Any company with a subsidiary or a counterparty in China needs a basic understanding of China’s rules on information control. These go further than the GDPR because they protect national interests as well as individuals, and in some cases breaching them is a criminal offence. It is not enough simply to engage your data protection or GDPR advisors: cybersecurity and IT professionals are arguably more relevant, as are China regulatory advisors.
In 2021, two new Chinese laws on data control came into force: the PRC Data Security Law and the PRC Personal Information Protection Law.
These, combined with the PRC Cybersecurity Law that came into force in 2017, mean that China’s basic legal framework for network security and data protection has become considerably stronger over the last few years. Companies need to get to grips with these three laws and the key areas they address:
- The PRC Cybersecurity Law sets the general tone for Chinese cyberspace and builds the compliance framework for it, together with its subsidiary legislation, the Cybersecurity Review Measures and the Regulations on Security Protection of Key Information Infrastructure.
- The PRC Data Security Law deals particularly with the protection of “important data” and “national core data”. The regulated data is not limited to data held on networks. More importantly, the typical British or American idea of what is important or of national significance is much narrower than the Chinese one, where personnel, corporate or social survey data can all be deemed to be of national significance.
- The PRC Personal Information Protection Law refines the criteria for processing personal information and the protection it must receive.
This legal system has a significant and direct effect on two kinds of enterprise: Chinese enterprises with international businesses or branches abroad and foreign enterprises with businesses or branches in China.
The PRC Cybersecurity Law
The key to this legislation is found in Article 37:
Personal information and important data collected and generated by operators of key information infrastructure in the course of their operations within the territory of the People’s Republic of China shall be stored within China. Where it is truly necessary to provide such data overseas for business reasons, a security assessment shall be carried out in accordance with the measures formulated by the national network information department in conjunction with the relevant departments of the State Council; where laws and administrative regulations provide otherwise, those provisions shall prevail.
This means that foreign enterprises which are treated as operators of key information infrastructure must keep the personal information and important data they collect and generate in China on infrastructure located in China, which increases their operating costs. More significantly, the law implies that data relating to your staff or finances in China cannot be transmitted outside China until a security assessment has been passed.
This law contains a series of penalty provisions, and in some cases a breach can result in criminal liability. Other penalties, such as public exposure, confiscation of illegal income, suspension of the relevant business, closure of websites or revocation of the relevant business licence, can be imposed according to the circumstances.
The severity of the liability and the breadth of application of this law have met with some pushback, and officials have been at pains to emphasise that storing data in China is a requirement for key information infrastructure operators, not for all network operators. They also stress that the requirement is limited to personal information and important data, and that “important” means important for the country, not for enterprises or individuals. However, these explanations do not completely dispel doubt, because the definitions of “network operator” and “key information infrastructure operator” remain uncertain.
The PRC Data Security Law
Article 2 of the PRC Data Security Law provides its raison d’être:
This law shall apply to data processing activities, and the security supervision of those activities, within the territory of the People’s Republic of China. Where data processing activities outside the territory of the People’s Republic of China harm the national security, public interests, or the legitimate rights and interests of citizens and organisations of the People’s Republic of China, legal responsibility shall be pursued according to law.
Remarkably, the law provides for a wide range of extraterritorial jurisdiction, which is unusual for China (although not unheard of – Hong Kong’s National Security Law also applies anywhere in the world). In theory, someone could be held in breach of the PRC Data Security Law without ever setting foot in China.
Article 31 of the PRC Data Security Law:
The outbound security management of important data collected and generated by operators of key information infrastructure in the course of operations within the territory of the People’s Republic of China shall be governed by the PRC Cybersecurity Law; measures for the outbound security management of important data collected and generated by other data processors shall be formulated by the state network and information department in conjunction with the relevant departments of the State Council.
This provision establishes the exit requirements for important data. However, neither the Data Security Law nor the Cybersecurity Law sets out how an “outbound security assessment of important data” is to be conducted in practice, and at the time of writing the national network information department had not actually carried out such an assessment. It is therefore unclear how this provision will be implemented; that will depend on practice and on supporting measures yet to be issued.
Those who violate this law can be fined, ordered to suspend the relevant business, ordered to suspend business for rectification, or have their business licences revoked. Again, criminal liability can be incurred.
The Personal Information Protection Law
The Personal Information Protection Law sets out how personal information can be collected and used in the country and stipulates how companies may move such data out of China. Article 3 of the Personal Information Protection Law shows that, like the legislation discussed above, this law has extra-territorial application:
“This law shall also apply to activities outside the territory of the People’s Republic of China that process the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:
(1) for the purpose of providing products or services to natural persons within China;
(2) for the purpose of analysing or evaluating the behaviour of natural persons within China;
(3) other circumstances stipulated by laws and administrative regulations.”
Chapter III of the Personal Information Protection Law stipulates the requirements and conditions for the cross-border provision of personal information. It therefore affects British, American and other non-Chinese enterprises that move personal information across borders. For example, key information infrastructure operators, and personal information processors whose processing volume reaches a threshold set by the state network information department, must pass a security assessment organised by that department before personal information can be provided abroad. Other enterprises must either obtain personal information protection certification or sign a standard contract, in the form prescribed by the department, with the overseas recipient.
Companies that breach these requirements can be subject to the various penalties discussed above. The executives and other personnel directly responsible can also be punished personally and prohibited from serving as directors or senior managers. If the circumstances are particularly serious, criminal liability can arise.
Foreign enterprises should guard against the risks presented by China’s cybersecurity and data protection legal system. Furthermore, international businesses should consider both the Chinese regime and the laws and regulations of their other markets.
For example, on cross-border data flows the EU has the GDPR, the United States has the CLOUD Act, and Japan has the APPI. Yet these overseas rules tend not to deal with national security, which makes the consequences of non-compliance in China rather more serious.