As China continues to grow as a significant global economic force, UK businesses exploring opportunities in this expansive market face an increasingly complex regulatory environment surrounding cybersecurity and data protection, shaped by the country’s cybersecurity and data privacy laws. Recent legislative developments have introduced stringent requirements, making it crucial for businesses to understand and proactively comply with these evolving regulations.
For tech companies especially, which depend on a strong digital foundation, there are not only complex rules and regulations to get to grips with, but also risks around control of sensitive data and commercial information.
Moreover, companies aiming to establish an IT presence in the region could find themselves behind China’s Great Firewall (GFW). The GFW heavily regulates and censors the internet, blocks access to many ubiquitous Western websites like Google and Facebook and slows down cross-border internet traffic. Foreign companies are required to adapt to these regulations if they want to do business in China.
China’s cybersecurity environment
China’s regulatory framework now includes several key pieces of legislation. The Cybersecurity Law (CSL), which took effect in June 2017, provides foundational rules focusing on protecting critical information infrastructure and enforcing data localisation requirements. Building on this foundation, the Data Security Law (DSL), implemented in September 2021, introduces a structured approach to data classification, requiring businesses to adopt varying protection measures depending on the data’s sensitivity and its importance to national security. Additionally, the Personal Information Protection Law (PIPL), effective from November 2021, aligns closely with principles seen in the EU’s General Data Protection Regulation (GDPR), emphasising user consent, data minimisation, and granting individuals specific rights, including data access and deletion.
Cross-border data transfers are subject to stringent controls under these laws. Companies wishing to transfer data out of China must now utilise specific mechanisms authorised by the Cyberspace Administration of China (CAC). These include undergoing security assessments administered by CAC, obtaining certifications from accredited institutions, or entering into standardised contractual agreements with international data recipients. Non-compliance can lead to severe repercussions, including fines, operational suspensions, or business disruptions.
On 9 April 2025, the CAC released the “Q&A on Data Cross-Border Security Management Policies”, giving some more practical insights into how companies can comply with this complex framework.
For example, the Q&A states that “general data that does not involve personal information or important data can flow freely across borders”. This is an important development considering that the handling of general data has not been explicitly stipulated in the CSL, the DSL or the PIPL. Dezan Shira and Associates’s China Briefing has produced a detailed guide to the Q&A.
Considerations for UK businesses
For UK businesses, particularly those in the technology sector, this regulatory environment necessitates a comprehensive reassessment of data management strategies. Companies may need to implement local data storage solutions to meet localisation requirements fully. Establishing dedicated compliance programs and appointing responsible personnel to manage data protection matters is now essential. Additionally, engaging legal advisors with expertise in Chinese data regulations can significantly mitigate risks associated with non-compliance.
Moreover, increased regulatory enforcement activity by the CAC highlights the necessity for businesses to adopt proactive compliance measures. Regular compliance audits, training programs, and maintaining clear communication channels with regulatory authorities are critical practices for companies operating in China.
Operating digitally within China brings additional challenges, notably the Great Firewall, which restricts access to numerous Western online services. Businesses must plan for alternative digital infrastructure solutions and adapt to mandatory real-name user registrations required for online services. Furthermore, stringent content monitoring rules mean that companies must rigorously review and tailor their digital content to comply with local regulations to avoid censorship or penalties.
To navigate these complexities effectively, UK businesses are advised to conduct thorough compliance audits regularly, establish strong local partnerships for better market integration, invest in staff training on local data protection obligations, closely monitor regulatory changes, and actively engage with local regulatory bodies.
By proactively addressing cybersecurity and data protection risks and adapting swiftly to China’s evolving legal landscape, UK companies can enhance their prospects for successful and sustainable business operations in this critical global market.



