cybersecurity Archives - Focus - China Britain Business Council
https://focus.cbbc.org/tag/cybersecurity/
FOCUS is the content arm of The China-Britain Business Council

How to navigate China’s cybersecurity and data privacy laws
https://focus.cbbc.org/how-to-navigate-chinas-cybersecurity-and-data-privacy-laws/
Fri, 18 Apr 2025 06:30:00 +0000

As China continues to grow as a significant global economic force, UK businesses exploring opportunities in this expansive market face an increasingly complex regulatory environment surrounding cybersecurity and data protection. Recent legislative developments have introduced stringent requirements, making it crucial for businesses to understand and proactively comply with these evolving regulations.

For tech companies, especially, where a strong digital foundation is required, there are not only complex rules and regulations to get to grips with, but also risks around control of sensitive data and commercial information.

Moreover, companies aiming to establish an IT presence in the region could find themselves behind China’s Great Firewall (GFW). The GFW heavily regulates and censors the internet, blocks access to many ubiquitous Western websites like Google and Facebook and slows down cross-border internet traffic. Foreign companies are required to adapt to these regulations if they want to do business in China.


China’s cybersecurity environment

China’s regulatory framework now includes several key pieces of legislation. The Cybersecurity Law (CSL), which took effect in June 2017, provides foundational rules focusing on protecting critical information infrastructure and enforcing data localisation requirements. Building on this foundation, the Data Security Law (DSL), implemented in September 2021, introduces a structured approach to data classification, requiring businesses to adopt varying protection measures depending on the data’s sensitivity and its importance to national security. Additionally, the Personal Information Protection Law (PIPL), effective from November 2021, aligns closely with principles seen in the EU’s General Data Protection Regulation (GDPR), emphasising user consent, data minimisation, and granting individuals specific rights, including data access and deletion.

Cross-border data transfers are subject to stringent controls under these laws. Companies wishing to transfer data out of China must now utilise specific mechanisms authorised by the Cyberspace Administration of China (CAC). These include undergoing security assessments administered by CAC, obtaining certifications from accredited institutions, or entering into standardised contractual agreements with international data recipients. Non-compliance can lead to severe repercussions, including fines, operational suspensions, or business disruptions.

On 9 April 2025, the CAC released the “Q&A on Data Cross-Border Security Management Policies”, giving some more practical insights into how companies can comply with this complex framework.

For example, the Q&A states that “general data that does not involve personal information or important data can flow freely across borders”. This is an important development considering that the handling of general data has not been explicitly stipulated in the CSL, the DSL or the PIPL. Dezan Shira and Associates’ China Briefing has produced a detailed guide to the Q&A.

Considerations for UK businesses

For UK businesses, particularly those in the technology sector, this regulatory environment necessitates a comprehensive reassessment of data management strategies. Companies may need to implement local data storage solutions to meet localisation requirements fully. Establishing dedicated compliance programs and appointing responsible personnel to manage data protection matters is now essential. Additionally, engaging legal advisors with expertise in Chinese data regulations can significantly mitigate risks associated with non-compliance.

Moreover, increased regulatory enforcement activity by the CAC highlights the necessity for businesses to adopt proactive compliance measures. Regular compliance audits, training programs, and maintaining clear communication channels with regulatory authorities are critical practices for companies operating in China.

Operating digitally within China brings additional challenges, notably the Great Firewall, which restricts access to numerous Western online services. Businesses must plan for alternative digital infrastructure solutions and adapt to mandatory real-name user registrations required for online services. Furthermore, stringent content monitoring rules mean that companies must rigorously review and tailor their digital content to comply with local regulations to avoid censorship or penalties.

To navigate these complexities effectively, UK businesses are advised to conduct thorough compliance audits regularly, establish strong local partnerships for better market integration, invest in staff training on local data protection obligations, closely monitor regulatory changes, and actively engage with local regulatory bodies.

By proactively addressing cybersecurity and data protection risks and adapting swiftly to China’s evolving legal landscape, UK companies can enhance their prospects for successful and sustainable business operations in this critical global market.

Investing in cybersecurity is crucial for UK businesses in China – here’s why
https://focus.cbbc.org/why-cybersecurity-is-a-strategic-investment-for-uk-businesses-in-china/
Mon, 07 Oct 2024 06:30:00 +0000


Kay Ng, cybersecurity and data regulations expert and founder of Cyber Analytics, offers a guide to protecting digital data and assets for British companies operating in China.

In an era of unprecedented economic volatility and geopolitical tensions, where data and cybersecurity have become the new battlegrounds, UK businesses operating in China face a unique challenge: driving business growth in a complex market while safeguarding their intellectual property and digital assets.

This guide reaffirms cybersecurity and data protection strategies, with the aim of helping companies in China to preserve their competitive advantage during uncertain times.

Why prioritising cybersecurity in China is non-negotiable, even in a downturn

In a slower growth environment, intellectual property becomes even more valuable

Robust cybersecurity measures are critical to protect trade secrets and innovations that drive competitive advantage. It is important to know in what format your IP exists, who has access to it, and whether it can be shared with competitors without your knowledge.

The typical IP a company holds is already in the public domain. However, certain IP, like trade secrets, is reserved for only a subset of inner circle executives. A global Fortune 500 manufacturing company I consulted for defined the following as IP requiring the highest level of protection:

  • Manufacturing processes and 3D drawings: These might include source code, bills of materials, etc., from R&D flow to manufacturing.
  • Customer lists: These might contain valuable information about target, existing and potential clients, their preferences and purchasing history.
  • Pricing strategies: This could include confidential information about pricing models, discounts, and other commercially sensitive data.

The Fortune 500 company’s assessment was that the above were easily subject to insider exfiltration of data and should warrant a security programme that targeted insider risks.

On the other hand, digital assets such as Internet domain names are easy targets for external attackers. Domain names could be stolen by local companies and competitors to impersonate you, thereby stealing your business.

Securing the company’s online presence and brand identity in the digital space typically forms another strand of a global company’s cybersecurity programme.

During economic downturns, regulatory bodies may increase scrutiny to protect national interests

China’s cybersecurity laws are complex and frequently updated. The Cybersecurity Law, Data Security Law, and Personal Information Protection Law form a comprehensive framework that affects almost all aspects of business operations.

During economic downturns, regulatory bodies may increase scrutiny to protect national interests. More and more non-traditional areas such as climate and the environment could now come under the umbrella of China’s state security.

Restricting the outbound flow of data means all data storage and processing such as AI and machine learning needs to be done locally. This creates job opportunities and upskilling in the local market.

The main difference between the Chinese data laws and UK GDPR is the wide and vague scope of what “important data” is to China. The deliberate vagueness means it could be interpreted in any way that suits its purpose.

The high stakes of data breaches: Financial and reputational risks you can’t afford

Europe tends to enforce GDPR consistently and regularly; China tends to make an example of large corporations as a deterrence mechanism.

For example, Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan (£860.3 million) by the Cyberspace Administration of China in 2022 after it decided that the company had violated the nation’s Network Security Law, Data Security Law, and Personal Information Protection Law. In a statement, Didi Global said it accepted the cybersecurity regulators’ decision, which came after a year-long investigation into the firm over its security practices and “suspected illegal activities”.

The key point is, the more foreign ties a company has, the more the company is subject to geopolitical risks. To date (and to my knowledge), no UK companies have been fined under the Chinese Data Laws.

Cost-effective strategies for safeguarding data interests in China

Companies can apply these cost-effective practices to safeguard their interests in challenging times:

a) Smart data management: Balancing localisation and global operations

  • Targeted data classification: Implement targeted data classification to minimise unnecessary data localisation costs.
  • Data minimisation: Don’t hoard data. It costs money to collect and store, and it increases your organisation’s burden of protection. Explore data minimisation technologies or practices to reduce storage and compliance costs.
  • Secure cloud solutions: Leverage secure cloud solutions that comply with Chinese regulations while maintaining global data access.

b) Maximising security ROI: Encryption and access control on a budget

  • Prioritise encryption: Prioritise end-to-end encryption for your most critical data assets.
  • Risk-based authentication: Implement risk-based authentication to balance security and user experience.
  • Regular access audits: Conduct regular access audits, particularly during sensitive times, to prevent unauthorised data exposure and reduce overheads.

c) Navigating compliance efficiently

  • Build relationships: Cultivate a good relationship with the relevant authorities.
  • Shared compliance resources: Consider shared compliance resources or partnerships to distribute costs while maintaining regulatory alignment.
  • Focus on fundamentals: Focus on the foundation of good data security practices and develop a streamlined compliance monitoring system to stay ahead of regulatory changes without overburdening resources.
  • Leverage technology: Utilise technology for automated compliance checks and reporting.

Staying ahead of the curve: What to watch for in an evolving landscape

a) Emerging threats in a shifting economic climate

  • Insider threats: Watch for a potential rise in insider threats as economic pressures mount.
  • Opportunistic cybercrime: Stay vigilant against opportunistic cybercrime targeting businesses perceived as vulnerable during downturns.
  • Cyber espionage: Be alert to increased cyber espionage as companies and state actors seek competitive advantages. I often see companies become the collateral damage of national rivalry rather than the targeted victim.

b) Regulatory evolution in response to economic conditions

  • Data regulation fluctuations: Anticipate potential loosening or tightening of data regulations as China balances economic growth with security concerns.
  • New incentives and requirements: Monitor for new incentives or requirements aimed at boosting specific sectors or technologies.
  • Cross-border data flow: Stay informed about changes in cross-border data flow regulations that may impact global operations.

c) Adapting to shifting cultural and operational norms

  • Evolving business practices: Be prepared for changes in business practices and cybersecurity attitudes as economic pressures evolve.
  • Government intervention: Anticipate potential increases in government oversight or intervention in key industries.
  • Risk tolerance: Understand how economic challenges might influence risk tolerance and security investment decisions among Chinese partners and competitors.

In times of economic uncertainty, businesses don’t want to spend more than needed on risk management. However, effective cybersecurity and data protection strategies become more critical in times like this. By prioritising these areas, companies can protect their most valuable assets, maintain regulatory compliance, and position themselves for resilience and future growth.

The key is to approach security as a strategic investment, balancing immediate cost considerations with long-term risk mitigation and competitive advantage. With careful planning and execution, UK businesses can navigate the complexities of the Chinese market, safeguarding their digital assets while remaining agile in the face of economic challenges.

How will China’s new data protection laws affect your business?
https://focus.cbbc.org/what-are-chinas-new-data-protection-and-user-data-laws/
Mon, 30 Aug 2021 07:41:26 +0000

UK companies operating in China are beholden to an increasing number of cybersecurity regulations influencing a raft of business activities, including the ease with which a Chinese subsidiary of a multinational company can share customer or R&D data with other parts of the business and how businesses store data.

Two new regulations making their way into law, the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), are predicted to add to the compliance burden of companies needing to move data to and from China. Together with the 2017 Cyber Security Law, these laws form the backbone of China’s cybersecurity regulation.


Data Security Law

Passed on 10 June and coming into effect on 1 September 2021, the DSL governs how data is collected, used, stored, and protected in China, including tightened restrictions on the transfer of data outside of China.

One important element of the law is a grading system that will define and establish a hierarchy of what is considered important data; companies will also have to classify the data they handle on that basis. There will also be different levels of fines and penalties for data protection violations depending on the importance of the data involved. For example, special permission may be required to collect data related to critical information infrastructure (including, but not limited to, sectors such as public communications, energy, finance, and e-government) or any data which, if disclosed, might threaten national security, the national economy, or public interests. However, beyond these, the classifications of important data have not yet been set.


Personal Information Protection Law

Sometimes referred to as China’s answer to the EU’s General Data Protection Regulation (GDPR), the PIPL was passed on 20 August and will be implemented from 1 November.

As Torsten Weller observed in a recent episode of China Business Brief, PIPL does share similarities with GDPR. For example, PIPL has strong consent and personalisation clauses, requiring user consent for the use and sharing of data, as well as an option to opt-out of automated data collection. However, there are some significant differences. For example, PIPL includes a separate clause on what happens to a user’s data after they die, i.e., their close relatives automatically gain the right to manage their data.

For businesses, there are two crucial parts of the law. The first is how data can be transferred outside of China. Companies will have to accept an audit and receive a license — likely from the Ministry of Industry and Information Technology (MIIT) — in order to transfer data out of China. The other crucial element is the liability clause, which demands that companies have a specific person who supervises data protection policy (this person can also be external) and who is personally liable for any data violations.


Why have these laws been introduced?

There are two main drivers behind these new laws. The first is growing awareness of consumer data protection. As China’s tech giants like Tencent and Alibaba have grown, there have been increasing numbers of public complaints about misuse of data and user privacy violations. For example, during this year’s 618 shopping festival, several e-commerce companies and telecoms operators were called to a meeting with MIIT over invasive spam marketing text messages. Furthermore, on 18 August, 43 apps, including WeChat, were criticised by MIIT for illegally transferring user data such as contact information and location, and also spamming users with pop-up ads.

The second is national security, as evidenced by the emphasis on “critical information infrastructure” and “core data” in the text of the DSL. This was also made clear when the Cyberspace Administration of China opened an investigation into Didi just days after its New York IPO, citing the need to “guard against risks to national data security.”


The impact on businesses

Many are wondering whether these new laws will become a burden for companies operating in China, especially those that are conducting R&D activities that involve significant amounts of data. Companies will potentially have to invest in data storage facilities in China or in hiring extra personnel to manage data protection as mentioned above. As Torsten Weller pointed out, it will not really be possible for UK companies to operate in China without storing user data here.

Although no detailed implementation guidelines have been released to date, companies should start reviewing and assessing their data activities to identify areas that could potentially require compliance with these new laws.
