By March 2023, all businesses will need the Chinese government’s approval for certain data transfers, which they can only get after undergoing a mandatory security assessment — even if their organization doesn’t have a Chinese presence. Nearly every multinational company that sells goods or services to Chinese customers stands to be affected.
The Cyberspace Administration of China (CAC) says it will conduct security assessments on all enterprises currently processing, handling or transferring Chinese personal information outside the country — known as “cross-border data transfers” (CBDT) under the Personal Information Protection Law (PIPL).
Companies wanting CAC approval to continue these transfers should make their requests as soon as possible to meet the March 1 deadline. Otherwise, they may have to halt the transfers or face potentially stiff penalties.
The ramifications may be more widespread than it might appear at first blush.
As an example, let’s consider a retailer that has no Chinese presence but can be accessed online by Chinese shoppers. Like with any other customer, when a Chinese customer makes a purchase, the retailer collects the personal and financial information it needs to complete the transaction and fulfill the order.
If this retailer handles or processes the data of more than 100,000 customers in China per year, the CBDT will now require it to localize its handling of these transactions. The retailer will need to use a Chinese website host, a Chinese data processor and Chinese customer support personnel, among other changes.
These are changes that stand to affect global business on a massive scale — and very soon. The government has already stepped up PIPL enforcement with significant penalties for companies found in violation.
Many multinational organizations are scrambling to comply within the short time frames. Those that until now have taken a wait-and-see approach to PIPL readiness may soon find themselves pondering changes in their China business model.
The CBDT regulation requires government approval for transfers of high-volume or sensitive Chinese personal information (PI) outside the country. The government has been regulating the use of Chinese PI for quite some time, so the CBDT represents an upward tick rather than a sea change.
For organizations deemed Critical Information Infrastructure Operators (CIIO), personal information isn’t the only kind of data at issue. These organizations will need CAC approval to transfer any data deemed “important,” PI or not.
Many multinationals wanting to avoid an interruption in their China business are preparing to submit their CBDT application this fall. Early submission may provide time to resolve any security issues the CAC assessment might find and gain approval before March 1, 2023.
Even so, meeting the CBDT deadlines will be difficult for most multinationals doing business in China. Your most effective course of action may be to lay plans as we describe here and begin taking steps to help reduce or localize your Chinese data processing.
Most large companies have begun exploring new ways to process Chinese data.
Doing so has ramifications beyond storing and processing Chinese data in China. It also entails using Chinese cloud environments, which will require licenses — and many procedures — to set up.
Many are working to localize their customer relationship management systems that handle customer data, for example.
For human resource information systems that process employee and associate data, they’re focusing on obtaining data owner consent, controlling or reducing the amount of data they collect and store, and backing up data within the country’s borders.
We are not yet seeing peer companies moving to localize research and development applications or ERP platforms.
We expect more guidance from China by year’s end regarding localization. Ideally, companies can prepare to localize but wait to act until more details are announced. Companies can also begin mapping their data and taking inventory of their systems to prepare for their CBDT security assessment.
Localization and a CAC assessment will be a must for:
The PIPL defines PI as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information processed anonymously.” That means you may not need CBDT approval to process anonymized data.
“Sensitive” PI, under the PIPL, refers to
Personal information of people under age 14 also qualifies as “sensitive.”
Sending information from inside China to somewhere outside the country is only one type of data transfer that qualifies as cross border. The term also applies to remote access from outside China to systems hosted in China.
If your US-based retail store collects data from customers who live in China, wherever in the world they transact or buy, that’s cross-border. If your employees remotely process data that’s stored in China, that counts as well.
Even if your company has no presence in China, you’ll still need to get the Chinese government’s approval for these transfers or find a way to localize. Recent guidance from China states that even Chinese PI sent from a company located outside of China to another company in the same corporation or group also outside China is subject to CBDT regulations.
CIIOs must process not only PI but also “important” Chinese data within the country’s borders, and may not transfer it to any other country. “Important” data, under the law, is that which, if breached or leaked, could potentially cause harm to China’s national or economic interests.
China’s Cyber Security Law defines CIIOs as organizations involved in:
This last category may well include financial services and certain technology companies.
Many questions have yet to be answered. For instance, what about banks that use enterprise resource planning (ERP) technologies to process non-personal data? If banks are deemed CIIOs, does all their data, including non-personal ERP data, count as “important”?
Should China require banks publicly trading in the United States to localize all their ERP data, these organizations would need to implement Sarbanes-Oxley (SOX) controls in China and have their finance executives sign off on those controls. That’s a lot of work. What’s more, they’ll need to find a China-based ERP solution or service.
We should know more in the coming months as companies submit their data-transfer plans for the Chinese government’s approval and as the government issues findings and perhaps more regulations and clarifications.
With all these changes, it’s no surprise that some companies are rethinking their approach to the largest consumer market in the world.
Executive leadership teams are asking strategic questions in light of the PIPL developments.
China is already cracking down on cyber and privacy law offenders, starting with its own companies.
Recently, the CAC imposed on a China-based company the largest such fine outside the US, amounting to nearly 5% of the company's revenue. It found the company to be in violation of three major Chinese cybersecurity and privacy laws, saying the company had mishandled personal information.
That fine comes on the heels of three years of escalating enforcement of the Cyber Security Law. Chinese regulators have conducted several sweeps of mobile-app stores and websites, covering more than a million mobile apps and hundreds of sites. Regulators have also contacted hundreds of companies — including large, widely known US brands — requesting evidence of their CSL compliance.
Fines and penalties are not the only enforcement risk for companies falling short of their CSL or PIPL obligations. Companies could lose points in their social credit score, which they would need to report in their CBDT filings. The government could seize their computer equipment, block digital access to their services and, in the worst cases, arrest their company officers.
With a thoughtful, planned-out approach to PIPL and CBDT, your organization can be better prepared to meet the government’s demands and continue business with Chinese customers uninterrupted.
Having said that, we recommend building an overall plan first for compliance with the Cyber Security Law, Data Security Law and Personal Information Protection Law. Then proceed with your CBDT, CSL and DSL assessments as well as plans, designs and options for localization.
This is a lot to address before the March 1 compliance deadline. Steps we suggest include:
Know your data thoroughly. Which comes from China? Do you need it to do business? Try to reduce or anonymize your data transfers as much as possible to help reduce your likelihood of being tagged for inspection.
If you think you’ll likely need to localize your Chinese data processing and/or handling, establish a risk-based, accelerated plan.
Prioritize getting approval for your existing data transfers. Prepare to submit your requests by November.
Devise a backup plan in the event that your data transfer requests are refused. Add these transfers to your localization list.
Consider your company’s willingness and ability to take the risks of being out of compliance come March 1. How much risk can you tolerate? The answer may tell you what you need to do next.