European Businesses await clarity in data regulations
This article was originally published in Italian in Panorama on 15th February 2024.
Please note that this is a courtesy translation of the Italian language article originally published in the Panorama Magazine Issue at: https://www.panorama.it/economia/navigare-complessita-norme-cina-dati-privacy
Navigating the Complexities of China’s Data Regulations
China — the world’s largest emerging economy, and the EU — the biggest trading block, are both key global players. In 2022, China was the third largest partner for EU exports of goods (9.0 %) and the largest partner for EU imports of goods (20.8 %). Although the sheer size of the Chinese market has huge potential for European business and investments, doing business in China has never been a walk in the park – especially when it comes to data governance. In recent years, China has issued several regulatory reforms on the way it governs data, including cross-border data transfers in 2022 and the export of personal information in 2023. A series of existing legislation –the 2017 Cybersecurity Law (CSL), the 2021 Data Security Law (DSL) and the Personal Information Protection Law (PIPL)- constitute the fundamental legislative framework for data privacy and security laws. China’s regulatory authorities and standard-setting bodies have sought to improve the protection of personal information and important data for many years. But despite recent legislative amendments, China’s data regulations continue to pose significant operational and compliance challenges for potential investors and foreign businesses – not only European - operating in the country.
As a significant challenge, the European Chamber’s survey on the impact of China’s data regulation outlines that the overwhelming majority (96%) of European companies’ cross-border data transfers are internal transfers to the companies’ headquarters (HQs) or other regional offices, therefore the associated risk for data protection is relatively low. However, the impact of existing data regulations can be significant, with many companies obliged to undergo the regulatory security assessment (30%), bearing increased compliance costs (59%) and facing pressure to localise their data, information technology (IT) systems or operations altogether (41%).
Uncertainty remains.
Recent legislation -including China’s amended Anti-espionage Law and the new Foreign Relations Law - also indicates an increasing focus on national security across a widening scope of areas, which is prompting businesses to exercise even more caution. Given the increasingly politicised business environment, challenges with navigating the complexity of China’s regulations is only set to increase.
Ambiguous regulations means that uncertainty remains a key defining feature of China’s business environment, at a time where China’s faltering economic recovery presents worrying challenges for the coming years – particularly with the looming property crisis and low youth employment rates.
But these data regulations lack clarity, particularly in defining the scope of terms such as ‘important data’. For example, a publicly accessible catalogue outlining the specifics of ‘important data’ is still unavailable, despite being prescribed by the DSL. Clarity on the definition of ‘important data’ is crucial, as it underpins onerous requirements to undergo special cross-border data transfer mechanisms such as extra security assessments.
Operational Challenges
Overly stringent requirements are also exacerbating operational burdens for European businesses that transfer data outside of China as part of their international business operations. For example, the regulatory security assessment thresholds are relatively low, especially for large multinational corporations that handle huge volumes of customer or employee data. As a result, many companies that triggered the regulatory security assessment were caught by the thresholds for transferring personal information overseas. This leaves many businesses assessing their data compliance maturity levels, considering the severe penalties for mishandling data under the Data Security Law.
In terms of cross-border data transfers, the European Chamber’s data regulation survey published in November 2023 finds that employees’ personal information accounted for the majority (78%), followed by suppliers’ and customers’ personal information (67%). This indicates that the exemption for data transfers that are necessary for either human resources (HR) purposes or for performing a contract could be of great benefit to the European business community, given that 65% of respondents transfer their data across the border for these two reasons.
What Next for Cross-Border Data Transfer?
In response to mounting concerns from the business community, the Chinese authorities have taken action to improve data regulations. The State Council released 24 guidelines to optimise China’s foreign investment environment to attract further investment in August 2023, which also recommended the optimisation of security mechanisms for cross-border data flow. For example, it called for certain cities and regions of China—including Beijing, Shanghai and the Greater Bay Area—to pilot the creation of a list of general data permitted to flow freely.
Further draft provisions on promoting cross-border data flow published by the Cyberspace Administration of China (CAC) in September 2023 reinforce these positive signals. It specifies a list of exemptions to relevant obligations and provides a little more clarity on how to verify what is considered by the authorities as ‘important data.’ The proposed draft provisions could significantly lower data regulatory risks, presenting a more transparent approach to data regulation and boost investor confidence. However, careful analysis of their full impact is still necessary, as it will largely depend on the practical implementation of the relevant thresholds. Given that the CAC and other regulators still retain the authority to determine when a company has ‘important data’, these developments would not completely eliminate data regulatory risks but only significantly lower them.
Call for Clarity
As China tightens its grip on domestic data and cross-border data transfers, it is clear that the end game is to increase national security. However, this also leads to the conundrum of regulators balancing two conflicting targets: enhancing data security measures while promoting economic growth.
So far, the impact on companies’ business strategies has been limited. Only a minor share of surveyed respondents are considering shifting, or have already shifted, investments out of China as a consequence. While the data regulation reforms have strengthened some companies’ own data protection mechanisms, increased compliance costs and pressure to localise data systems are major detrimental factors. As some companies are weighing their options, the Chinese authorities still have the opportunity to take action. Considering China’s slow economic recovery momentum, perhaps addressing these compliance concerns on data regulations will be more conducive to attracting much needed foreign investment in China.
Edited by: Lawyer Carlo Diego D'Andrea, Vice President of the European Union Chamber of Commerce in China