2021 was a pivotal year in the formation of China’s emerging data governance regime, with a flurry of new laws and regulations—most consequentially, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). Frameworks established by these pieces of legislation make clear that Chinese regulators aim to compel multinational corporations (MNCs) to pursue data localization—requiring data generated in China to be stored within China. With the country’s data regime finally taking form, government agencies have also begun to wield their newly acquired regulatory powers, conducting a string of high-profile data-related regulatory probes.
BALANCING SECURITY AND GROWTH
Beijing has long indicated that in terms of cybersecurity regulation, it is fundamentally motivated by national security considerations. In 2018, President Xi Jinping articulated the importance of stringent data regulation during a cybersecurity work conference, stressing that “there is no national security without cybersecurity,” and that data security regulation is essential to China’s national development.
Meanwhile, policymakers recognize the economic value of data and the important role of the digital economy in spurring growth and supporting the real economy. As emphasized during the Chinese Communist Party’s Sixth Plenum in November 2021, China remains committed to “coordinating development and security” to build a “secure but efficient open economic system.” In 2020, China officially introduced data as a fundamental national resource, a key factor of production alongside land, labor, capital and technology.
Beijing aims to strike a delicate balance between security concerns and development priorities, permitting the less-restricted flow of less sensitive data while limiting to varying degrees the export of important and personal data overseas. However, key definitions, including of what constitutes “important data,” remain vague and open to interpretation as government agencies are still determining their sector’s categorization processes. By contrast, regulators have been quicker and clearer in their efforts to define personal information.
While policymakers have signaled their caution in permitting data exports from the country, China has begun to gradually experiment with more liberal data export measures in a number of selected free trade zones (FTZs), including Beijing, Shanghai and Hainan, with the aim of establishing best practices for harnessing the economic value of cross-border data flows. In these FTZs, pilot projects have been tasked with exploring the security management of cross-border data transfers to develop a mechanism that can both facilitate the flow of data and guarantee security. Pilot reforms will continue at a gradual pace in 2022, allowing more outbound flows of data from selected data processors within these FTZs.
China also looks to expand the economic potential of data via the Shanghai Data Exchange (SDE); launched in late 2021, it allows participating entities to trade data rights as well as data products and services. Through the SDE, the government aims to explore innovative solutions for data ownership, data pricing, eligibility for participation and data security in the data exchange market. Best practices from the SDE trials will likely be applied to other regions.
As the definition and scope of personal information become gradually clearer following the passage of the PIPL in November 2021, Chinese regulators have ramped up enforcement efforts against excessive personal information collection. It is now increasingly routine for the Ministry of Industry and Information Technology (MIIT) and Cyberspace Administration of China (CAC) to conduct investigations into mobile application compliance concerning personal information protection and data privacy.
Since May 2021, mobile application operators have been prohibited from blocking users’ access to basic services if users refuse to let operators collect data beyond necessary personal information. Among the 2.44 million applications inspected by the MIIT in 2021, 2049 were found to have violated regulations and 514 were removed from Chinese app stores due to illegal collection and use of personal data, including ride-hailing giant Didi Chuxing.
HOW MNCS ARE REACTING
While some MNCs have adopted a “wait-and-see” approach, choosing to hold out and observe ongoing regulatory developments, many have started to assess how they will implement data localization plans—including assessing the data they handle and sorting data that is deemed sensitive or that could be defined by Beijing as “important data”—to comply with incoming regulation. Others, in more sensitive industries, have already begun to implement data localization plans in order to comply with regulatory demands.
For example, in May 2021, Tesla announced it would set up a site to store all car data generated within China. The move followed growing public and government scrutiny of the company’s handling of sensitive data and a tightening of regulation on vehicle data. In October 2021, Tesla subsequently opened a separate data center in Shanghai to store the company’s local manufacturing and operational data. Tim Hortons China, the company that manages the Chinese operations of Canadian coffee chain Tim Hortons, announced in August 2021 that it would create a separate entity in China to safeguard customer data prior to its listing plans in the United States. The decision was taken shortly after Chinese regulators launched an investigation into Chinese ride-hailing giant Didi’s domestic data practices two days after the company was listed on the New York Stock Exchange.
RECOMMENDATIONS FOR MNCS
- Establish an internal mechanism to comprehensively examine and evaluate corporate data assets and cybersecurity risks.
- Start preparing data localization plans, especially for personal information and any data classes likely to be defined as important data in incoming regulation.
- Monitor evolving data regulations to ensure compliance and identify regulatory trends.
- Explore opportunities to participate in outbound data transfer pilots in selected FTZs.
- Observe data exchange pilot practices and assess the risk of regulatory scrutiny from their home country prior to participation.