China has long been recognized as a country that takes data privacy and data sovereignty very seriously. China has been through several iterations to enable cross-border data transfers for multinational companies. In March 2024, the Cybersecurity Administration of China introduced the Provisions on Promoting and Regulating the Cross-border Flow of Data (New Provisions), which eased the stringent requirements for cross-border data transfers. This development allows multinational businesses to manage their data more efficiently while staying compliant, but there are also many instances when data has to stay within China.
In this article, we will explore key data sovereignty compliance laws in China and demonstrate how InCountry can assist your company in adhering to these regulations.
What is China’s data sovereignty?
Data sovereignty originates from the broader principle of state sovereignty, which asserts a state’s full authority to govern its territory without external interference. When applied to the digital space, data sovereignty means that any data generated or stored within a particular location is subject to the data protection laws of that jurisdiction. Just as a state exercises complete control within its borders under state sovereignty, data sovereignty ensures that local privacy laws and regulations govern data within a specific territory.
In China, the following are the major data privacy laws that a multinational must be aware of to avoid running afoul of the law:
- Cybersecurity Law (CSL 2017).
- Data Security Law (DSL 2021).
- The Personal Information Protection Law (PIPL 2021).
We shall discuss these laws and their implications for multinational businesses in detail. It is essential to state here that the goal of China’s data sovereignty laws is to protect the personal information of its residents and to serve national security purposes.
Why is data sovereignty an important point in China?
China’s data sovereignty is a big deal for the following reasons:
National security and control
China asserts control over data within its borders to protect sensitive information and ensure national security, guarding against espionage, cyberattacks, and foreign influence. This control also supports the government’s surveillance efforts and helps maintain social stability by tightly managing information flows.
Protection of personal data
Besides national security concerns, China also seeks to protect the private information of its residents through these data privacy laws. With the enactment of laws like the Personal Information Protection Law, China focuses on ensuring that personal data is handled according to national standards, safeguarding privacy within the framework defined by the government.
Economic and technological independence
China’s data sovereignty law helps boost its domestic tech industry. By mandating that data remain within the country’s borders, Chinese companies handle valuable information that foreign firms would otherwise hold. This approach nurtures the growth of homegrown technology and positions data as a critical asset for China’s digital economy. By maintaining control over this resource, the Chinese government can harness its economic potential, drive innovation, and ensure that the benefits of data-driven growth remain firmly within the nation.
Regulation of foreign companies
Data sovereignty provides China with a straightforward means to regulate the activities of foreign companies within its borders. By enforcing its laws on these entities, China ensures compliance with regulations such as data localization and government access to information. This framework prevents foreign companies from circumventing Chinese oversight, reinforcing the nation’s control over data generated on its soil.
Who must comply with data sovereignty in China?
Having established why data sovereignty is such a big deal in the second-most populous country, we shall now highlight those legally bound to comply with these laws in China.
- Chinese companies
All of them, from Chinese multinationals like Alibaba and Tencent to purely domestic companies, are compelled to comply with the provisions of China’s data sovereignty requirements.
- Foreign companies operating in China
These include multinational corporations like Microsoft and Apple, financial institutions, cloud service providers, etc. All these companies are expected to comply fully with China’s data sovereignty laws.
- Critical information infrastructure operators (CIIOs)
Industries such as telecommunications, energy, finance, transportation, and healthcare are classified as Critical Information Infrastructure Sectors. Operators in these sectors are subject to stricter data sovereignty requirements, including enhanced security measures and data localization mandates.
- Third-party service providers
Companies that process data on behalf of other businesses, including IT service providers and consultants, must comply with data sovereignty laws if they handle data generated in China. This also applies to vendors and subcontractors who may have access to sensitive data.
- Government and public institutions
Government agencies and public institutions in China must also comply with data sovereignty laws, ensuring that data related to public administration and national security is stored and protected within the country.
China’s data sovereignty laws
As previously mentioned, three key data privacy laws are central to China’s data sovereignty framework. These laws are as follows:
- Cybersecurity Law (CSL 2017).
- Data Security Law (DSL 2021).
- The Personal Information Protection Law (PIPL 2021).
We shall review each of these laws in more detail in this section.
Cybersecurity Law (CSL 2017)
This is a comprehensive legal framework aimed at regulating cyberspace and enhancing the security of information networks in China. Enacted in 2017, the CSL addresses a wide range of issues, including data protection, cybersecurity, and the management of critical information infrastructure. It is an important part of China’s broader strategy to maintain control over its data and protect national security. Here are some important provisions that you need to know to stay out of trouble:
- Critical Information Infrastructure (CII)
Critical Information Infrastructures (CIIs) include vital sectors such as telecommunications, finance, energy, transportation, healthcare, and government services. Under the Cybersecurity Law, operators within these sectors must adopt enhanced security protocols to safeguard their networks and data. Additionally, CIIOs must conduct regular security assessments, implement robust protective measures, and fully cooperate with government inspections and audits.
- Requirements for data localization
The Cybersecurity Law requires that personal information and crucial data collected or generated by “Critical Information Infrastructure Operators” (CIIOs) within China be stored domestically. If such data needs to be transferred abroad, it must pass a security assessment and receive approval from the appropriate authorities. It also sets strict guidelines for cross-border data transfers.
- Protecting personal information
The law sets strict guidelines for collecting, storing, and using personal information. It requires companies to secure user consent before gathering any data and ensure that it is adequately protected. Organizations must implement robust measures to guard against data breaches, unauthorized access, and the misuse of personal information. Failure to comply with these requirements can lead to substantial fines and penalties.
- Cybersecurity monitoring and reporting
All network operators, not just CIIOs, are obligated to implement comprehensive cybersecurity measures, which include monitoring their network security, safeguarding against data breaches, and preventing the misuse of their networks for illegal activities. Additionally, the law mandates that organizations promptly report any cybersecurity incidents.
- Governmental access & control
The Cybersecurity Law gives the Chinese government extensive authority to access data held by companies operating within China, including the power to require technical support and assistance in matters of national security or criminal investigations. Additionally, the law strengthens China’s censorship framework by compelling companies to monitor and censor content considered illegal or harmful to national security, social order, or public morality.
- Penalties for non-compliance
Violating the Cybersecurity Law can result in substantial penalties for companies, including hefty fines, operational suspensions, and even the revocation of business licenses. Individuals found responsible may also be held personally liable. In more severe cases, where actions are seen as threatening national security or public order, violations can escalate to criminal prosecution.
The Cybersecurity Law is a key part of China’s broader strategy to tighten state control over the digital landscape, especially in areas vital to national security. It is closely linked to the country’s efforts to guard against cyber threats, espionage, and the influence of foreign entities.
Data Security Law (DSL 2021)
Enacted on September 1, 2021, the Chinese Data Security Law (DSL) provides a comprehensive framework for regulating data handling, safeguarding national security, and managing the increasing role of data in the digital economy. This law is a key component of China’s broader strategy to tighten control over data within its borders, aligning closely with other major regulations like the Cybersecurity Law of 2017 and the Personal Information Protection Law of 2021. We shall review its key provisions below:
- Emphasis on data classification
The DSL mandates that data be categorized based on its significance to national security, public interest, and economic development. This classification allows the government to apply varying levels of protection depending on the data’s sensitivity and potential impact. Certain types of data, considered crucial to national security, economic stability, or public welfare, are subject to more stringent controls.
- Government access to data
In keeping with its plan to maintain control over its residents’ data, the DSL grants the Chinese government extensive authority to access data when necessary for national security, public order, or economic management. Organizations are required to comply with government requests for data access, including sharing information with state entities.
- Data localization and cross-border data transfers
Like the Cybersecurity Law, the Data Security Law mandates data localization for critical information. This requires that important data generated within China be stored domestically, keeping it under Chinese jurisdiction. For data that must be transferred outside of China, a security assessment and approval from the relevant authorities are required.
- Protection of data related to national security
Under the DSL, data considered important to national security is given the highest level of protection. It establishes a robust framework for monitoring, controlling, and safeguarding this type of data. The DSL has significant implications for foreign companies operating in China, especially those in sensitive industries. These companies must ensure their data handling practices comply with national security requirements or risk increased scrutiny and regulatory action.
- Productive use of data
While prioritizing security, the DSL also encourages the use of data to foster innovation and economic growth. The law supports the development of new data-driven industries as long as they operate within the regulatory framework. It emphasizes the importance of balancing data security with the promotion of the digital economy.
Companies operating in China need to make substantial adjustments to their data management practices to comply with the Data Security Law. This involves implementing data localization measures, conducting security assessments for cross-border data transfers, and strengthening overall data security protocols.
As you can imagine, the law also imposes higher compliance costs, particularly for companies that manage large volumes of data or operate in sectors deemed critical by the Chinese government. To meet these stringent requirements, businesses may need to invest in new technologies, hire specialized personnel, and implement complex processes. Alternatively, they can streamline their data management by partnering with a technology company like InCountry, which offers cost-effective solutions while ensuring top-notch compliance with data management regulations.
The Personal Information Protection Law (PIPL 2021)
The Chinese PIPL is probably the most widely known Chinese data privacy law. It became effective on November 1, 2021, as China’s first legislation dedicated to protecting personal data. The PIPL shifts the focus away from the privacy laws discussed earlier, which primarily addressed information networks and national security. Much like the European GDPR, the PIPL is centered entirely on safeguarding the personal information of Chinese residents. Its scope extends to any organization that collects, processes, or stores personal data of Chinese residents, regardless of whether the company operates within China or abroad. Below, we will examine some of the law’s key provisions.
- Data subject rights
It secures the rights of Chinese residents whose data is collected, processed, or stored by companies. Some of the rights it secures are as follows:
  - Right to access and correct their personal data.
  - Right to request the deletion of their personal data.
  - Right to object to the use of their data for a specific purpose.
  - Right to restrict what the company in possession of their data may use it for.
  - Right to data portability, i.e. to transfer their personal information from one data controller to another.
- Legal basis for processing data
The PIPL mandates that personal data can only be processed with an individual’s informed consent, which must be specific, explicit, and freely given. The law also grants individuals the right to withdraw their consent.
- Responsibilities of data processors
The PIPL requires that personal data be processed only for specified, legitimate purposes and only to the extent necessary to achieve those purposes, following data minimization principles. Data processors must implement robust technical and organizational measures to safeguard personal data from unauthorized access, disclosure, modification, and loss, including conducting regular security assessments and audits. Additionally, organizations that handle large volumes of personal data or engage in complex processing activities are required to appoint a Data Protection Officer (DPO) to ensure compliance with the PIPL.
- Cross-border data transfer
The PIPL sets stringent requirements for Chinese cross-border data transfers of personal information. Before transferring data outside China, data exporters must conduct security assessments and secure approvals from the relevant authorities. Additionally, organizations transferring data internationally can also use government-approved standard contractual clauses or certification mechanisms to ensure they meet the PIPL’s compliance requirements.
- Data Protection Impact Assessments (DPIAs)
Organizations involved in high-risk data processing activities, such as large-scale data processing, automated decision-making, or processing of sensitive data, are required to conduct Data Protection Impact Assessments (DPIAs) to evaluate and mitigate potential risks.
- Penalties and enforcement
Non-compliance with the Personal Information Protection Law (PIPL) can lead to severe penalties, including fines of up to 50 million RMB (about $7.7 million) or 5% of the entity’s annual revenue. Individuals responsible for violations may also face personal liability, including fines and restrictions on future employment. Companies that breach the PIPL may be blacklisted by regulatory authorities, which can hinder their ability to operate in China. Additionally, violations may be publicly disclosed, damaging the company’s reputation.
The PIPL shares many similarities with the GDPR, such as its focus on individual rights, data minimization, and strict cross-border transfer rules. However, it also reflects China’s distinct regulatory approach, emphasizing national security and state control over data. By contributing to the global conversation on data governance and privacy, the PIPL establishes China as a key player in shaping international data protection norms. Its extraterritorial scope means that companies around the world must consider its implications when handling data from Chinese consumers.
Data sovereignty requirements in China
As with most countries with data sovereignty laws, the Chinese government requires that personal data collected from Chinese citizens be stored and processed within the country, subject to the limited exceptions introduced in March 2024. This ensures compliance with Chinese laws and prevents foreign entities from accessing or controlling the data. The key requirements here include:
- Local storage: Personal data is expected to be stored on servers in China. However, recent amendments have granted some concessions to multinational organizations that need to transfer data abroad.
- Compliance with national standards: Companies must follow stringent data protection standards established by the Chinese government through the abovementioned policies.
- Government access: Authorities can access personal data for security and regulatory purposes.
- Data minimization and purpose limitation: Data collection should be limited to what is necessary for its intended purpose and used solely for that purpose.
- User consent: User consent is required to collect, process, and share data.
These measures safeguard citizens’ privacy and national security by ensuring data remains under Chinese jurisdiction.
How InCountry helps companies stay compliant with Chinese data sovereignty laws
InCountry goes beyond simply guiding you through China’s data sovereignty regulations; we take full responsibility for ensuring your data complies with the strict requirements. Unlike a map that points the way, we actively manage your data, keeping it secure and compliant every step of the journey. Our data residency service allows you to store data within China while accessing it from anywhere in the world, freeing your company from the complexities of navigating these regulations. This enables you to focus on what truly matters to your business.
Moreover, our advanced encryption and data vault services provide robust security for your data, both at rest and in transit.
Contact us today, and let’s explore how we can add value to your company by ensuring your data remains both secure and compliant.