Many companies are having difficulties navigating the data categorization process within China’s data laws
Data is a critical part of the global economy, but businesses in China are wondering how to navigate the increasingly complicated regulatory environment in the country, following news that only a small portion of cross-border transfer applications are being approved.
China’s stringent data laws, which have been progressively introduced over the last seven years, are similar to those implemented in other countries, but there are concerns over implementation, interpretation and transparency, presenting challenges for multinational corporations (MNCs) and Chinese firms with global ambitions.
“Everyone operating in China is impacted to some degree,” says Tom Nunlist, Associate Director at China-focused research and consulting firm, Trivium. “It’s a large legal framework and companies are having to deal with the requirements in different ways and for different reasons. But for many, especially larger, companies there is still confusion around what exactly is required of them.”
By the book
In 2023, according to a People’s Daily estimate, the digital economy’s contribution to China’s overall GDP reached 42.8%, and it is therefore no surprise that the country’s leadership has increased its focus on regulating data. Under the purview of the Cyberspace Administration of China (CAC), China’s data laws are underpinned by three main legislative pillars: the 2017 Cybersecurity Law (CSL), and the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), both introduced in 2021.
The CSL regulates the use, storage and cross-border transfer by companies of personal data along with other data management practices. The DSL aims to protect the security of processed data, doing so through classifying data by level of importance in terms of national security. The underlying principle of the PIPL is the need for user consent.
China’s data laws are perceived as being extremely stringent, but while they do pose challenges for businesses, the fundamental building blocks align with the European General Data Protection Regulation (GDPR). “If a company is GDPR compliant then they have already done about 80% of the work in meeting China’s requirements,” says Alex Roberts, Partner and Head of China TMT at Linklaters. “There are particular aspects that differ in China, such as requirements for separate consent, but the GDPR is very much the underlying model.”
The Chinese legislation puts greater emphasis on the need for data to be stored locally (data localization), data classification and particularly stringent regulation of cross-border data transfers, contrasting with the GDPR’s more flexible approach to international data flows.
While some US states have enacted similar legislation, the federal government has yet to codify laws that act in a similar way to the Chinese and EU rules. “The US is a bit of an outlier and it’s actually a case of them having to catch up with the other two,” says Roberts. “Some drafts have come through, but nothing has been finalized.”
Red tape
As with many aspects of Chinese legislation, there are concerns over a lack of clarity in some of its requirements. What constitutes personal data, for example, is quite easy to understand. However, the DSL splits data into ‘national core data,’ ‘important data’ and ‘ordinary data.’ ‘National core data’ is defined as data related to national security, economic interests, Chinese citizens’ welfare or the public interest, and is seen as the most sensitive data type. ‘Important data’ is seen as the second most sensitive data type but what exactly falls into this category is unclear.
“What is considered important or sensitive data can be hard to work out and might fall anywhere on a spectrum,” says Nunlist. “There are cases where it is clear that you don’t have it and somewhere it is definitely sensitive, but there are any number of companies in between where it is unclear.”
While some personal and sensitive data must be stored domestically, data export is possible, but the requirements to do so vary depending on the type and quantity of data held. Exporting data over certain quantitative thresholds requires a security review by the CAC or affiliate, but queues for approval can be long.
In March 2024, the CAC clarified rules on the process of classifying important data, requiring companies to begin by creating a descriptive inventory of their data and identifying whether or not they think they have important data. If it is deemed to be so, and the company wishes to export the data, it will have to go through data export security assessments, which again can be challenging and take a large amount of time.
Another option for larger MNCs looking to transfer personal data internally is to gain an export certificate. The third option, for companies seeking to transfer data under a certain quantitative threshold, is to conclude a standard contract that has been drawn up by the CAC.
“A key part of the contract is that it stipulates that Chinese law applies to the agreement,” says Rogier Creemers, assistant professor in the Law and Governance of China at Leiden University, and co-founder of DigiChina, an initiative with Stanford University. “It sounds like a simple solution, but it has led to cases of organizations in the West receiving a contract to sign from a Chinese firm and having no idea what to do with it and an unwillingness to put in quite a large amount of effort and agree to the terms. There have been some exceptions added for some companies, such as Air China, to export passenger details without the contract.”
According to Nunlist, there is a perception among many law firms that companies don’t need to be proactive in their applications, but the March update clarified that although a company can keep operating until the identification process is complete, it is responsible for initiating the process. “But that also leads to an area of uncertainty,” he adds. “The government is telling companies that they need to take steps, but it is not clear how quickly or what would count as dragging your feet.”
There are a number of local or regional regulatory bodies responsible for conducting the data categorization process, including local governments or specialized centers in some of China’s special data pilot zones located in the country’s free trade zones (FTZs). This can make operating across jurisdictions increasingly complex, particularly if different definitions are adopted.
“The lack of enforcement uniformity and stability makes it difficult for international companies to understand what is required of them,” says Cai Peng, Partner at Zhong Lun LLP. “It has led to companies incurring large costs through engaging specialists.”
The lack of clarity can also lead to officials either denying or sitting on applications for fear of approving something that could later turn out to be important data.
Toeing the line
International firms operating in Western markets, and particularly within the realm of the GDPR, have had significant experience in dealing with regulatory requirements, but for Chinese firms there has been a steep learning curve. For those looking to expand operations internationally, there have also been some benefits.
“Due to the lack of enforcement pressure, Chinese companies that are now following the PIPL requirements may find it easier to comply with international legislation such as the GDPR, as there can be more flexibility within those rules, especially for smaller businesses,” says Peng. “For larger firms, taking into account national security considerations, especially in sensitive sectors like tech and the pharmaceutical industry, there can be a bit more of a difficulty.”
The responses of international businesses to the changing data laws have been varied, ranging from greater localization of staff and data centers to diversifying somewhat away from China. The reaction mostly depends on the category of data a company holds, and for many businesses this remains unclear.
Where the impact of the data laws is clear is on multinational businesses with revenue centers in China, and some level of ‘important data.’ For example, businesses such as manufacturing or pharmaceuticals require the free flow of data between R&D centers around the world, and although for such companies there is a value to having a presence in China, it could also create a distinct drawback if communications are not smooth.
“Companies are required to undertake substantial work on lots of aspects of localization and data security,” says Peng. “This requires a deeper understanding of China law and that has increased operational costs and the need for professional support. Transparency is an issue and this has necessitated forming stronger ties with local partners and companies that are more tailored to the China market.”
The representative of an MNC who wished to remain anonymous discussed how the situation has impacted on the company’s cybersecurity operations. “We work worldwide and that means we have cybersecurity staff monitoring our systems throughout every timezone,” they said. “It’s partly good practice but also a good cost-saving exercise as it means we don’t need people on call at all times. But you can’t do that in China. We have to have a separate team here and also can’t do live sharing of data with the rest of our global operations. This both increases our costs and our ability to operate seamlessly.”
Reactions from other MNCs have been mixed. Microsoft has been gradually pulling some of its operations out of China in recent years, as well as creating China-only alternatives. LinkedIn sunset its localized Chinese version in late 2021, with Microsoft launching InJobs in Chinese app stores as an alternative, although it has yet to see any real success. Microsoft also closed all of its physical stores in China in July.
Yahoo exited the China market around the same time as LinkedIn, citing an “increasingly challenging business and legal environment.” In August, IBM announced that it is shuttering the majority of its research and development work in China, at the cost of 1,000 jobs.
German automaker Volkswagen has chosen a different route and committed more resources to staying in the China market, creating supply relationships for software and semiconductors with companies such as Horizon Robotics for its China production. In mid-2023, it also invested $1.1 billion in a new development and procurement center for EVs in Hefei, and early this year committed a further $2.68 billion to expanding these operations, increasingly isolating its technological development in the country.
Apple has made a similar commitment to the market, striking a deal with Chinese regulators to store Chinese user data in domestic servers located in the southwestern province of Guizhou. US-based EV manufacturer Tesla has also expanded its deal with Chinese internet giant Baidu to gain access to its mapping license for data collection on China’s public roads, which should boost the company’s chances of deploying full self-driving technologies in China.
“From a Chinese point of view, the types of deal between Baidu and Tesla can also be a boon to local employment by creating jobs in the local tech and security space,” says Creemers.
Some businesses have also run afoul of the new regulations. One such example was a raid on the Beijing office of US corporate investigations firm Mintz Group, and a subsequent $1.5 million fine, for doing “unapproved statistical work.” The issues at the heart of the incident have not been made fully clear, but they are known to be data-related.
To mitigate risks and ensure compliance, it seems clear that companies need to invest in localized data centers and develop robust data governance frameworks that align with Chinese regulations. Particularly affected MNCs also have to consider how they push back against the lack of transparency and clarity in the laws. Many of these companies would usually be outspoken with their criticisms in Western markets, but due to the nature of the Chinese system, a more measured and constructive approach is required.
The response for now has largely been focused on clarification and improving cross-border data legislation. “Companies facing difficulties with identifying their data will continue to push to improve the rules,” says Nunlist. “They are mildly optimistic that they might get what they want, but it will most likely be on a granular or case-by-case basis.”
Making amendments
There are areas for optimism in China’s data legislation development. Further updates to data classification rules are expected soon, but specific timelines are unclear.
“The interaction between China data laws and international laws will continue to be a key area of development and negotiation,” says Roberts. “While the pace of international cooperation remains uncertain, it is absolutely the sort of harmony that businesses are looking for.”
But there are also concerns over China’s desire to pursue a better balance of development and national security, which, despite an increasing number of mentions in official statements in recent years, wasn’t emphasized at the recent Third Plenum.
“Broadly speaking, we’ve seen the state remember that development is the purpose, and the CAC has been quite explicit in their support for a better balance,” says Nunlist. “But it would have been nice to see more from the Third Plenum in this regard.”
Letter of the law
China’s data rules are not entirely without precedent, as can be seen in the GDPR, and there appears to be positive momentum towards improving the way the system works. However, there remains a lack of transparency and clarity on implementation requirements, which makes life difficult for companies, both domestic and international. Data is the commodity of the future and companies naturally don’t wish to feel that their data is at risk.
“China is expected to further refine and expand the data regulatory framework to keep pace with rapid technological advancement, and more detailed regulations are likely to be introduced to deal with the sustainable use of big data and deployment of emergent technologies like AI,” says Roberts. “But the hope is that we can get clear guidelines and explanations on cross-border data flows and enhanced compliance measures, and shift towards a more adaptable approach for easier business compliance.”
But what is unlikely to change is China’s desire to ring-fence the data that is generated within its borders. “China is clearly positioning itself to present an alternative regulatory regime to how data can be managed,” says Nunlist.