China’s first comprehensive system of rules for data protection is included in the Cyber Security Law, which came into effect June 2017. These rules govern the collection of personal data over information networks. Data protection within China is becoming a more politicized issue. Chinese consumers, in fact, appear to have some concern surrounding the issue, as they do in other countries (though perhaps not to the same degree). For example, a consumer protection organization backed by the Chinese government is suing Baidu for collecting personal information without user consent.
Though multinational companies are used to data protection rules in most markets, China’s data protection rules rules appear to be more far-reaching than Europe’s General Data Protection Regulation (GDPR). Compared with the GDPR, China’s definition of sensitive data is more extensive. The standards for consent to collect personal information are stricter, and there are more specific security requirements. Companies should carefully analyze their business practices to determine if the rules are relevant and, where applicable, consider implementing company policies to ensure compliance with these rules as soon as possible.
The Basics of China’s Data Protection Rules
Network operators have particular data privacy obligations under the Cyber Security Law. A network is defined as a system of information terminals that stores, collects, processes, or exchanges information. The definition of network operator includes both the owners and administrators of these systems. Virtually all companies involved in any kind of internet-based services will be subject to the law.
Under the new law, personal information includes, but is not limited to, names, address, telephone numbers, dates of birth, identity card numbers, biometric identifiers, and personal activities. Network operators may not collect information that is not justified by the nature of the services that they provide. The network operator must gain the consent of the data subject prior to collecting personal information, and it must inform the data subject of the full nature and scope of the data collection activities.
Overseas Data Transfers
The Data Protection Provisions of the Cyber Security Law requires all data collected on Chinese data subjects to be stored within China. The law, therefore, suggests that foreign companies must keep all of the data collected by their subsidiaries within China. Foreign companies with no presence in China are still under the jurisdiction of the law if they are deemed to be conducting operations in China. This includes having a website in Chinese geared towards the Chinese market, allowing payments in RMB, or delivering commodities to China.
Overseas data transfers require the approval of the authorities. The network operators must first undergo a rigorous security assessment. They should assess the security measures taken by the recipient to protect the data and the risks of a data leak. The security assessment also includes an analysis of the risk to Chinese national security or the public interest.
If data is transferred to an overseas third party, the network operator must first seek the consent of the subject, even if it is transferred to an affiliate. The data subject must be notified of the nature and scope of the transfer, the details on what specific personal information will be transferred, and to where the data will be transferred. Where consent is demonstrably implied by the user’s actions, there is no notification of consent needed. For example, if the network operator facilitates an email being sent overseas, the consent of the user will likely be deemed implicit.
Network operators are subject to the data localization requirement, which requires all data collected on subjects within China to be stored within the country. They must also implement measures to ensure the protection and security of this data, in order to prevent a breach. If the data is breached and the company was found not to have implemented sufficient protections, it may face a fine or be unable to continue working as a network operator within China. Additionally, certain data is required to be encrypted and backed-up. While the law remains vague and will likely be clarified in future guidelines, the only data subject to this extra requirement is that which is deemed to be related to national security, national economic development, and the social and public interest.
Implications for Foreign Companies in China
The controls on international data transfers are a major stumbling block for multinational firms that rely on business data to make managerial, strategic, and accounting decisions. Unfortunately, companies will have to operate in somewhat of a grey area with regards to data transfers, as the law remains vague and is pending further guidelines.
Prior to entering the Chinese market, companies should consider how to write their company policies and procedures such that they comply with China’s data protection rules. For example, companies should have controls in place to prevent data transfers overseas without a careful review of the data contents and screening of the overseas data recipients.
 See https://www.csis.org/analysis/new-china-data-privacy-standard-looks-more-far-reaching-gdpr
 See https://www.freshfields.com/en-gb/our-thinking/campaigns/digital/data/where-are-we-now-with-data-protection-law-in-china/