How global companies can comply with Chinese data regulations including PIPL, CSL, and DSL

Even minor errors and oversights can lead to large data breaches. In July 2021, Didi Global, the top Chinese ride-hailing company, was fined 8 billion Yuan ($1.2 billion) for violating data privacy laws. According to the Cyberspace Administration of China (CAC), Didi illegally collected users’ personal information, such as screenshots of their mobile phones, facial recognition data, and location data While, Didi likely had logical explanations and may have meant no harm by this, it matters little as they were breaching the law. Didi accepted the heavy fine from the CAC without any protest.

Expanding into China’s vast and lucrative market comes with a unique set of challenges, especially when it comes to data compliance. Failure to comply can lead to hefty fines, operational disruptions, and reputational damage. However, with the right strategies in place, businesses can ensure compliance while maintaining growth and innovation in China. In this blog, we’ll break down key Chinese data regulations, highlight major compliance requirements, and offer practical steps for global firms to stay ahead.

What laws in China regulate data protection?

China data Laws clearly state the responsibility of tech companies and other types of companies to ensure personal data compliance, and they are as follows:

1. The Personal Information Protection Law (PIPL).
2. Cybersecurity Law (CSL).
3. Data Security Law.

The Personal Information Protection Law (PIPL)

This is China’s first comprehensive law on personal information protection. It applies to all personal data collected or processed by companies operating within China. Like other data privacy laws, this law gives Chinese citizens greater control over their personal information. They have the right to access it anytime, request corrections, and even permanently delete their data. China’s PIPL became effective on November 1, 2021.

Below are some other requirements of the PIPL:

• Obtain consent from individuals before collecting their personal information.
• Use personal information only for the purposes for which it was collected.
• Take steps to protect the security of personal information.
• Provide individuals with access to their personal information and the right to correct or delete it.
• Notify individuals of any data breaches.

Chinese residents who notice that their personal data has been mishandled are empowered by the PIPL to file reports with relevant authorities. Penalties for mishandling personal data can be as high as $7.5 million, or 5% of the annual revenue of the violating company (depending on which amount is higher).

The Cybersecurity Law (CSL)

Enacted in 2017, the Cybersecurity Law (CSL) focuses on safeguarding China’s online space and cloud services in China. It establishes guidelines for all Network Operators and Critical Information Infrastructure (CII) operators, whether foreign or Chinese.

Under the CSL, Network operators and CII operators must implement security protocols like security measures and assessments and promptly report cyber incidents to authorities. It empowers authorities to inspect and investigate network and CII operators to ensure compliance.

To bolster cybersecurity, the CSL mandates specific actions from network and CII operators, such as:

• Installing security protection measures.
• Conducting security assessments.
• Reporting cybersecurity incidents to the authorities.
• Cooperating with the authorities in cybersecurity investigations.

The penalties for violating the CSL can be as high as $150,000, or 1% of the company’s annual revenue, depending on the severity of the situation.

The Data Security Law (DSL)

It plays a significant role in safeguarding crucial data and data-related systems in China. The law sets forth stipulations for entities responsible for processing data. It applies to all data processors within China, regardless of whether the entity is Chinese or foreign.

The DSL requires data processors to take several measures to protect critical data, including classifying data, conducting security assessments, and reporting data security incidents. It also empowers authorities to inspect and investigate data processors. Other requirements of the DSL on data processors include the following:

• Classifying critical data and implementing appropriate security measures for each category of data.
• Conducting security assessments of critical data systems and facilities.
• Reporting data security incidents to the authorities.
• Cooperating with the authorities in data security investigations.

The penalties for violating the DSL could be as much as $1.5 million, or 1% of the company’s annual revenue, depending on the severity of the offense.

How does PIPL affect companies operating in China?

Data residency for tech companies and other types of companies is key if you wish to operate in China. Here are a few ways China’s PIPL affects tech companies that you need to be aware of:

• Consent for collecting & processing data.

In contrast to the GDPR, it is necessary to obtain the consent of individuals before collecting, processing, or storing their personal data under the PIPL. Although the GDPR allows for implied consent in certain situations, the PIPL mandates direct consent.

• Gives individuals significant control over their personal data.

The PIPL also gives significant authority to individuals regarding their personal data. It gives individuals the authority to access, correct, delete, and even port their personal data from one processor to another. They can also object to the processing of their personal data, and the data processor must respect their wishes.

• More stringent Securities Measures.

As a tech company, you should also be aware that the PIPL requires processing companies to take more strategic and stringent measures to improve the data of their clients. It recommends measures such as encryption, pseudonymization, and data minimalization to achieve this.

• Cross-border transfer.

It places some restrictions on the transfer of personal data outside China. To do this, you must obtain express permission from individuals or receive some other approval. You should pay special attention to this as a tech firm in China.

• Empowers Authority to do the job.

Finally, the PIPL empowers all relevant authorities to do the job of data protection in China. This makes the law even more effective, as the authorities can now enforce compliance.

What tech data needs to be protected?

Although data residency requirements differ by country, there are important tech data that need to be protected. Here is a list of them:

• Personal Information/Data

This includes details such as name, address, phone number, email address, social security number, and biometric data. It is regarded as personal information or data because they are linked to one person and can be used to trace a person.

• Financial Information/Data

It includes details such as bank account numbers, credit card numbers, and investment account numbers. These data should be properly safeguarded to prevent financial fraud attacks.

• Medical information

This includes information such as medical records, test results, and prescription information.

• Confidential business information: They include information such as trade secrets, product plans, customer lists, etc.
• Intellectual property: This includes patents, trademarks, and copyrights.

China’s cross-border data rules

China’s cross-border data rules can be found in her data protection laws such as the PIPL, Cybersecurity Law, and Data Security Law. These Laws were discussed in detail above. However, in this section, we will highlight some requirements stated in the PIPL, CSL, DSL, and CAC regarding cross-border personal data transfer:

• Before sending personal information outside China, the data sender must get the person’s clear and free agreement. This agreement should be specific and well-informed.
• The sender must ensure the personal data stays safe while being moved. They must use the right safety steps that match the possible risks.
• The data receiver should be in a place with strong data protection laws. These laws must guard people’s privacy and be enforceable.
• If the sender hires others to deal with the data, these others must also follow the rules mentioned.
• Before sending personal data out of China, the sender should do a special check to see how it might affect data security. This check must find and assess any risks to the data.
• If the transfer involves data from more than 1,000,000 people in China or important data, the sender must first get permission from the CAC.

What are the penalties for sending data overseas?

It is important to note that while the various Chinese data protection laws recommend several types of punishment for personal data violations, the penalty an organization may face for data violations will be determined by the nature of the violation, how serious it is, if the person is a repeat offender, etc. Here are some of the penalties a company that has violated the data protection laws can expect to face:

• Fines: For PIPL, the fine could be as high as $7.5 million or 5% of the organization’s annual revenue. For CSL, it could be as high as $150,000 or 1% of the company’s annual revenue. Finally, for DSL, it could be as high as $1.5 million, or 1% of the company’s annual revenue.
• Suspension of business activities: The authorities may also decide to completely suspend the business operations of a tech company, depending on the nature of their offense.
• Revoking business license: If a tech company is found guilty of violating personal data, they may face the consequence of having their business license revoked. This outcome would result in the natural end of the business.
• Imprisonment: For major cross-border data transfer issues, an offender may be imprisoned depending on the seriousness of the offense committed.

Follow Chinese regulations with InCountry

Managing a tech company and keeping up with constantly changing data protection laws can be overwhelming. The demands of running a tech business are already time-consuming for a CEO. Fortunately, InCountry is here to assist you in maintaining compliance with personal data regulations, allowing you to concentrate on growing your business.

With our Data Residency-as-a-Service, we can help your organization store, process, and share regulated data internationally while staying compliant with local data residency laws for tech businesses. This managed platform seamlessly integrates with existing systems in your organization, sparing you the need to create and oversee new infrastructure. Other benefits you enjoy by using our platform include:

• It aligns with multiple data residency laws like GDPR, CCPA, PIPL, etc.
• It ensures data protection via encryption, access control, and physical security.
• It delivers high performance and availability, even for extensive data.
• It is easily scalable to accommodate the increasing needs of your organization.
• It offers a budget-friendly option for meeting data residency needs.

Contact us today and let’s discuss your needs to show how much value we can contribute to your company.