European Chamber stance on China’s Data Security Law and Personal Information Protection Law

2021-08-25 | All chapters

Background

On 10th June 2021, the National People’s Congress promulgated the Data Security Law (DSL), which will come into force on 1st September 2021. Original Chinese text can be found here. The DSL regulates data activities in Mainland China, with the aim of ensuring data security, promoting data development and use, protecting the lawful rights and interests of natural persons and organisations, and safeguarding national sovereignty, security and development interests. Under this law, different localities in China, as well as sectoral, public and national security bodies, will all bear responsibility for data security to varying degrees.

On 20th August 2021, China also promulgated the Personal Information Protection Law (PIPL), which will be enforced on 1st November 2021. Original Chinese text can be found here. The PIPL aims to protect natural persons' personal information by setting consent mechanisms and legal liabilities for the collection, storage, use, processing, transmission, provision, disclosure and deletion thereof. The PIPL introduces new grounds for processing personal information, such as that related to human resources, which is a welcome development.

This is the first time that China has formulated legislation dedicated to data and personal information protection. The laws are part of the larger security framework under the Cybersecurity Law (CSL), which came into force in 2017.

In the absence of further clarification of terms within the laws and of clear accompanying guidelines, the European Chamber is recommending to its member companies that they carefully examine their data collection and processing activities in order to remain compliant. An admittedly oversimplified spectrum of choices for companies to consider has at one end full data localisation, both for storage and analysis/use, in ‘island solutions’ to avoid transfer compliance concerns altogether; and at the other end capacity building in legal and compliance operations to try to maximise the amount of data that could be compliantly transferred. The pros and cons along the spectrum will vary based on factors like company size, intended uses of collected data and the scale of resources that could be allocated to compliance or localisation.

Stance

The European Chamber acknowledges the DSL and the PIPL as significant positive developments in China’s overall cybersecurity regime, as they provide an important legal foundation for data management and personal protection in China that was previously lacking.

However, both laws still raise a number of concerns for European companies in China. For example, the data localisation requirements and cross-border data transfer restrictions that remain in these national laws—as well as the increasing amount and severity of such restrictions in sectoral rules such as those for the automotive sector—will potentially have an extremely negative impact on business operations. Detailed implementation rules for these laws are still required, to provide companies with clear and transparent guidelines that will enable them to achieve compliance in the most efficient way possible. For example, companies need clarity regarding the categorisation of ‘important data’ across all industries and sectors.

The divergence of China’s data protection framework from those in the rest of the world, such as the General Data Protection Regulation (GDPR) in the EU, is also a major concern. This will make it difficult for companies—both foreign and Chinese—to comply with all relevant obligations, and will increase operational costs in a world that is already highly interconnected and will only become more so.

While the European Chamber understands the importance of data protection, it offers its support to the relevant government authorities to help formulate the data protection regulations that will be subsequently published in support of the DSL and the PIPL, which can ensure:

  • transparency throughout the data protection rule-making process;
  • consistency between the CSL, the DSL and the PIPL;
  • coordination during the enforcement actions conducted by the multiple government authorities involved; and
  • proportionality of all laws and regulations, ensuring that data is used to its maximum value while ensuring public and personal safety.

“All international companies need to be able to leverage their global systems. However, this is increasingly being challenged by vague definitions of what constitutes transferable data in China, in tandem with the government’s push for localisation as its definition of ‘national security’ expands,” said Joerg Wuttke, president of the European Union Chamber of Commerce in China. “Our concern is that China may ultimately become an ‘island’, cut off from the rest of the world.” 

For more information please contact

Xinhe Fan
