China’s cybersecurity and data protection regulation

Since the enactment of the China Cybersecurity Law in 2016, the Chinese leadership has continuously refined and expanded China’s cybersecurity and data protection regime. Today, more than 180 laws, technical standards, and administrative measures regulate the usage of data and the preservation of cyber resilience. These legislative acts have far-reaching implications for German companies doing business in and with China.

Aside from the EU internal market, China is, after the USA, the second-largest export market for goods “made in Germany”. Apart from shipping their goods to China, several leading German companies operate manufacturing sites in China. In addition, they offer goods and services related to Industry 4.0 or the Internet of Things on the Chinese market. As manufacturing, products and services become digitalised and integrated into global digital networks, a huge amount of data is exchanged across borders between China and regions outside of China. Consequently, when doing business in and with China, German companies must also be aware of the cybersecurity and data protection regulations that exist in China. Otherwise, they risk fines and penalties.

Since 2016, the Chinese leadership has been following its concept of so-called “cyber sovereignty”. Its basis is the development of a comprehensive regulatory regime for cybersecurity and data-related issues, which includes the use of digital technologies, the preservation of cyber resilience, and the processing of personal and non-personal data. This regulatory ambition is reflected in more than 180 laws, technical standards, and administrative measures to date. Further technical standards and administrative measures have already been drafted and will soon be implemented.

The Framework: China Cybersecurity Law

In June 2017, the China Cybersecurity Law (CSL) came into effect. It functions as the framework law for China’s cybersecurity and data protection legislation: it describes general responsibilities for public and private actors and specifies the overarching goals. However, it only becomes “implementable” through technical guidelines, administrative regulations, standards, and further laws.

Next step: data protection and regulation of cross-border data transfers

The National People's Congress of the People's Republic of China passed the Data Security Law on 10 June 2021. The law, which regulates the handling and security of data and is intended to promote data use, came into force on 1 September 2021. For the first time, the Data Security Law addresses various aspects of data security and data usage in one law. The focus is not only on the protection of personal and non-personal data against unauthorised access by third parties, but also on the complete control of cross-border data flows and, in certain cases, the possible access to all company data by the authorities.

Then, in November 2021, the Chinese leadership enacted the second important piece of data legislation, the Personal Information Protection Law (PIPL). The PIPL was enacted to protect personal data, regulate the processing of personal data and promote the “wise” use of personal data based on the Chinese Constitution. The law can be compared to the European General Data Protection Regulation (GDPR), as it, for example, requires data users to ask data owners for their permission before utilising data. The law applies not only to the processing of personal data of natural persons within the territory of China, but also to processing outside China for the purposes of providing goods or services to natural persons in China. In addition, the PIPL regulates the “export” of data to companies in third countries and is therefore of significant importance for companies offering cross-border services, such as operators of public airlines.

As data security is often directly linked to “national security” and the “public interest”, the Data Security Law, in conjunction with the Personal Information Protection Law, risks complicating data transfers between China and third countries for German companies.

Outlook: Achieving the 14th Five-Year Plan will lead to more cybersecurity regulation

In March 2021, China outlined the 14th Five-Year Plan, which reflects China’s aspiration to achieve technological leadership and autonomy, especially in the area of digitalisation and communication. To achieve this goal, the availability and utilisation of large amounts of data will be paramount. Therefore, one can expect the Chinese government to introduce further regulatory acts that limit the possibilities for companies to transfer their China-related data to third countries. This might also include data from R&D activities in China, which could fall under export control restrictions. Hence, when doing business in and with China, German companies have to be aware of the continuous development of new laws, technical standards and administrative measures.