China enacted a suite of laws in recent years that radically alter the digital landscape. If you plan on doing any sort of business on the mainland, getting across China data privacy laws is a must. The strict rules dictate how personal information is collected and managed, along with robust data governance and cyber security mandates. We run you through some of the most important data legislation.
Key China data privacy laws
China laid the foundations for its recent data privacy laws with its Cyber Security Law (2017). The CSL was China’s first comprehensive cyber security legislation. It contains the guiding principles for institutions using networks and information and communications tools in China. The notably vague legislation outlined the need for businesses to act with lawfulness, legitimacy, and necessity in collecting and using personal data, as well as broad data security obligations and principles.
What the CSL didn’t contain was a lot of detail. Successive data privacy and cybersecurity legislation has built on this foundational legislation. Over the last few years, some major pieces of legislation in support of the CSL came into force. These key laws include the Cybersecurity Classified Protection Scheme enacted in 2019, the Data Security Law (DSL) enacted in 2021, the Personal Information Protection Law (PIPL) enacted in 2021, and the Algorithm recommendation regulations, which came into effect in March 2022. These four laws work to not just flesh out the CSL but complement each other.
China's full name for its algorithm recommendation law is the Internet Information Service Algorithm Recommendation Management Regulations. The law applies to any "personalised recommendations in mobile applications." Basically, the law controls how the algorithms that recommend content or place ads on internet platforms are deployed. The law gives users greater autonomy and control over the way their data is used by algorithms, as well as the content they see. The law also demands platforms are transparent and share details about how algorithms function. In addition, it bans algorithms being used to influence online public opinions. The law retroactively applies to previously-applied data laws, including the PIPL and DSL.
The PIPL restricts and regulates the use and collection of personal information. It has a particular focus on user notification and consent and shares some similarities with Europe’s General Data Protection Regulation, the so-called GDPR.
Data handlers must get an individual’s explicit consent to collect, process, or store their personal data. Details on what specific conditions need to be met to constitute clear consent are light. However, Article 14 outlines that it is essential that the individual is fully informed, and consent is given freely and unambiguously. “Extra consent” is required for “sensitive data”.
Like the GDPR, the PIPL has extraterritorial scope, meaning it applies to entities both within and outside of China that process personal information on people within China. Personal information includes any data that can be linked to a specific individual.
The DSL includes data localisation rules and transfer prohibitions on companies exporting "core national data" or sensitive data generated from within China. The types of data that should raise red flags for a business would be anything that relates to infrastructure or natural resource extraction. If a company does want to export sensitive China-originated data abroad, they will require a security assessment and approval from the Cyberspace Administration of China.
It also bans data handlers from providing foreign government agencies with data stored on the mainland without Chinese government approval. This approval is required even if the data doesn’t fall under outlined “sensitive” data categories or is originally collected from outside of China.
This expansion of China’s extraterritorial reach over new categories of data raised a red flag for some global organisations. The law has the potential to conflict with the US’s ‘CLOUD Act’ (2018 Clarifying Lawful Overseas Use of Data Act), which allows US authorities to demand access to electronic data wherever it is stored.
Companies face significant fines and penalties for breaches of China data privacy laws. If you're not compliant, you also risk getting "kicked out" of China. Individuals involved in a breach of these data laws, or who fail to cooperate with data requests by Chinese authorities, also face additional penalties or charges on a case-by-case basis.
Taking control of your digital activity
China's new laws make it even more important for businesses to have control and visibility across their digital activity. You're responsible for how third parties, including agencies, use the data of your customers. Transparency across your marketing and digital activity is a must have, not a nice to have: from the insights you leverage, to the technology you utilise, to how you handle data internally.
It's imperative to take ownership of your China digital activity, and become compliant with local law. But you may also need to rethink your digital marketing strategy. Content will become increasingly critical. With more limited targeting, and less opportunity to purchase insight or leads, organisations will need great content to bring clients across to brand-owned channels. At Sinorbis, we haven't just built a platform that's compliant with Chinese laws. We also offer a range of marketing services to support our customers and make China digital marketing simpler and more efficient. So get in touch!