IMPACT ANALYSIS: China strengthens data localisation requirements with new privacy laws

The implementation of new standards on the protection of personal information in China will further strengthen data localisation requirements in a jurisdiction that already has one of the strictest regimes in place for cross-border data transfers.

Recent supervisory efforts by Chinese regulators have mostly targeted China-based technology companies that are listed overseas, but all commercial entities in China that transfer data overseas will be subject to these new heightened standards. Businesses will likely have to implement additional data management processes and potentially restructure to bring their operations into compliance.

Data security compliance scrutinised

The introduction of the Data Security Law (DSL), which took effect on September 1, 2021, and the Personal Information Protection Law (PIPL), which will come into full effect on November 1, 2021, has cast a spotlight on how U.S.-listed Chinese companies handle personal information. Cross-border data transfers and the disclosure of personal information to foreign government agencies, which are both subject to regulatory requirements under the DSL and the PIPL, have emerged as hot-button issues with Chinese regulators.

The Cyberspace Administration of China (CAC) has launched investigations into data security issues at several U.S.-listed Chinese companies. Last month, the CAC commenced an investigation into ride-hailing app Didi Chuxing, days after the company completed an initial public offering in New York. The investigation will be completed some time next month. The CAC is also conducting data security reviews of apps operated by Full Truck Alliance Co and Kanzhun Ltd, which are also U.S.-listed Chinese companies that handle substantial amounts of personal information in China.

Chinese regulators have not disclosed specific details about the scope of the investigations, but they are likely to pay close attention to whether cross-border data transfers comply with Chinese laws and the kind of data that is disclosed to U.S. securities regulators as a part of continuing disclosure obligations required by U.S. securities laws.

The implementation of the DSL and the PIPL places yet more emphasis on data localisation requirements in China, which are already among the most restrictive in the world. The Cybersecurity Law imposes various approval processes and regulatory restrictions on overseas transfers of personal information, and organisations must also comply with sector-specific regulations. The CAC has also issued a number of draft measures in recent years requiring network operators, which would include most businesses that handle data, to submit to screening processes prior to transferring data outside China.

The PIPL, once fully implemented, will extend data localisation requirements to most commercial entities in China. Organisations subject to the PIPL will only be permitted to transfer data outside China via three approved methods: passing security assessments by the CAC; obtaining an internationally accredited certification for personal information protection; and entering into contracts with overseas recipients. Businesses must also obtain consent from data subjects for cross-border data transfers.

China-based companies will likely have to implement detailed compliance measures and potentially restructure to bring their operations into full compliance.

Companies move to comply

Some multinationals are taking steps to ensure they can evidence their compliance with relevant data security requirements. Canadian doughnut chain Tim Hortons is in the process of setting up a separate entity in China that would hold personal information and provide services to its China-based franchise, THIL. Tim Hortons is seeking to list THIL in New York via a special purpose acquisition company (SPAC).

Amid scrutiny by Chinese regulators of personal data protection compliance at U.S.-listed Chinese companies, THIL’s listing process and its steps to comply with relevant Chinese privacy laws are likely to be watched very closely by regulators and investors alike.

Reuters recently reported that Didi Chuxing is in talks with Westone Information Industry Inc, a Chinese state-owned information security firm, to handle its data management activities, as a part of efforts to bring the company’s operations into compliance with Chinese privacy laws. Plans under consideration include arrangements that would give Westone access to personal information held by Didi and allow it to use its encryption algorithms to prevent potential data breaches. It is unclear whether Westone would have additional influence over data governance decision-making at Didi. The ride-hailing company has reportedly submitted multiple proposals to Chinese regulators in recent weeks detailing data security compliance plans.


The CAC is becoming very proactive about monitoring compliance with Chinese laws on data privacy. Recent investigations launched by the regulator suggest that it will focus heavily on monitoring cross-border data transfers. Investigations have thus far seemed to target U.S.-listed Chinese technology companies, but all multinationals that transfer data abroad should ensure they have brought their operations into compliance with the DSL, the PIPL and other applicable sector-specific requirements.

Multinationals may also need to consider the potential impact that data localisation could have on their broader data governance frameworks. Outsourcing data management to third parties could present issues pertaining to compliance with data privacy laws in other jurisdictions or hinder an organisation’s ability to implement enterprise-wide governance policies.
