The impact of China’s data regulations on European business

On 15^th November, the European Chamber released the findings of a survey on the impact of China’ s data regulations on European business, which provides an overview of the areas where further steps are needed to optimise the country’ s regulatory framework for cross-border data transfers.

Although China’ s regulatory authorities and standard-setting bodies have long been in the process of issuing legislation and standards on the protection of personal information and important data, many of the laws, guidelines and measures lack specificity, which poses serious operational and compliance challenges to European companies operating in China.

As outlined in the European Chamber’ s Cybersecurity Sub-working Group Position Paper and several other sectoral position papers in recent years, despite key regulations—including the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL)—having been in force for many years,[1] certain key elements that are necessary for their roll-out still need to be clarified by lower-level rules and/or sectoral rules. For example, the DSL prescribed the formulation of a catalogue of “important data”; however, at the time of writing, no such catalogue has been released by the relevant authorities.

At the same time, some requirements are overly stringent, causing operational burdens for businesses. These include: regulatory security assessment thresholds that are relatively low, especially for larger multinational companies (MNCs) that handle large volumes of customer or employee data; and the fact that data handlers may be unable to sign standard contracts or be certified for the cross-border handling of personal information once a regulatory security assessment has been triggered.

That being said, the Chinese authorities have sought to improve data governance regulations. For example, in August 2023, the State Council issued its Opinions of the State Council on Further Optimising the Foreign Investment Environment and Increasing Efforts to Attract Foreign Investment (Opinions). The Opinions included a point on promoting convenient security management mechanisms for cross-border data flows. It called for certain cities and regions of China—including Beijing, Shanghai and the Greater Bay Area—to pilot the creation of a list of general data that is allowed to flow freely.[2]

Following the release of the Opinions, on 28^th September 2023, the Cyberspace Administration of China (CAC) issued its draft Provisions on Regulating and Promoting Cross-border Data Flow (Draft Provisions). The Draft Provisions relieve companies of some of the major difficulties with cross-border data transfer, partly by specifying a list of exemptions to relevant obligations and partly by providing more clarity on how data handlers can verify what is qualified by the authorities as “important data”.[3] The release of the draft, therefore, was seen as a signal from the Chinese Government that it is listening to businesses’ concerns and is ready to take steps to address them. Companies are waiting eagerly for these positive signals to be translated into action.

In the meantime, the European Chamber is calling both for urgent clarification of certain aspects of the Draft Provisions and for the draft to be finalised as soon as possible. In addition, since many companies are also subject to sectoral rules on data protection and cross-border data transfer, these rules should be synchronised with the general rules on data management.

[1] The CSL came into effect on 1^st June 2017, the DSL became effective on 1^st September 2021 and the PIPL on 1^st November 2021.

[2] Opinions of the State Council on Further Optimising the Foreign Investment Environment and Increasing Efforts to Attract Foreign Investment, State Council, 13^th August 2023, viewed 26^th October 2023, <https://www.gov.cn/zhengce/content/202308/content_6898048.htm>

[3] Notice of the Cyberspace Administration of China on the Public Solicitation of Comments on the Provisions on Regulating and Promoting the Cross-border Flow of Data (Draft for Comments), Cyberspace Administration of China, 28^th September 2023, viewed 26^th October 2023, <http://www.cac.gov.cn/2023-09/28/c_1697558914242877.htm>