How global companies can comply with Chinese data regulations including PIPL, CSL, and DSL

Even minor errors and oversights can lead to large data breaches. In July 2021, Didi Global, the top Chinese ride-hailing company, was fined 8 billion Yuan ($1.2 billion) for violating data privacy laws. According to the Cyberspace Administration of China (CAC), Didi illegally collected users’ personal information, such as screenshots of their mobile phones, facial recognition data, and location data. While Didi likely had logical explanations and may have meant no harm, it mattered little, as the company was breaching the law. Didi accepted the heavy fine from the CAC without any protest.

Expanding into China’s vast and lucrative market comes with a unique set of challenges, especially when it comes to data compliance. Failure to comply can lead to hefty fines, operational disruptions, and reputational damage. However, with the right strategies in place, businesses can ensure compliance while maintaining growth and innovation in China. In this blog, we’ll break down key Chinese data regulations, highlight major compliance requirements, and offer practical steps for global firms to stay ahead.

What laws in China regulate data protection?

China’s data laws clearly state the responsibilities of tech companies and other types of companies to ensure personal data compliance. They are as follows:

  1. The Personal Information Protection Law (PIPL).
  2. Cybersecurity Law (CSL).
  3. The Data Security Law (DSL).

The Personal Information Protection Law (PIPL)

This is China’s first comprehensive law on personal information protection. It applies to all personal data collected or processed by companies operating within China. Like other data privacy laws, this law gives Chinese citizens greater control over their personal information. They have the right to access it anytime, request corrections, and even permanently delete their data. China’s PIPL became effective on November 1, 2021.

Below are some other requirements of the PIPL:

Chinese residents who notice that their personal data has been mishandled are empowered by the PIPL to file reports with the relevant authorities. Penalties for mishandling personal data can be as high as $7.5 million or 5% of the violating company’s annual revenue, whichever is higher.

The Cybersecurity Law (CSL)

Enacted in 2017, the Cybersecurity Law (CSL) focuses on safeguarding China’s cyberspace and the cloud services operating within it. It establishes guidelines for all Network Operators and Critical Information Infrastructure (CII) operators, whether foreign or Chinese.

Under the CSL, network operators and CII operators must implement security measures, conduct security assessments, and promptly report cyber incidents to the authorities. The law empowers the authorities to inspect and investigate network and CII operators to ensure compliance.

To bolster cybersecurity, the CSL mandates specific actions from network and CII operators, such as:

The penalties for violating the CSL can be as high as $150,000, or 1% of the company’s annual revenue, depending on the severity of the situation.

The Data Security Law (DSL)

The DSL plays a significant role in safeguarding crucial data and data-related systems in China. The law sets out obligations for entities responsible for processing data. It applies to all data processors within China, regardless of whether the entity is Chinese or foreign.

The DSL requires data processors to take several measures to protect critical data, including classifying data, conducting security assessments, and reporting data security incidents. It also empowers the authorities to inspect and investigate data processors. Other requirements the DSL places on data processors include the following:

The penalties for violating the DSL could be as much as $1.5 million, or 1% of the company’s annual revenue, depending on the severity of the offense.

How does PIPL affect companies operating in China?

Data residency is a key concern for tech companies and other types of companies that wish to operate in China. Here are a few ways China’s PIPL affects tech companies that you need to be aware of:

Unlike the GDPR, the PIPL requires organizations to obtain the consent of individuals before collecting, processing, or storing their personal data. Although the GDPR allows for implied consent in certain situations, the PIPL mandates direct, explicit consent.

The PIPL also grants individuals significant rights over their personal data: the right to access, correct, delete, and even port their personal data from one processor to another. They can also object to the processing of their personal data, and the data processor must respect their wishes.

As a tech company, you should also be aware that the PIPL requires processing companies to take more strategic and stringent measures to protect their clients’ data. It recommends measures such as encryption, pseudonymization, and data minimization to achieve this.

The PIPL also restricts the transfer of personal data outside China. To transfer such data, you must obtain express permission from the individuals concerned or secure another form of approval. You should pay special attention to this as a tech firm in China.

Finally, the PIPL empowers the relevant authorities to enforce data protection in China. This makes the law more effective, as the authorities can now compel compliance.

What tech data needs to be protected?

Although data residency requirements differ by country, there are important categories of data that need to be protected. Here is a list of them:

Personal information includes details such as name, address, phone number, email address, social security number, and biometric data. It is regarded as personal information because it is linked to a specific person and can be used to identify that person.

Financial information includes details such as bank account numbers, credit card numbers, and investment account numbers. This data should be properly safeguarded to prevent financial fraud.

Health information includes details such as medical records, test results, and prescription information.

China’s cross-border data rules

China’s cross-border data rules can be found in its data protection laws, namely the PIPL, the Cybersecurity Law, and the Data Security Law, all discussed in detail above. In this section, we highlight some requirements set out in the PIPL, CSL, DSL, and CAC regulations regarding cross-border personal data transfers:

What are the penalties for sending data overseas?

It is important to note that while the various Chinese data protection laws prescribe several types of punishment for personal data violations, the penalty an organization actually faces is determined by the nature of the violation, how serious it is, whether the organization is a repeat offender, and similar factors. Here are some of the penalties a company that has violated the data protection laws can expect to face:

Follow Chinese regulations with InCountry

Managing a tech company while keeping up with constantly changing data protection laws can be overwhelming; the demands of running a tech business are already time-consuming for a CEO. Fortunately, InCountry can assist you in maintaining compliance with personal data regulations, allowing you to concentrate on growing your business.

With our Data Residency-as-a-Service, we can help your organization store, process, and share regulated data internationally while staying compliant with local data residency laws for tech businesses. This managed platform seamlessly integrates with existing systems in your organization, sparing you the need to create and oversee new infrastructure. Other benefits you enjoy by using our platform include:

Contact us today to discuss your needs and see how much value we can contribute to your company.