How China’s data privacy and security rules could impact your business

Global companies must assess their data compliance maturity levels and determine whether processes can be improved.

In brief

• China has introduced laws that give data subjects new rights and protections, and include stringent penalties.
• The regulations will also affect data processors that deliver services or analyze people in China.
• Companies must understand the impact and determine what measures they might need to take.

New Chinese laws addressing data privacy and security are raising critical questions for businesses operating inside and outside of China. The Personal Information Protection Law (PIPL), which went into effect in November 2021, gives Chinese data subjects new rights as it seeks to prevent the misuse of personal data. Two months earlier, the Data Security Law (DSL) came into force. It requires business data to be categorized by different levels of importance and puts new restrictions on cross-border transfers. These regulations will have a significant impact on how companies collect, store, use and transfer data.

New protections for Chinese data subjects

The PIPL is similar to the EU’s General Data Protection Regulation (GDPR) in that it gives Chinese consumers the right to access, correct and delete their personal data gathered by businesses. It also impacts offshore data processors that deliver goods and services or analyze individuals in China.  The law includes stringent penalties. Fines can be as much as RMB50 million or up to 5% of a company’s turnover from the previous financial year. Businesses may also be required to suspend operations until they demonstrate compliance. There are also impacts on individuals, with anyone directly responsible for data protection personally facing fines of up to RMB1 million.

Considering the public interest to classify business data

The new DSL requires that business data be classified according to its relevance to national security and the public interest. Companies looking to transfer “important” data outside of China must perform an internal security review before applying for a security assessment and approval from the Cyberspace Administration of China (CAC) and other relevant authorities. Companies that mishandle data under the DSL face severe penalties.

Regulating predictive algorithms

China is taking the lead on restricting how companies use algorithms to increase sales. In September 2021, the CAC announced a three-year plan to regulate predictive algorithms used by online content providers. The draft rules prohibit algorithms that encourage online addiction, a main issue in China. The proposed regulations also require that users be told about algorithmic recommendation services and be given a way to switch them off. Because these regulations are enabled by the PIPL, they can impact foreign businesses as well as Chinese companies.

What should companies do while awaiting further guidance?

Many Chinese and global operating companies are hastening to assess their data compliance maturity levels and improve their processes. Foreign data processors in compliance with GDPR or similar statutes have work to do as well — even highly mature processes will need to be analyzed, adjusted and supplemented. Multinational companies face the dilemma of whether to adopt the most stringent data privacy and security measures wherever they do business or follow the least restrictive guidelines allowed. Based on their current business models and future growth plans, companies are carefully assessing their risks and evaluating their options.