China’s data protection regime tells us how the resource is valued
2021 has been a busy year for China’s cybersecurity regime. At the national level, the Personal Information Protection Law (PIPL) was passed in August and will come into effect on 1st November. China’s Data Security Law (DSL), passed earlier in June, came into effect in September 2021. Regulations on the protection of critical information infrastructure were enacted in late summer. The automotive sector has also seen multiple cybersecurity regulations, including a wide-sweeping regulation on the governance of automotive data and a guiding opinion on the cybersecurity of smart vehicles. As Tiffany Wong from Sinolytics explains, all these laws and policies fundamentally change the way corporations should think about data and data processes in China.
Together with the 2017 Cybersecurity Law (CSL), the PIPL and the DSL form a three-pronged cybersecurity framework that covers all aspects of a corporation’s functions. The CSL, forming the foundation for regulations such as the network grading system Multi-level Protection Scheme 2.0, focusses mainly on network security compliance. The PIPL, focussing on the categories of personal information and sensitive personal information, poses new challenges for corporations collecting and processing such data; cross-border transfer of personal information could potentially trigger additional security assessments by the Cyberspace Administration of China (CAC). Individual consent is now required for information collected on persons based in Mainland China. Companies in Europe are likely to need to revise their privacy policies in order to comply with the law.
Understanding the DSL
The newly-effective DSL remains one of the more challenging laws to comply with and interpret. It includes the category “important data”, which will be subject to stricter controls than ordinary data. What exactly constitutes “important data” remains unclear, but companies are expected to comply in ways that could lead to significant costs. Another aspect of the DSL also remains underexplored by businesses – the fact that the law treats and protects data as a strategic economic resource. To better understand the DSL, corporations need to consider the two aspects of what data security means for China: 1) protecting national security, and 2) protecting data as an economic asset.
For foreign companies, assessing how their data-collecting and -processing procedures are seen through the lens of national interest has become a pressing matter. According to Article (Art.) 21 of the DSL, any and all data collected and processed within China’s borders will be categorised based on levels of potential harm towards legal persons, public security and national security. Many corporations process data that is not directly managed by the national security apparatus, but which may still be seen as sensitive information by the state (for example, mapping data). Under the DSL, data will fall into one of three classes: core data of the state; “important data”; and general data.
The “important data” challenge
But what does it mean for a foreign company to process “important data”? A concept introduced by the 2017 CSL, “important data” is now subject to an extensive set of security requirements as enumerated in the DSL. The implications for companies are wide-ranging: they are required to set up a separate data security management system, with regular employee training (Art. 27), and carry out regular risk assessments (Art. 30). “Important data” generated by critical information infrastructure operators (CIIOs) must be localised. Non-CIIOs can also expect increased scrutiny due to cross-border data transfer regulations to be released by the CAC and other government bodies (Art. 31). All this complicates the processing and transfer of data for foreign firms. In some cases, companies could be required to store data that contain critical intellectual property within China’s borders.
The challenge is that the DSL does not yet give a precise enough definition of “important data” for companies to know whether they collect and process such data. The law stipulates that this work will be incrementally carried out by government agencies. Regional and industry regulators will draw up “important data” catalogues, with the overall planning conducted at national level to avoid fragmentation of data protection rules (Art. 21).
Data as a means of production
But it would be oversimplifying to state that China regards data protection solely as a matter of security. In April 2020, the State Council released a set of guidelines for the Chinese Government to facilitate more effective flow of factors of production, entitled Opinions on Improving the Mechanisms for Market-based Allocation of Production Factors. This document identifies data as an economic asset critical to creating value in the digital economy. Data is treated by the Chinese Government as a strategic resource, and has de facto become a fourth ‘production factor’ in addition to labour, land and capital.
Through the “data as a strategic resource” lens, data protection is inextricably linked to data valuation and the development of China’s economy. Interspersed among compliance requirements, Art. 7 of the DSL states that data protection should play a part in “promoting the development of the digital economy”. Art. 13 stipulates that data security should be used to “ensure the development of data for utilisation and to build the digital industry”. Art. 19 calls for the creation of data-trading platforms. From the Chinese Government’s perspective, data cannot reliably be used as a resource for a data-driven economy without first ensuring that critical information cannot be leaked.
The DSL shows an intention both to protect information that is vital to national security and to unleash data’s value potential – a balancing act of security and value proposition. The law does not aim to cripple corporations’ ability to use data, but rather to guide them in maximising their data’s valuation while maintaining protective measures around information deemed sensitive for national security.
Case study: automotive data security
A recent example involves the Trial Provisions on the Management of Automobile Data Security (Provisions). The Provisions lay out the types of data collected by (smart and connected) vehicles that are subject to increased protection requirements and stricter regulations. This includes vehicle data and all other information collected by cars – city streets, other vehicles, pedestrians, and their own drivers and passengers. All this data will have to be stored in China; cross-border transfer triggers security assessments. The Provisions cover the entire “life-cycle” of data, meaning that the suppliers of automotive manufacturers will also face increased regulatory requirements and scrutiny.
The Provisions effectively force automotive companies to segment data into granular categories – important data, personal information, sensitive personal information and the rest. On the flip side, they also force automotive companies to control what data needs to be tightly governed (that infringing on people’s rights and affecting national security) and what data might be used to leverage economic value (that which can easily be collected and transferred). The process is daunting for most corporations, whether local or foreign. But the Chinese Government considers this a small price to pay if it makes automotive companies see data from the government’s perspective: resources that need to be protected before their value can be fully unleashed.
China’s cybersecurity and data protection laws have evolved and matured with astonishing speed in the last two years. Data security supervision will likely increase, bringing new compliance complications. Businesses in China will need to seriously tackle these challenges, including systematically reviewing their current data-handling strategies and procedures. However, the potential opportunities that will arise in the digital economy arena once China’s data security regime is in place should not be overlooked. Anhui and Chongqing’s regional governments are already inviting corporations to play active roles in their big-data trading platforms. Meanwhile, cross-border data platforms are slowly emerging. China’s data protection regime seeks to lay the foundation for what could become one of the fastest-growing drivers for the country’s economy, and the DSL is its cornerstone.
Tiffany Wong is a project leader at Sinolytics and focusses on cybersecurity and tech regulations in China, as well as China’s industrial policy and geopolitical issues. Sinolytics is a highly specialised consultancy entirely focussed on China with offices in Berlin, Beijing, and Zurich. It provides in-depth research, expert analysis and strategic advice at the nexus of business and policy. It works with international companies operating in China, enabling well-informed China strategy development and decision-making.
The European Chamber collaborated with Sinolytics to produce the report The Digital Hand: How China’s Corporate Social Credit System Conditions Market Actors, which can be downloaded here: https://www.europeanchamber.com.cn/en/publications-corporate-social-credit-system