data Archives - Focus - China Britain Business Council
https://focus.cbbc.org/tag/data/
FOCUS is the content arm of The China-Britain Business Council
Wed, 23 Apr 2025 09:48:26 +0000

China’s New Measures for Cross-Border Data Transfers
https://focus.cbbc.org/chinas-new-measures-for-cross-border-data-transfers/
Mon, 02 Dec 2024 06:30:00 +0000

China has introduced new regulations governing cross-border data transfers, setting stricter guidelines for businesses that handle and transfer personal and sensitive data across international borders, writes Kristina Koehler-Coluccia, Head of Business Advisory at Woodburn Accountants & Advisors

The new measures, which aim to protect data privacy and national security, require companies to implement comprehensive risk assessments, obtain regulatory approvals, and ensure transparency in data handling. For businesses transferring data in or out of China, understanding these requirements is crucial for maintaining compliance and avoiding penalties.

Key provisions of the cross-border data transfer regulations

  1. Mandatory security assessments for sensitive data transfers
    • Companies that transfer sensitive or critical data outside China must now conduct detailed security assessments. These assessments evaluate the risks associated with data transfers and ensure that data security standards are met. Businesses must demonstrate that adequate safeguards are in place to protect sensitive information during cross-border transfers.
  2. Regulatory approval requirements
    • Before transferring specific categories of data internationally, companies must obtain approval from Chinese regulatory authorities. This applies particularly to personal data or any data deemed critical to national security. The approval process involves a thorough review by authorities, who assess the potential risks of data leaving China and evaluate the company’s data protection protocols.
  3. Data processing and consent obligations
    • The new measures require companies to obtain explicit consent from individuals whose data will be transferred outside of China. Companies must inform individuals about the purpose, scope, and recipients of their data, ensuring that users understand and agree to the transfer. This aligns with global privacy trends prioritising user consent and control over personal data.
  4. Data localisation for critical information
    • Critical information infrastructure operators (CIIOs) are required to store personal and important data collected within China locally, unless otherwise approved. Data localisation measures aim to enhance security by keeping sensitive information within Chinese jurisdiction, reducing exposure to foreign risks.
  5. Transparency in data transfer agreements
    • Companies transferring data across borders must ensure transparency in their data transfer agreements, particularly with foreign entities receiving the data. These agreements should detail security standards, processing guidelines, and compliance with Chinese data protection regulations, ensuring that foreign partners uphold similar data security standards.
  6. Penalties for non-compliance
    • The new regulations enforce strict penalties for non-compliance, including fines, operational restrictions, or revocation of business licenses for severe violations. These penalties underscore the importance of adhering to the cross-border data transfer requirements and maintaining regulatory compliance.

Compliance strategies for businesses

  1. Conduct comprehensive risk assessments
    • To meet security assessment requirements, businesses should implement thorough risk assessments for all cross-border data transfers. Identifying and mitigating risks in advance can help ensure compliance and protect sensitive data during international transfers.
  2. Seek early regulatory approvals
    • Given the time-intensive nature of regulatory approvals, companies should apply for necessary permissions early in the transfer planning process. By preparing documentation and complying with regulatory protocols, businesses can expedite the approval process.
  3. Enhance consent mechanisms
    • Update consent forms and policies to meet the explicit consent requirements. By providing clear information on data transfer practices, companies can enhance user trust and comply with transparency obligations, ensuring that individuals are informed and in control of their data.
  4. Establish data localisation practices
    • For companies identified as CIIOs, implementing data localisation measures can support compliance and protect critical information. Local storage solutions, including working with approved data centres within China, can simplify adherence to localisation requirements.
  5. Formalise data transfer agreements
    • Develop detailed data transfer agreements with foreign partners to ensure compliance with China’s data security standards. These agreements should include clauses on data handling, security protocols, and compliance to align with Chinese regulations.

Conclusion

China’s new cross-border data transfer measures reinforce the country’s commitment to data sovereignty and privacy protection. For businesses operating in China or transferring data internationally, adhering to these guidelines is essential for legal compliance and operational stability. By proactively implementing security assessments, obtaining regulatory approvals and enhancing transparency, companies can ensure smooth cross-border data transfers within China’s regulatory framework.

Investing in cybersecurity is crucial for UK businesses in China – here’s why
https://focus.cbbc.org/why-cybersecurity-is-a-strategic-investment-for-uk-businesses-in-china/
Mon, 07 Oct 2024 06:30:00 +0000

Kay Ng, cybersecurity and data regulations expert and founder of Cyber Analytics, offers a guide to protecting digital data and assets for British companies operating in China

In an era of unprecedented economic volatility and geopolitical tensions, where data and cybersecurity have become the new battlegrounds, UK businesses operating in China face a unique challenge: driving business growth in a complex market while safeguarding their intellectual property and digital assets.

This guide revisits cybersecurity and data protection strategies in order to help companies in China preserve their competitive advantage during uncertain times.

Why prioritising cybersecurity in China is non-negotiable, even in a downturn

In a slower growth environment, intellectual property becomes even more valuable

Robust cybersecurity measures are critical to protect trade secrets and innovations that drive competitive advantage. It is important to know in what format your IP exists, who has access to it, and whether it can be shared with competitors without your knowledge.

The typical IP a company holds is already in the public domain. However, certain IP, such as trade secrets, is reserved for only a small subset of inner-circle executives. A global Fortune 500 manufacturing company I consulted for defined the following as IP requiring the highest level of protection:

  • Manufacturing processes and 3D drawings: These might include source code, bills of materials, etc., from the R&D flow through to manufacturing.
  • Customer lists: These might contain valuable information about target, existing and potential clients, their preferences and purchasing history.
  • Pricing strategies: This could include confidential information about pricing models, discounts, and other commercially sensitive data.

The Fortune 500 company’s assessment was that the categories above were particularly exposed to insider data exfiltration and therefore warranted a security programme that specifically targeted insider risk.

On the other hand, digital assets such as Internet domain names are easy targets for external attackers. Domain names could be stolen by local companies and competitors to impersonate you, thereby stealing your business.

Securing the company’s online presence and brand identity in the digital space typically forms another strand of a global company’s cybersecurity programme.

During economic downturns, regulatory bodies may increase scrutiny to protect national interests

China’s cybersecurity laws are complex and frequently updated. The Cybersecurity Law, Data Security Law, and Personal Information Protection Law form a comprehensive framework that affects almost all aspects of business operations.

During economic downturns, regulatory bodies may increase scrutiny to protect national interests. More and more non-traditional areas such as climate and the environment could now come under the umbrella of China’s state security.

Restricting the outbound flow of data means that all data storage and processing, including AI and machine learning workloads, must be done locally. This creates job opportunities and upskilling in the local market.

The main difference between the Chinese data laws and UK GDPR is the wide and vague scope of what counts as “important data” in China. The deliberate vagueness means it can be interpreted in whatever way suits the regulator’s purpose.

The high stakes of data breaches: Financial and reputational risks you can’t afford

Europe tends to enforce GDPR consistently and regularly; China tends to make an example of large corporations as a deterrence mechanism.

For example, Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan (£860.3 million) by the Cyberspace Administration of China in 2022 after it decided that the company had violated the nation’s Network Security Law, Data Security Law, and Personal Information Protection Law. In a statement, Didi Global said it accepted the cybersecurity regulator’s decision, which came after a year-long investigation into the firm over its security practices and “suspected illegal activities”.

The key point is that the more foreign ties a company has, the more it is subject to geopolitical risk. To date (and to my knowledge), no UK companies have been fined under the Chinese data laws.

Cost-effective strategies for safeguarding data interests in China

Companies can apply these cost-effective practices to safeguard their interests in challenging times:

a) Smart data management: Balancing localisation and global operations

  • Targeted data classification: Implement targeted data classification to minimise unnecessary data localisation costs.
  • Data minimisation: Don’t hoard data. It costs money to collect and store, and it increases your organisation’s burden to protect it. Explore data minimisation technologies or practices to reduce storage and compliance costs.
  • Secure cloud solutions: Leverage secure cloud solutions that comply with Chinese regulations while maintaining global data access.

b) Maximising security ROI: Encryption and access control on a budget

  • Prioritise encryption: Prioritise end-to-end encryption for your most critical data assets.
  • Risk-based authentication: Implement risk-based authentication to balance security and user experience.
  • Regular access audits: Conduct regular access audits, particularly during sensitive times, to prevent unauthorised data exposure and reduce overheads.

c) Navigating compliance efficiently

  • Build relationships: Cultivate a good relationship with the relevant authorities.
  • Shared compliance resources: Consider shared compliance resources or partnerships to distribute costs while maintaining regulatory alignment.
  • Focus on fundamentals: Focus on the foundation of good data security practices and develop a streamlined compliance monitoring system to stay ahead of regulatory changes without overburdening resources.
  • Leverage technology: Utilise technology for automated compliance checks and reporting.

Staying ahead of the curve: What to watch for in an evolving landscape

a) Emerging threats in a shifting economic climate

  • Insider threats: Watch for a potential rise in insider threats as economic pressures mount.
  • Opportunistic cybercrime: Stay vigilant against opportunistic cybercrime targeting businesses perceived as vulnerable during downturns.
  • Cyber espionage: Be alert to increased cyber espionage as companies and state actors seek competitive advantages. I often see companies become the collateral damage of national rivalry rather than the targeted victim.

b) Regulatory evolution in response to economic conditions

  • Data regulation fluctuations: Anticipate potential loosening or tightening of data regulations as China balances economic growth with security concerns.
  • New incentives and requirements: Monitor for new incentives or requirements aimed at boosting specific sectors or technologies.
  • Cross-border data flow: Stay informed about changes in cross-border data flow regulations that may impact global operations.

c) Adapting to shifting cultural and operational norms

  • Evolving business practices: Be prepared for changes in business practices and cybersecurity attitudes as economic pressures evolve.
  • Government intervention: Anticipate potential increases in government oversight or intervention in key industries.
  • Risk tolerance: Understand how economic challenges might influence risk tolerance and security investment decisions among Chinese partners and competitors.

In times of economic uncertainty, businesses don’t want to spend more than needed on risk management. However, effective cybersecurity and data protection strategies become more critical in times like this. By prioritising these areas, companies can protect their most valuable assets, maintain regulatory compliance, and position themselves for resilience and future growth.

The key is to approach security as a strategic investment, balancing immediate cost considerations with long-term risk mitigation and competitive advantage. With careful planning and execution, UK businesses can navigate the complexities of the Chinese market, safeguarding their digital assets while remaining agile in the face of economic challenges.

How to comply with China’s new rules for cross-border transfer of personal information
https://focus.cbbc.org/how-to-comply-with-chinas-new-rules-for-cross-border-transfer-of-personal-information/
Thu, 07 Sep 2023 06:30:40 +0000

Multinational corporations operating in China often share information with their subsidiaries or headquarters outside the country. However, since new regulations came into effect in June 2022, certain personal data processors, including companies that only handle data on fewer than 1 million people, are required to sign contracts with overseas recipients before sending data abroad, writes Kristina Koehler-Coluccia, Head of Business Advisory at Woodburn Global

The legislative framework in China for governing data security consists of three laws: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. The Measures on the Standard Contract for Cross-border Transfers of Personal Information, which came into effect last June, have the biggest impact on companies in China.

Though the measures have been in effect for some time, their implementation has been slow in practice as there are too many such companies in China and not enough manpower to handle their assessment reports. High compliance costs, difficulties in communicating with overseas data recipients and regulatory uncertainty are some key factors affecting companies’ willingness to declare cross-border data transfers.

The new rules, aimed at protecting national security, directly impact the cross-border transfer of personal information by businesses operating in China, Chinese companies listed overseas and those in data-rich industries such as retail, internet, health care, automotive, civil aviation and finance.

Corporations that regularly share employee or customer data with their headquarters, share IT infrastructure with their Chinese subsidiaries or have remote access to data stored in China may be subject to China’s cross-border data transfer requirements.

The first of the three mechanisms for transferring personal information out of China is the signing of a standard contract with an overseas recipient. The other two are a mandatory security assessment by the Cyberspace Administration of China (CAC), which applies to critical information infrastructure operators and to transfers of important or sensitive personal data, and certification by an accredited institution (applicable to intra-group transfers and to data processors abroad that are subject to the extra-territorial application of China’s Personal Information Protection Law).

The latter certification is only available if the transfer does not fall within the mandatory assessment requirements, and not all entities can adopt this option. For example, representative offices set up by foreign entities are not eligible.

Businesses that transfer personal data out of Mainland China on a smaller scale, such as small and medium-sized enterprises, may opt for the standard contract. This option can only be used under certain circumstances:

  • The data processor is not a critical information infrastructure operator
  • It processes the personal data of fewer than 1 million individuals
  • Since 1 January of the previous year, the personal data of fewer than 100,000 individuals (in aggregate) has been transferred
  • Since 1 January of the previous year, the sensitive personal data of not more than 10,000 individuals (in aggregate) has been transferred

A personal information protection impact assessment (PIA) must be executed before entering into the standard contract. This step evaluates important matters such as the legality and necessity of the data transfer, the scale, scope, and sensitivity of the outbound personal data, the risks to the rights and interests of individuals concerned, and other security issues. Data systems must be compatible with Chinese law in order to pass the PIA, and it is prohibited to divide data into smaller quantities to meet the standard contract criteria in an attempt to circumvent the mandatory security assessment regime.

The standard contract, impact assessment report and other supporting documents must be presented to the local cyberspace administration authority within 10 working days of the effective date of the contract.

While the Chinese government hopes to develop the digital economy to uplift the country’s gross domestic product, the rules could slow down progress for the industry. Regulators are struggling to strike a balance between enhancing data security and promoting data-driven economic growth. Moreover, industry experts argue that many aspects of the rules remain vague, such as in security assessments, thus slowing down the approval process and causing confusion for some companies.

A lack of clarity on the review criteria is slowing down the approval process, with regulators and companies not seeing eye-to-eye on why the requested data transfers are necessary. The measures for security assessment require applicants to explain why it is justified, legal and necessary for their data to flow overseas and for overseas recipients to process it, but not much more is specified.

According to experts, regulators are shifting more of their efforts towards helping companies complete the standard contract filing process, which in turn should speed up their approval of security assessments.

Companies that need to rectify any non-compliant arrangements entered into before 1 June 2023 have until 30 November to do so.

What does China’s new data privacy law mean in practice?
https://focus.cbbc.org/what-does-chinas-new-data-privacy-law-mean-for-uk-companies/
Tue, 07 Dec 2021 07:30:24 +0000

China’s new Personal Information Protection Law (PIPL) came into effect on November 1 and is now one of the strictest in the world governing what businesses can do with Chinese people’s personal information. So what do China’s new data privacy laws mean for your company in practice? And how can you make sure you’re compliant with the new regulations?

In this article, first published in China Briefing, Thomas Zhang, Dezan Shira & Associates’ Group IT Director, introduces the PIPL and explains several key considerations for companies to build a roadmap for compliance.

PIPL states that a company should appoint “a person in charge of personal information protection” when processing personal information on a large scale based on the criteria specified by the CAC. Is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?

No, it is not mandatory; however, for companies that don’t have an office in China and still want to provide services in China, a DPO or representative is necessary. In general, in cases where the company has an office in China and they can find a local person to play the role of representative, there is no need to have a DPO. Nevertheless, many companies don’t have enough internal resources to support this, so an external DPO can be very helpful.

Can a company send aggregated information derived from personal information across borders, especially if it doesn’t contain any specific personal information on Chinese citizens?

Yes, because we are talking about aggregated data – which doesn’t have any specific personal information of individuals. This means that it will be “abstract” data that cannot be tracked to one single individual. In this case, the data will not be treated as personal information or as sensitive personal information, and you are allowed to transfer it outside of China.

A company is exchanging data with its headquarters via SAP. Will this be deemed a cross-border transfer and require a Data Protection Impact Assessment (DPIA)?

If your IT system is located in the UK, but your business operations in China are processing personal information, you will need a DPIA. Whether you are allowed to transfer personal information out of the country or not is based on the scale of the personal information. The Cyberspace Administration of China (CAC) will specify the criteria about which kind of personal information will not be allowed to be transferred out, but for now, we will need to wait for more details from the government.

Many international schools store student data. What about the protection of data for children under 14 years old? Are there special protections under the PIPL?

Yes. Information from people under 14 years of age will also be regarded as sensitive information. If you are going to process sensitive personal information, you must collect separate consent and conduct a DPIA.

Are employee names and mobile phone numbers in an active directory considered personal information?

Yes. The definition of personal information is very wide under the PIPL. Any information that can be tied to one single individual is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual. Names are also a kind of personal information. Although a name can be common and used for multiple people, under the PIPL it is still considered personal information.

Are security logs (e.g., firewalls and active directories) considered personal information (as they are usually linked to an IP address or account name and not directly linkable to the user)?

Yes. Under the GDPR, IP addresses are defined as personal information, and this is the same for the PIPL. We know that IP addresses are dynamic, but from an IT perspective, we can still trace an individual to their IP address most of the time with certain efforts, making IP addresses one kind of personal information under the PIPL.

If processed personal information is stored by a third-party vendor such as Google Drive, does it fall to the vendor to formulate proper information protection that complies with the PIPL?

Similar to GDPR, under PIPL, it is the information controller – the one who makes decisions on how to collect and store the data – that assumes the responsibility for personal information protection. Therefore, if you are the information controller, and you make the decision to collect personal information and make the decision to transfer it out to save in Google Drive, you are responsible for everything. Of course, you can make a service agreement with your vendor to specify what kind of measures should be taken to protect the personal information.

If an IP address is a company private IP address, for example, 10.0.0.1, is it considered personal information?

From a technical perspective, yes. For example, in China, the cyber police require companies to set up a firewall or security device that allows the company to keep website access logs for its users. This means that even if you are using a private IP address on your company network, your firewall or security device can still record these accesses, and IT can use those records to trace back to the individual using that IP address. In practice, however, at the current stage, IP address information is a minor consideration for the authorities. There are other, more significant issues for them to pay attention to.

This article was first published by China Briefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to info@dezshira.com for more support.
