Cybersecurity Asia: People's Republic of China to treat data security as matter of national security

The People's Republic of China (PRC) unveiled two pieces of draft legislation this year that will, once passed, elevate the conversation around cybersecurity from an issue of corporate compliance to a matter of national security.

The PRC economy is becoming increasingly digitalised, with the government placing ever greater importance on digitalisation as a means of driving economic growth. The digital economy accounted for 36.2% of GDP in 2019, reaching 35.8 trillion yuan ($5.47 trillion), according to a report from the China Academy of Information and Communications Technology published in July.

The State Council, meanwhile, announced in April that, for the first time, data would be considered a key production factor, alongside traditional areas such as human resources, capital, land, knowledge and technology. But as data becomes ever more important to the country’s economic development, so too does safeguarding that data from internal and external threats.

The Standing Committee of the National People’s Congress published the draft Data Security Law (DSL) on 2 July 2020. While the DSL covers a broad spectrum of data security definitions and requirements – including personal data – the government also unveiled the draft Personal Data Protection Law (PDPL) for public consultation on 21 October.

Once passed, the DSL will be the PRC’s first designated data security law, while the PDPL will become the country’s first comprehensive law on personal data protection.

These draft laws are part of an overarching evolution in the country’s data security landscape, which started with the implementation of the Cybersecurity Law (CSL) on 1 June 2017. While the new drafts propose higher cybersecurity standards, the real shift lies in the PRC government’s desire to see that data generated within the country’s borders stay within those borders.

Multinational companies with Chinese operations may not only need to locate servers and relevant personnel physically within the PRC, but they must also be ready for the advent of tougher limits on data exports as well as a potential national security review when implementing data transactions.

Legislative shift

The CSL marked a shift in the mainland government’s thinking around cybersecurity, introducing data localisation requirements for critical information infrastructure operators (CIIOs). In addition to requiring these network operators to store locally generated data that was deemed to be "important" on domestic servers, the CSL also required CIIOs to conduct security assessments before allowing the export of such data to foreign jurisdictions.

… national security [has] become a catch all for governments to extend control over the digital space."

Both the DSL and PDPL deepen these requirements, aiming to set out a more developed regulatory environment to oversee data localisation and transfers overseas.

One of the DSL's main themes is that data security and national security are inextricable interwoven. Guohua Zhang, managing partner and co-founder of Osborne Clarke's office in the PRC, said: "There has been a growing trend around the world that has seen national security become a catch all for governments to extend control over the digital space and, in many ways, this draft law is a direct response to those developments."

The DSL in its current form will require various government departments to sort data into categories – including critical data, state secrets and personal information – based upon their impact on national security, the public interest and individual, or corporate interests. Moreover, all data export requests in relation to foreign criminal or regulatory proceedings that involve individuals and companies in the mainland must first be vetted by local authorities.

the next test will be learning to filter data security through the lens of national security."

Personal data will fall under the purview of the PDPL, which has also proposed more expansive data localisation requirements than the CSL. Moreover, Chinese regulators will be required to conduct a security assessment for any cross-border data transfer involving CIIOs or large amount of personal information.

Zhang said: "While companies have adapted their cybersecurity systems to comply with CSL requirements, the next test will be learning to filter data security through the lens of national security."

Local focus

Joy Wu, legal and compliance director at appliance manufacturer Vorwerk China, said the biggest challenge for many multinationals would be to adapt to the new data localisation requirements.

She said: "The introduction of the CSL prompted us to discuss the relocation of our servers from the European Union to China and we have started that process."

"While the DSL is unlikely to affect our day-to-day operations dramatically, given that we’re already compliant on personal data requirements such as consent and transparency, relocating our servers and establishing a local IT support base is naturally a costly process."

Vorwerk decided to transition its IT facilities owing to its customer-facing nature. "Vorwork wanted to secure a level three cybersecurity certification from the government, which was only possible by relocating our servers containing customer and employee data from the EU," she explained.

We'll have to invest more in our human resources, both legal and IT, in order to ensure we comply with the new implementation rules."

Companies seeking higher cybersecurity ratings from the government must submit a certification of their IT infrastructure by a local third-party IT specialist.

A private counsel to an internet technology multinational, who we refer to as "Danny", agreed that managing compliance issues would have an inevitable impact on the cost of operations.

He said: "The PDPL is still too high-level in nature to be absolutely sure how it will affect day-to-day operations, but ensuring compliance will inevitably cost more. We’ll have to invest more in our human resources, both legal and IT, in order to ensure we comply with the new implementation rules and regulations as they are released."

Wu, meanwhile, said her company had also started mulling the implications of the drafts’ restrictions around on cross-border data sharing. The company’s appliances have traditionally shared customer submitted recipes across its global network of devices. However, the changes proposed by the DSL and PDPL drove Vorwerk to rethink how data is shared across its network, with the company now looking at ways to purge customer identifiers from shared submissions.

There are some similarities between China's approach to cybersecurity and GDPR."

Outside of the extra-territorial jurisdiction of the draft DSL, there may be fewer regulatory surprises for companies on the ground in the PRC than have been widely predicted.

Outlook

Both Danny and Wu were relaxed about the new DSL and PDPL drafts, noting that the former was still too high level in nature and required rules of implementation for greater clarity while the latter's general data protection requirements were already widely followed.

Danny said his company had already encountered bigger cybersecurity challenges abroad and that domestic changes were unlikely to disrupt the company's operations.

He said that the General Data Protection Regulation (GDPR) had set an extremely high threshold for he company in Europe. "We've been able to capitalise on that experience at a global level," he added. "There are some similarities between China's approach to cybersecurity and GDPR, which makes sense given that Europe is a mature cybersecurity market, and this has given us a head start."

Danny added, however, that eventual PDPL guidelines were unlikely to follow Europe's rules in full. The European approach to cybersecurity legislation has attracted criticism from some quarters that it constrains growth opportunities for the European tech industry.

It will be also interesting to see how the different sectors‚ especially data heavy industries such as banks, e-commerce, etc. adapt to this escalation of data protection to national security."

Danny said the GDPR's broad approach was unlikely to be replicated by the PRC government, given that the sector has been highlighted as a key pillar of economic development. He added: "GDPR is overly broad in nature and is impractical at a business level. The mainland government will likely balance data protections without going to extremes, ensuring companies can still grow as they embrace new cybersecurity norms."

Zhang echoed this sentiment, saying: "Europe doesn't have any tech giants and its regulatory approach reflects this fact. The PRC wants to balance the need for greater data protection with its desire to grow its data markets."

He added: "It will be also interesting to see how the different sectors especially data heavy industries such as banks, e-commerce, etc. adapt to this escalation of data protection to national security. One can never be too cautious when it comes to approaching such regulatory issues and being proactive on this front will be essential."