In June 2017, China’s newly-established cybersecurity law came into effect. The law refines rules about personal information protection and related sanctions, and defines rules about cross-border data transmission. The establishment of the law standardises network operators’ rights and duties in Chinese cyberspace, and sets forth clear guidelines regarding data use both for local companies and international brands operating in China. Should these new laws be cause for concern for Western multinational brands and tech companies?
Data management in Chinese cyberspace is no longer a grey area
The new law standardises previous regulations and obligations, and transforms them into actual legislation. It reveals network operators’ obligations, namely to guarantee the security of their network products and services. If any risks are discovered, such as security shortcomings, providers must take immediate action. The law also dictates specific requirements that are directly imposed on operators, including recording network operation, categorising data, encrypting data and preserving relevant web logs for at least six months.
Who are exactly the “network operators” mentioned above?
The phrase refers to network owners and administrators, like telecom companies, but also network service providers who use networks owned and managed by others to offer relevant services – including information. Commercial sites with ICP Licenses like e-commerce platforms, non-commercial sites with ICP Registration Record like official brand sites, and online news sites are all considered to be network operators.
Protecting personal information is central to the new law
In the Chinese netizens’ rights protection report 2016 published by the Internet Society of China, it is estimated that in the past year, spam SMS, scam information and personal information leaks were responsible for a loss of 91.5 billion yuan and affected 688 million Chinese netizens nationwide. Personal data protection is becoming an urgent matter. This law and the importance it gives to personal information protection were triggered by a scandalous fraud case in which a Chinese student died from a heart attack after falling victim to fraud following her personal information being leaked.
The law doesn’t clearly define “personal information”, but it is generally considered to be individually identifying information – similar to the Western concept of “ PII“. The new legislation mentions principles of “legality, rightfulness and necessity” with regards to using personal information. The law strictly limits collecting, transferring, and otherwise exploiting personal information gathered by network operators:
- Rightfulness and necessity: personal data collection should be relevant to the service provided;
- Legality: personal data collection must not violate any law or regulation;
- Strict privacy: divulging or damaging personal information is strictly prohibited;
- Prior consent: operators are required to obtain consent from individuals in question when collecting personal information or sharing personal data with a third party;
- Sanctions: operators who fail to uphold cybersecurity protection standards may face a fine of up to one million yuan (about €130,000*).
After the incident that led to this law, the Chinese government set up a special investigation group to investigate the growing problem of personal information leakage. Many big data companies were involved as some of them might have crossed the line. Just before the cybersecurity law came into being, the VP of a listed big data company (Datatang) was under arrest and to be investigated.
Is free data movement over?
The new rules about cross-border data transmission are a source of worry for all international companies based in China. The law stipulates that “personal information and important data collected and produced by critical information infrastructure operators during their operations within the territory of PRC shall be stored within China.” This clause led to many discussions, as it made companies nervous. Regarding this controversy, a spokesperson from China’s Office of the Central Leading Group for Cyberspace Affairs clarified during a press conference: “Cross-border data transmission is not forbidden, but it requires authorisation from the government and from users beforehand.” Despite protests by certain global companies concerning these recent clauses, it is undeniable that cross-border data transmission has been a topic of discussion for many years in the legal sphere, particularly in the Western world. As early as 2009, the EU’s famous “E-Privacy Directive”4 was passed, which sets forth similar principles as the Chinese law regarding consent. Today, the EU-US Privacy Shield framework allows US companies to operate data services cross-border, as long as their transatlantic data exchanges conform to EU and Swiss privacy laws.
The new data storage rule could have a profound impact on data strategies and the organisation of many multinational groups in China. Several tech giants, including Apple, were quick to comply with the law. Recently, Apple announced that it would be creating a new iCloud data center in Guizhou, China, which will ultimately mean that Chinese Apple users’ iClouds will be eventually stored in China.
The design of this Chinese cybersecurity law is based on the specific local context, and aims at adapting the law to an ever-developing digital society. Consumer data is becoming increasingly important in business affairs for strategic corporate decision-making, product development, and effective marketing and sales. Multinational companies like Procter & Gamble actually taught Chinese business for data-driven decision making over the past 3 decades since they started operating in China in the late 1980s. This long-awaited data law paves the way for a new racing track for all players in the digital space. We have seen very quick responses from MNCs to adapt in the past months, including from Apple as above mentioned. As a specialised data consulting company, 55 helps brands customise and develop effective digital and data approaches in China, as part of their global customer strategy. Get in touch with us to achieve quick wins and to build long-term data assets to fuel growth in China.
*About £114,000 or $152,000