Navigate the complexities of China's personal data regulations

European companies are waiting for clarity on the legislation on personal data

China, the world's largest emerging economy, and the EU, the largest trading bloc, are key global players. In 2022, China was the EU's third largest partner for goods exports (9.0%) and first for imports (20.8%). While the size of the Chinese market offers huge potential for European business and investment, doing business in China has never been a walk in the park, especially when it comes to personal data governance. In recent years, China has enacted several regulatory reforms regarding how it handles data, including cross-border data transfers in 2022 and exports of personal information in 2023. A number of existing laws – the Cybersecurity Law (CSL) of 2017, the Data Security Law (DSL) of 2021 and the Personal Information Protection Law (PIPL) – constitute the key legislative framework on privacy and data security. For many years, Chinese regulators and standards bodies have sought to improve the protection of personal information and important data. However, despite recent legislative changes, China's data regulation continues to pose significant operational and compliance challenges for potential investors and foreign – not just European – companies operating in the country.

The European Chamber's survey on the consequences of Chinese data regulation highlights that the vast majority (96%) of European companies' cross-border data transfers consist of internal transfers to headquarters (HQ) or other regional offices. As a result, the risk associated with data protection is relatively low. However, the impact of current data regulations can be significant, forcing many companies to undergo a regulatory security assessment (30%), resulting in increased compliance costs (59%) and pressure to localize data, information technology (IT) systems or operations as a whole (41%).

Uncertainty remains

Recent legislation – which includes China's amended Anti-Espionage Law as well as the new Foreign Relations Law – also indicates a growing focus on national security across a broad range of sectors, pushing businesses to exercise even more caution. In an increasingly politicized business environment, the challenges of navigating the complexity of Chinese regulations are set to increase.

Regulatory ambiguity means uncertainty remains a key feature of China's business environment, at a time when China's faltering economic recovery presents worrying challenges for the coming years, particularly with the looming property crisis and low youth employment rates.

Indeed, these data regulations lack clarity, particularly in defining the scope of terms such as “important data”. For example, there is not yet a publicly accessible catalog outlining the specifications of “important data”, although this has been mandated by the DSL. Clarity on the definition of “important data” is critical, as it underpins the onerous requirements to undergo special cross-border data transfer mechanisms, such as additional security assessments.

Operational challenges

The overly stringent requirements are also increasing operational burdens for European companies transferring data outside of China as part of their international business operations. For example, regulatory security assessment thresholds are relatively low, especially for large multinationals that handle huge volumes of customer or employee data. As a result, many companies that have triggered such regulatory security assessments have been affected by the thresholds for transferring personal information overseas. This leaves many companies to evaluate their data compliance maturity levels, considering the severe penalties under the Data Security Law for mishandling data.

In terms of cross-border data transfers, the European Chamber's survey on data regulation, published in November 2023, finds that personal information of employees represents the majority (78%), followed by personal information of suppliers and customers (67%). This means that the exemption for data transfers necessary for human resources (HR) or contract performance could be of great benefit to the European business community, as 65% of respondents said they transfer data across borders for one of these two reasons.

What will be the future of cross-border data transfer?

In response to growing concerns from the business community, Chinese authorities have taken steps to improve data management regulations. In August 2023, the State Council released 24 guidelines to optimize China's foreign investment environment to attract more foreign investment. These guidelines also recommend optimizing security mechanisms for cross-border data flow. For example, it is proposed to start experimenting with creating a list of general data allowed to flow freely in some cities and regions in China, including Beijing, Shanghai and the Greater Bay Area.

A first draft of provisions on promoting cross-border data flow, published by the Cyberspace Administration of China (CAC) in September 2023, reinforces these positive signals. The draft specifies a list of exemptions from the relevant obligations and provides a little more clarity on how to verify what is considered by authorities to be “important data”. The draft provisions above could significantly mitigate data-related regulatory risks, introducing a more transparent approach to regulation and boosting investor confidence. However, careful analysis of their full impact is still required, which will largely depend on the practical implementation of the relevant thresholds. Given that the CAC and other regulators retain the authority to determine when a company holds “important data”, these developments would not completely eliminate data-related regulatory risks, but would significantly lower them.

A call for clarity

With tightening control over domestic data and cross-border transfers, it is clear that China's ultimate goal is to increase national security. However, this also leads to the conundrum of regulators having to balance two conflicting objectives: improving data security measures and promoting economic growth.

So far, the impact on business strategies has been limited. Only a minimal share of survey respondents are considering or have already made investment shifts outside of China as a result of data regulation reforms. While data regulatory reforms have strengthened some companies' data protection mechanisms, rising compliance costs and pressure to localize data systems are significant negative factors. While some companies are evaluating their options, Chinese authorities still have the opportunity to intervene. Considering the slow pace of economic recovery in China, addressing these compliance concerns over data regulation may be more conducive to attracting needed foreign investment into China.

By: Attorney Carlo Diego D'Andrea, Vice President of the European Union Chamber of Commerce in China