"Data is the new oil. It's valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc to create a valuable entity that drives profitable activity; so must data be broken down, analyzed for it to have value." — Clive Humby, 2006.
Many people ranging from Angela Merkel to Jack Ma have made similar points as to the similarity between data and oil.
It is not surprising – oil drove the 20th century by enabling mass shipping and mass manufacturing. Data is at the heart of the 21st century's digital economy. Data makes life more convenient, more entertaining and more efficient.
However, it is not all upside. This modern, interconnected world has given rise to new dangers. Hackers can break into systems to steal information, bank details, bring down targeted websites, access government websites etc. Our private information can be used to manipulate our purchasing decisions, social attitudes or even how we vote or think.
Like data the risk is expanding exponentially. Infrastructure is operated exclusively online. People obtain most of their news from social media. Information which is innocuous by itself can be geo-politically significant if gathered en masse. Our devices connect to the internet and to each other. Soon our cars will be driving us around.
This modern world brings a lot of convenience …. but also a lot of vulnerability. How to deal with it?
China's Balancing Act
"If you open a window for fresh air, you have to expect some flies to blow in." – Deng Xiaoping
Information and communications technology is both key to economic development but also a critical challenge to global and national security. Cybersecurity is an issue across all sectors and across all countries. China is no exception.
Globalization was fuelled in part by mass manufacturing and mass shipping but also by governments around the world removing restrictions on the movement of goods and harmonizing standards.
This is not happening in respect of sensitive cybersecurity and mass data projects. Governments are building walls to protect their critical infrastructure and restricting the movement beyond their borders of mass or sensitive data.
However, all countries including China will need to balance the advantages of a data economy (economic development, technological advancement and security) with its potential downsides (cyber-attacks, breaches of state secrets, misuse of personal data etc.).
To this end the PRC authorities issued a raft of data related laws in relatively quick succession to address these concerns including the PRC Cybersecurity Law (2017), PRC Data Security Law (2021), PRC Personal Information Protection Law (2021), PRC Provisions on Management of Automotive Data Security (2021) etc.
Many commentators expressed concern that these regulations were aimed at foreign owned businesses operating in China. However, this does not seem to be the case. Since the Cybersecurity Law came into effect enforcement actions have been primarily against PRC tech giants. Foreign companies are just not important enough to warrant much attention. Also there have not been any credible published cases of Chinese authorities forcing access to technology backdoors or stealing of foreign company data.
What are the Goals?
Based on experience to date the main goals of China's data related legislation appears to be:
Safe and secure technology and systems to safeguard the national interest, secure social stability and protect crucial infrastructure
Protecting the privacy and dignity of Chinese citizens
Goal 1: Safeguarding national interests, social stability, crucial infrastructure
Overview – The relevant laws center on State Secrets (revised in 2010), Cybersecurity and Data Security.
State Secrets – Companies must be cautious when conducting information gathering activities in China in respect to sensitive topics. It should be noted that the same piece of information may be considered both a state secret and a commercial secret.
State secrets have a wide scope, including (i) matters that have a vital bearing on State security and national interests, and the leakage of which may impair the security and interest of China's national politics, economy, national defense or foreign affairs; and (ii) information classified as State secrets. It should be noted that PRC authorities have wide ranging discretion and also follow internal policies that are not publicly available. If a company is dealing with data containing State secrets then it must be at pains to follow the strictly set procedures. State secrets can cover a wide variety of confidential data including production forecasts for SOEs (especially energy or agricultural), SOEs' contractual negotiating position, large scale infrastructure plans, geological surveys, sensitive technology (especially defence related) etc.
Cybersecurity – China's Cybersecurity Law was China's first comprehensive law to address cybersecurity regarding establishment, operation, maintenance and use of cyber networks within China.
The Cybersecurity Law sets forth a series of requirements and obligations on "network operators" for cybersecurity, introduced the concept of "critical information infrastructure operators" (CIIO) and set specific rules for providers of network products and services. The law defines "Cybersecurity" broadly, it includes security for internet, data, communications, computers – not just IT.
The level to which a company is affected will depend largely upon whether you are a CIIO or a network operator.
CIIOs are enterprises where a breach would pose a real threat to national security or the public interest. These are the major companies at the heart of modern society – financial sector, infrastructure, energy. Few foreign companies will be at this heart.
Network operator is not a clearly defined term but the law only sets reasonable requirements in respect of network security, government supervision and social responsibility such as cybersecurity protection measures, development of emergency plans for cybersecurity events, implementing real-name system for customers, providing public security and national security authorities with technical support/ assistance to safeguard national security and fight crime, inform authorities of serious leaks or loss of personal information, etc.
Data Security - The Data Security Law established data protection obligations and protection scheme and it also clarifies China's extraterritorial reach – so China law enforcement agencies can take measures to safeguard sovereign integrity and protect security of relevant information, documents and data within China.
Actions for MNCs – the MNCs in China likely to be affected by this set of laws are those (i) handling highly sensitive information that touches on national interests; or (ii) providing cyber products or services to companies operating in sectors related to fundamental PRC national interest (i.e. financial sector, infrastructure, large SOEs, large CIIOs); or (iii) dealing in mass amounts of data – the Auto Data Rules specifies 100,000 data subjects.
Accordingly, such MNCs will need to be careful in dealing with data containing State secrets and may face uncertainty in respect of sales of such related products and services and formal execution of contracts and indeed supplies may be complicated. Similarly, MNCs need to ensure their data processing and management activities are compliant and do not breach PRC security measures. It would be important to classify customers according to cybersecurity review requirements. In particular, it is important to establish if they are a CIIO or a sensitive SOE. In some cases, MNCs will need to undertake a cybersecurity security review to ensure they are eligible to supply sensitive customers.
Goal 2: Protecting the privacy and dignity of Chinese citizens
Overview – PIPL provides individuals with more rights over the use of their data – Individuals will need to actively consent to their data being used. In addition, individuals will obtain supervisory rights over their data including right to correct, restrict or remove their data as well as knowing who has access to their information, what they are doing with the data and which other parties will gain access to such data.
Actions for MNCs – If a Western company is doing business in or with China then it is highly likely to be affected to some degree. If the Western company's China business is already GDPR compliant then some adjustment is required but most of the heavy lifting would already have been done. If no personal data management is in place in the China operations then a lot more work awaits.
Companies most likely to be affected by PIPL are:
China's tech giants – these are companies that manage and access enormous amounts of personal data. Recent events show that the Chinese authorities are keen to ensure these companies manage personal data responsibly.
Foreign Companies Reliant on China's Tech Giants – if you are reliant on the tech giants (i.e. ecomm sales; SaaS; gaming) then expect the tech giants to be the gate keepers – your non-compliance will be their non-compliance. And they really do not want to be non-compliant so vigorous vetting is expected. This may be an unexpected issue for foreign companies that have been operating offshore beyond the application of Chinese regulations. PIPL applies extraterritorially.
Consumer Facing Companies – China's consumers are increasingly active in holding companies to account. The growth in social media, use of internet and consumer protection laws means consumer complaints and lawsuits is an increasingly expensive and risky aspect of doing business in China for consumer brands.
Foreign companies Handling Mass Personal Data – companies with sizeable China consumer facing business may well face barriers to transferring personal data overseas. Although no official threshold has been announced it is likely to be triggered if more than 100,000 data subjects and a lower threshold if sensitive personal information is involved. The treatment will be similar to the restrictions on cross border data transfers(security assessment).
Foreign companies Handling Sensitive Personal Data – even if the company does not deal with mass levels of data special measures will be triggered if the company is dealing with sensitive personal information. This could impact 1) education – if you are collecting personal information of minors under age of 14; 2) healthcare – if you are collecting or transferring health data or biometric data; 3) fintech – if dealing with financial data; 4) location tracking – this may be the one that leads to the most unforeseen problems as it could be problematic for many tech companies that rely on geo-mapping ranging from digital marketing; mapping; autonomous cars; ride hailing apps etc.
Using Biometric Personal Data – in addition a sensitive area is if a company uses or collects facial recognition, fingerprints, voiceprints or other biometric data from consumers or employees. This is a sensitive area for the government and individuals alike. As more and more APPs rely on biometrics it will be important to ensure individuals have a choice how to authenticate who they are and also how the collected data will be used.
China's legal framework in relation to data will impact Western companies if 1) they are providing services or products to critical information infrastructure; 2) if they deal with sensitive information – this is not limited to national defense but can also be economic information related to SOEs; 3) if they deal with mass amounts of personal information; or 4) if they transfer sensitive personal data.
In most cases there are solutions – if you wish to sell to CIIOs then you may need to undergo a security assessment indirectly; if the data is sensitive you may need to keep the information within China and may lead to duplication of infrastructure; if the information is personal data then you may need explicit consent.
It is important to note that the laws do not seek to single out Western companies – the laws apply to Chinese and foreign companies alike. Indeed, as Chinese companies are more at the heart of critical information infrastructure and more likely to deal with mass amounts of data they are clearly subject to much more scrutiny.
For most companies the data laws will be a manageable part of being compliant. Generally, all that is required will be reasonable corporate good governance. However, companies should be alert to red flags of State secrets, CIIOs and mass amounts of data as the potential consequences for non-compliance could be severe.