
3 must-know facts about data security law in China

July 24, 2019 |   Dandan Cheng

On 1 June 2017, the Chinese government put into effect the Cybersecurity Law, with the intention of bringing China in line with global cybersecurity and data privacy best practices that have been adopted elsewhere (such as the GDPR in Europe). The Law also includes penalties for non-compliance, including large fines (the maximum fine being RMB 1 million), suspension of business activities and even the closing of businesses and revocation of licences.

For any company conducting business in China, it’s important to be familiar with the requirements of the Cybersecurity Law to avoid legal issues or penalties for non-compliance.

In this article, we’ll reveal the three most important China data security law considerations you need to be on top of if you’re marketing to China.

(Important note: This post provides a general overview only, and in no way constitutes legal advice. Please talk to a legal adviser about any changes you will need to make to your cybersecurity practices and privacy policy.)

1. Personal information protection

Similar to the GDPR in Europe, the data security law in China prohibits the collection of information that is not relevant to the services the company provides. What's more, the Law places more emphasis on the protection of personal information (defined as anything that could be used to identify a person, such as name, date of birth, identification number, telephone number or address) and individual privacy.

For example, as one KPMG summary of the Law puts it, “service providers that collect users’ information are required to inform and obtain consent from users”, and stricter provisions have also been imposed on the protection of such user data to ensure confidentiality.

What this means for foreign businesses operating apps or websites within mainland China is that before any user data is collected via these platforms, the user must be able to provide consent for such data collection. Users should also be told exactly how their data will be processed and used, to ensure this consent is informed. Businesses also need to ensure they are using a reliable hosting service that employs stringent cybersecurity practices in order to minimise any chance of a data breach.

One example of a foreign company that has done a good job of overhauling its privacy policy in response to the new data security law is Starbucks. Its new policy – compiled with the help of one of China’s top law firms – goes into significant detail about how data is collected, used, processed and stored. It even explains what cookies are, so users have a full understanding of how Starbucks gathers data.

While we’re not saying your privacy policy needs to be as comprehensive as Starbucks’, it provides a good example of a privacy policy that covers all the bases.

2. Preservation of sensitive information

The data security law stipulates that any personal information or important data that is collected and generated within mainland China must be stored domestically.

What that means for foreign businesses is that bulk exportation of data outside China’s borders is prohibited (unless you have obtained special permission to do so). The prevailing interpretation is that businesses can still export data on an individual basis, provided the total number of records per year and the size of any individual data transfer do not exceed certain limits.

The law also includes a ban on the export of any economic, technological, or scientific data that would pose a threat to national security, diplomatic relations, the national economy, or the public interest.

3. Responsibilities of network operators

The Law has broadened the scope of who falls under the definition of a ‘network operator’: essentially, any enterprise or institution that owns or administers networks or provides network services can be deemed a ‘network operator’.

Network operators are required to undertake certain measures to safeguard their networks, respond to cybersecurity incidents and prevent cybercrime. This includes:

  • having a tiered system for cybersecurity protection,
  • implementing rules and regulations around operational processes to avoid data leaks or breaches,
  • adopting various technologies to defend against cyber attacks, and
  • backing up and encrypting data to maintain data availability and confidentiality.

This means foreign businesses need to ensure their security administration system and data protection capabilities are up to par before undertaking any data collection.

Recommendations for compliance with data security law in China

To comply with the data security law in China, we recommend reviewing and implementing the following steps:

  • Update your privacy policy or establish a policy on cross-border data transfer. This policy should outline explicitly the scope, purpose and type of personal information you are collecting, as well as contain information about the country or region of the data recipient.
  • If you are collecting data via web forms, make sure to implement a check box to explicitly obtain consent to collect and process this data. The consent copy should inform the user about the purpose of the data collection and how the data is going to be used.
  • For international businesses that don't have a large footprint in China yet or are just starting out in this market, try to avoid or at least reduce the amount of personal data stored in China. For example, your Chinese website can be hosted outside of mainland China.
  • Transfer data at an individual level rather than exporting it in bulk at an aggregate level.
  • Make sure your network service provider or hosting solution provider has comprehensive processes and technical solutions in place for strict data confidentiality.

How Sinorbis helps international businesses to comply with data security law in China

We have adapted our digital marketing platform to make it easy to comply with the new data security law in China, particularly in terms of collecting user consent. Our lead-generation forms, for example, have been updated to include this consent. We are also hosted by Alibaba Cloud, ensuring data is protected by the very latest in cybersecurity technology. A majority of our clients are also hosted in Hong Kong, meaning they effectively operate outside of China’s jurisdiction and are therefore not subject to the Law.

Ensuring compliance with China’s Cybersecurity Law can be difficult – particularly if you’re trying to figure things out on your own. With a reliable partner, however, this is a barrier that can be easily overcome.
