Fortune | Yvonne Lau | Sep 1, 2021
Starting Wednesday, companies—whether domestic or foreign—that collect data and have operations in mainland China will be subject to the new Data Security Law (DSL), which outlines how corporations should manage their data.
The new law also classifies data according to its relevance to Chinese national security, with harsher punishments—such as heavy fines or criminal liability—for companies that mishandle data deemed to be “important data” and “national core data.”
Yet the data guidelines don’t provide many details about what subjects are protected, leaving businesses in the dark as to how the rules will actually be implemented.
The DSL marks China’s first comprehensive data regulatory regime, one of three key frameworks that underpin the country’s data and cybersecurity governance. The new rules will work in tandem with China’s 2017 Cybersecurity Law, which requires firms to improve the security of their data networks, and with the upcoming Personal Information Protection Law, to be enforced Nov. 1, which sets new rules for how companies handle consumers’ personal information.
China has now entered a “heavily regulated information age,” says Jim Fitzsimmons, principal for cybersecurity at Control Risks, a consultancy. China’s new data laws come as the government is strengthening its grip on the nation’s Internet firms.
Beijing recently made clear its concerns surrounding data security after it cracked down on homegrown ride-hailing firm Didi, mere days after its blockbuster $4.4 billion NYSE initial public offering. State agencies in early July launched a regulatory assault on the company, initiating a data probe on national security grounds, then ordering China’s mobile stores to remove Didi’s app.
Despite the state’s regulatory commotion on data, the new law remains thin on details. Instead, it is a sweeping panoply of broad principles outlining how companies can and can’t use, store, process, transfer, and manage data—all in the name of national security. While the new law addresses genuine data security concerns that all countries face, it boosts the government’s control over otherwise private companies, says Karman Lucero, fellow at Yale’s Paul Tsai China Center.
China’s new data rules bar any company that manages and stores data in China from transferring data across borders without the prior, explicit approval of the authorities. Both companies and individuals can be fined for failure to comply with the new rules. And yet the law doesn’t outline how companies should obtain this approval or which agency they should approach to do so.
The scope of the DSL also grants the state extraterritorial reach, in theory. It allows regulators to take action if they deem companies’ data processing activities taking place outside the PRC to be a threat to the country’s national security. How this will actually be enforced is not clear.
The new data rules will also affect Chinese companies seeking initial public offerings in the U.S. Such firms will have to “seek the same challenging balance—between the competing disclosure requirements of China’s new DSL, plus U.S. listing rules” which are also becoming more stringent, says Winston Wenyan Ma, adjunct professor at the NYU School of Law and author of The Digital War: How China’s Tech Power Shapes the Future of A.I., Blockchain, and Cyberspace.