Cross-border data laws: The development of data regulation in China

March 20, 2025

China’s cross-border data legislation has posed challenges for businesses, but the government has recently made changes in an attempt to improve its function

Bio: Tom Nunlist is Associate Director at Trivium China, a leading China policy research consultancy. Tom’s research focuses on the intersection of politics and technology in China, with a specialty in data security and governance. Tom’s hands-on consulting work with Fortune 100 clients covers policy analysis, risk assessment, government relations and communications. 

In a time of growing geopolitical tensions and the rapid digitalization of all facets of life, data as a commodity has skyrocketed in importance. As a result, China has implemented a regulatory framework aimed at controlling the flow of data across its borders.

In this interview, Tom Nunlist, Associate Director of the Technology Practice at Trivium China, discusses the development of the framework, the compliance difficulties faced by businesses and regulators and how the Chinese government has adapted.

Q. Can you give a brief overview of how China’s cross-border data legislation has changed over the past five to 10 years?

A. The process started in earnest with the passing of the Cyber Security Law (CSL) in 2016. In the first few years after the CSL passed there was a period of formation where the government was trying to figure out what the legal framework for data security would look like. There was quite a lot of confusion at the time about definitions of data and what the requirements might be on businesses, so there was a waiting period for the framework to be filled out—and arguably some companies are still waiting. Since then, we’ve had two other major laws, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), which both came into effect in 2021, and a suite of other regulations that are intended to help clarify standards and the minutiae.

Where we are now, from the point of an inspiration to formulation to implementation process, is still not quite the final stage. It is certainly moving towards full implementation, but formulation and adjustment are still ongoing.

What we have seen over the last two years is the government moving to start enforcing the laws in a more serious way, particularly in relation to cross-border data transfer. This may have been a bit premature, as the result was that the initial enforcement didn’t really work for either businesses or regulators. In March 2024, they rolled back some aspects of the system and that has resulted in the environment that we’re in now, which is the shift towards pilot areas for enforcement in the country’s Free-Trade Zones (FTZs).

Overall, the bulk of the system is now in place, and highly unlikely to change in a fundamental way, but there are still some important kinks to be worked out.

Q. Can you briefly explain the basics of the data security system and the biggest challenges it presents?

A. There are two big parts: Personal Information (PI) and other data. The latter is regulated in a three-tiered system. At the bottom is “general data,” which is the largest proportion of data and can be freely transferred across borders as long as it is declared. Above that is “important data” and at the top is “national core data.” The rule of thumb, although I’m not sure it has ever been properly confirmed, is that anything that gets categorized as national core data can never leave the country. To date, the government has provided very little indication about what national core data includes.

Most companies, including foreign companies, will be dealing with PI and general data, and compliance requirements for these were substantially reduced by rules released in March 2024. The important data category is where some businesses find themselves facing difficulties if they operate in certain sensitive sectors. Important data can include things like mapping data used to train self-driving cars, and in order to transfer it across borders, companies need to complete a “Data Export Security Assessment.” These assessments are submitted to regulators, and issues such as the type of data, where it is being sent and what it will be used for are considered.

A good example is that Tesla wants to launch its Full Self-Driving services in China, but to do so the technology has to be contextualized for Chinese roads. One of the things holding this process back is that they will also want to use the data to train the system in their US data centers, but so far they have been unable to export the data from China to do that. It makes sense from the China perspective given the current geopolitical tensions with the US, but it is also a good example of a business that can’t push forward in China as easily due to the legislation.

Q. Do the rules present equal challenges to domestic and foreign companies?

A. It is certainly going to impact international companies more, because they are usually the ones that need to send data back and forth more often. From the perspective of an MNC, the ideal is that each aspect of the business has centralized functions. For example, managing cybersecurity is a global operation, and companies usually have staff stationed around the world so that somebody is always in a time zone that is currently in work hours, meaning they can monitor things while others are asleep. This tends to be the most cost-effective and safe way to do things.

But this approach is made much more difficult by China’s data regulations, which have essentially forced MNCs to look at China as somewhat separate from the rest of the world, meaning their related operations will have to be handled differently.

Prior to the changes last March, the rules heavily affected all companies, from SMEs up to large multinationals. But with the rollbacks, many SMEs no longer meet the thresholds that require advanced compliance steps. MNCs, on the other hand, are still affected, whether that be companies that have large quantities of personal data, such as retail or any consumer-facing business, or those working in sectors deemed sensitive.

Q. To what degree has China’s cross-border data regulation changed or been updated based on business feedback?

A. Business pushback has been a significant reason for the regulatory amendments we saw last March, and the government has clearly been listening to businesses. The cross-border data transfer oversight regulations that came out in 2021 were simply not manageable, and the response was to roll back the least tenable aspects of those regulations, and that appears to have been in a pretty direct response to business complaints.

Given China’s current economic needs, they want foreign businesses here, and the changes did a lot to resolve the issues of SMEs, which would have previously had massive compliance headaches but now don’t really have to think too much about it.

For larger companies, though, there are still some major barriers, and although there are continuous incremental changes around the edges, there hasn’t been as much progress as some of these companies might like.

Q. To what extent are the data transfer regulations applied differently in China’s free-trade zones (FTZs)?

A. The March rule changes gave formal license to China’s FTZs to experiment with how to implement the rules in a pilot system. Initially, the expectation was that the FTZs would quite quickly pursue some loosening of the rules, but that hasn’t necessarily been the case all around. There are examples of some loosening, particularly in relation to data thresholds and in the retail sector. The threshold at which you would then have to go through additional scrutiny has risen, especially for things like customer loyalty programs, but mostly in low-impact areas that lack a security argument.

But what has been interesting, particularly in terms of important data, is that because of a quirk in the way the laws are written, compliance has in some instances become more difficult. The March rules basically said that, unless a regulatory body stated that something was important data, then it wouldn’t be considered as such—this relieved a lot of stress for companies that were unsure whether they had important data or not.

But since then, each of the FTZs has started compiling its own “negative lists” of important data, specifying what does and does not need extra scrutiny, and these lists differ between the FTZs and from the nationally specified list as well. As a result, some of the FTZs are technically more tightly regulated than elsewhere in the country. The clearest case has been with automotive data in Beijing’s FTZ, where, although there was a separate national list laid out by the CAC, the zone took that list and added wholly new categories to it.

It is quite likely that the FTZ lists will be amalgamated into the national lists at some point, but for now there is quite a lot of inconsistency.

Q. How would you suggest the regulations should be updated in order to make it easier for businesses to operate?

A. There is actually something that the government is already doing. We have recently seen the governments responsible for the FTZs in Beijing, Shanghai and Hainan start to use the same format of negative list, and hopefully this alignment will start to make things a little clearer. It’s not perfect, because it would seem sensible to just roll this out nationally and make it consistent everywhere, but it is a step forward.

There is also a certain level of having to be careful what you wish for when it comes to changes, because once some sort of national negative list has been compiled, it may be much stricter than it is now in relation to identifying important data, and that might not be something that companies will find easy to deal with.

This could also have negative repercussions for the government, affecting foreign companies’ willingness to operate or store data in China. There is a pilot program allowing foreign companies to operate wholly owned data centers in the country to help assuage concerns, but there is still the problem of hived-off China operations.

Q. To what degree are China’s cross-border data regulations different from those elsewhere in the world?

A. The overall data security project didn’t happen in a vacuum—countries everywhere are grappling with the same underlying data security concerns. China has really led the world in this area and it seems likely that other countries will adopt some sort of similar system of data regulation. Vietnam, for example, has recently adopted a data security law very similar to China’s. I would think that China is quite happy with the notion of pioneering something like this, but as a result, it has also incurred costs that others may be able to avoid in the future.
