On 1 June 2017, the Chinese government put into effect the Cybersecurity Law, with the intention of bringing China in line with global cybersecurity and data privacy practices comparable to those adopted elsewhere (such as the GDPR in Europe). The Law also includes penalties for non-compliance, including fines (up to RMB 1 million for the most serious breaches), suspension of business activities and even the closing of businesses and revocation of licences.
For any company conducting business in China, it’s important to be across the requirements of the Cybersecurity Law to avoid any potential legal issues or penalties due to non-compliance.
In this article, we’ll reveal the three most important China data security law considerations you need to be on top of if you’re marketing to China.
1. Personal information protection
Similar to the GDPR in Europe, the Cybersecurity Law requires that personal information be collected lawfully, properly and only where necessary, which in practice prohibits collecting information that is not relevant to the services the company provides. The Law also places more emphasis on the protection of personal information (defined as anything that, alone or combined with other information, could be used to identify a person, such as name, date of birth, identification number, telephone number or address) and on individual privacy.
For example, as KPMG summarises one key article of the Law, “service providers that collect users’ information are required to inform and obtain consent from users”, and stricter provisions have also been imposed on the protection of such user data to ensure confidentiality.
What this means for foreign businesses operating apps or websites within mainland China is that before any user data is collected via these platforms, the user must be given the opportunity to consent to that collection. Users should also be told exactly what data is collected and how it will be processed and used, so that the consent is informed. Businesses also need to ensure they are using a reliable hosting service that employs stringent cybersecurity practices in order to minimise the chance of a data breach.
2. Preservation of sensitive information
The Law stipulates that personal information and important data collected or generated within mainland China must be stored domestically. Strictly, the localisation requirement (Article 37) is addressed to operators of critical information infrastructure; the draft implementing measures published in 2017 proposed extending it to all network operators, which is why it is commonly read as applying broadly, and a cautious business should plan on that basis.
What that means for foreign businesses is that bulk export of such data outside mainland China is not permitted without first passing a government security assessment (the “special permission” referred to above). It is generally interpreted that businesses can still export data on an individual basis provided the total number of records per year and the size of any individual transfer stay below certain thresholds; note that these thresholds come from the draft measures rather than from the text of the Law itself, and may change.
The law also includes a ban on the export of any economic, technological, or scientific data that would pose a threat to national security, diplomatic relations, the national economy, or the public interest.
3. Responsibilities of network operators
The Law has broadened the scope of who falls under the definition of a ‘network operator’, essentially meaning that any enterprise or institution that owns or administers a network, or provides network services, can be deemed a ‘network operator’.
Network operators are required to undertake certain measures to safeguard their networks, respond to cybersecurity incidents and prevent cybercrime. This includes:
- having a tiered system for cybersecurity protection (the multi-level protection scheme, or MLPS, under which each network is classified and protected according to its assigned level),
- implementing internal security management rules and operational procedures to avoid data leaks or breaches,
- adopting technical measures to defend against viruses, intrusions and other cyber attacks,
- monitoring and recording network operational status and security incidents, and retaining the relevant network logs for at least six months, and
- classifying data and backing up and encrypting important data to maintain its availability and confidentiality.
This means foreign businesses need to ensure their security administration system and data protection capabilities are up to par before undertaking any data collection.
Recommendations for compliance with data security law in China
To comply with the data security law in China, we recommend reviewing and implementing the following steps:
- If you are collecting data via web forms, implement an unticked check box so that consent to collect and process the data is given explicitly by the user. The consent copy should tell the user what data is collected, the purpose behind the collection and how the data will be used.
- For international businesses that don't have a large footprint in China yet, or are just starting out in this market, try to avoid or at least reduce the amount of personal data stored in mainland China. For example, your Chinese website can be hosted outside of mainland China.
- Transfer data at an individual level rather than exporting it in bulk on an aggregate level.
- Make sure your network service provider or hosting solution provider has comprehensive processes and technical controls in place to keep data confidential.
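The first recommendation above, a consent check box on a web form, is only meaningful if the server enforces it: a browser can omit or forge the field, and a pre-ticked box does not amount to explicit consent. The following is an added example written for this article (not Sinorbis' own form code); the field names, the consent wording and the sample submissions are assumptions constructed for illustration. It validates a parsed form submission server-side, rejects anything that is not an affirmative "yes" tied to the current version of the consent copy, drops fields the form was not entitled to collect, and returns a record of what was consented to and when.

```python
"""Server-side validation of a consent check box on a lead-generation form.

Added example for illustration; field names, consent copy and sample
submissions are constructed, not taken from any real form.
"""
import hashlib
from datetime import datetime, timezone
from typing import Optional

# The exact copy shown next to the check box, keyed by version. Storing a
# hash of it with each record proves which wording the user agreed to even
# if the copy is edited later.
CONSENT_VERSION = "v1"
CONSENT_COPY = {
    "v1": (
        "I agree that my name, e-mail address and telephone number will be "
        "collected and used to respond to my enquiry and to send me product "
        "information. I can withdraw this consent at any time."
    ),
}

# Only these fields are relevant to responding to an enquiry; anything else
# that arrives is dropped rather than stored (collect only what is needed).
ALLOWED_FIELDS = {"name", "email", "phone"}
REQUIRED_FIELDS = {"name", "email"}
CONSENT_FIELD = "consent"          # <input type="checkbox" name="consent" value="yes">
CONSENT_VALUE = "yes"              # rejected unless exactly this literal
VERSION_FIELD = "consent_version"  # hidden field carrying the copy version shown


class ConsentError(ValueError):
    """Raised when a submission must be rejected instead of stored."""


def consent_copy_hash(version: str) -> str:
    """SHA-256 of the consent wording for the given version."""
    return hashlib.sha256(CONSENT_COPY[version].encode("utf-8")).hexdigest()


def validate_submission(form: dict, now: Optional[datetime] = None) -> dict:
    """Return a storable record for a valid submission, else raise ConsentError.

    `form` is the parsed POST body. An unticked box sends no field at all and
    a client can send any value it likes, so every check is repeated here
    regardless of what the browser did.
    """
    # 1. Affirmative consent: the literal value the checked box sends, and
    #    nothing else ("on", "true", "1" are treated as not given).
    if form.get(CONSENT_FIELD) != CONSENT_VALUE:
        raise ConsentError("explicit consent was not given")

    # 2. The consent must refer to the wording currently in use, so a stale
    #    or cached form cannot be replayed against updated copy.
    version = form.get(VERSION_FIELD)
    if version != CONSENT_VERSION:
        raise ConsentError(
            f"consent refers to copy version {version!r}, current is {CONSENT_VERSION!r}"
        )

    # 3. Data minimisation: keep only the permitted, non-empty string fields.
    data = {
        key: value.strip()
        for key, value in form.items()
        if key in ALLOWED_FIELDS and isinstance(value, str) and value.strip()
    }
    dropped = sorted(set(form) - ALLOWED_FIELDS - {CONSENT_FIELD, VERSION_FIELD})
    missing = sorted(REQUIRED_FIELDS - set(data))
    if missing:
        raise ConsentError(f"missing required fields: {missing}")

    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "data": data,
        "consent": {
            "given_at": stamp,
            "version": version,
            "copy_sha256": consent_copy_hash(version),
        },
        "dropped_fields": dropped,
    }


def rejection_reason(form: dict) -> Optional[str]:
    """None if the submission is acceptable, otherwise the reason to show the user."""
    try:
        validate_submission(form)
    except ConsentError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample submissions: one valid, three that must be rejected.
    good = {"name": " Li Wei ", "email": "li@example.com", "phone": "",
            "date_of_birth": "1990-01-01", "consent": "yes", "consent_version": "v1"}
    print(validate_submission(good))
    for bad in (
        {"name": "Li Wei", "email": "li@example.com", "consent_version": "v1"},   # box unticked
        {"name": "Li Wei", "email": "li@example.com", "consent": "on", "consent_version": "v1"},
        {"name": "Li Wei", "email": "li@example.com", "consent": "yes", "consent_version": "v0"},
    ):
        print("rejected:", rejection_reason(bad))
```

The record keeps the hash of the copy rather than the copy itself so that the consent log stays small and tamper-evident; if the wording is revised, bump `CONSENT_VERSION`, add the new text to `CONSENT_COPY`, and existing records still show which version each user saw.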
How Sinorbis helps international businesses to comply with data security law in China
We have adapted our digital marketing platform to make it easy to comply with the data security requirements of the Cybersecurity Law, particularly in terms of collecting user consent. Our lead-generation forms, for example, have been updated to capture this consent. We are also hosted on Alibaba Cloud, whose infrastructure security controls underpin the protection of our data. A majority of our clients are hosted in Hong Kong, which is outside the mainland jurisdiction in which the Cybersecurity Law applies.
Ensuring compliance with China’s Cybersecurity Law can be difficult – particularly if you’re trying to figure things out on your own. With a reliable partner, however, this is a barrier that can be easily overcome.