to outsource management of data related to China. Hong Kong’s former privacy commissioner Stephen Wong Kai-yi said local businesses may need to hire compliance officers or go through specialist agencies when handling data from the mainland.
Another impact on domestic companies is restrictions on fundraising. Beijing is limiting data-rich companies from going public overseas. This could be a blow to the many internet platform companies that hoped to take advantage of higher valuations on US exchanges. TikTok owner ByteDance, for example, once sought a New York listing but is now preparing a Hong Kong IPO, the Financial Times reported.

Beijing takes minority stake, board seat in ByteDance’s main domestic subsidiary

More broadly, data localisation requirements could reshape the way large cloud platforms operate. Cloud computing architecture at American Big Tech firms like Amazon, Google and Microsoft were not designed for localised data. But new developments in edge computing allow for elements of applications and the data associated with them to be kept within specific geographic locations.

This is becoming an increasingly important element of cloud computing as the number of countries with data localisation laws continues to grow. India, Brazil and Russia, among others, have introduced their own data localisation rules.

China’s laws are more broad than what many countries are adopting, but the biggest impact may stem from the size of its market. After Beijing imposed the 2020 National Security Law on Hong Kong, international tech companies including Facebook, Google, Microsoft and Twitter all said they were freezing their handling of data requests from Hong Kong police.

In mainland China, however, international companies have been quick to find ways to comply with new data laws, showing the strength of the market in a country that now has 1 billion internet users.