Skip to main content

Why China’s New Data Security Law Is a Warning for the Future of Data Governance

Stricter data privacy guidelines present new challenges for businesses operating in the world’s second largest economy.

Pedestrians walk past a stock market display board showing the Chinese state-owned commercial banking company Bank of China in Hong Kong on Sept. 24, 2020.

Pedestrians walk past a stock market display board showing the Chinese state-owned commercial banking company Bank of China in Hong Kong on Sept. 24, 2020." BUDRUL CHUKRUT/LIGHTROCKET VIA GETTY IMAGES

China’s two newest data security laws—the “Data Security Law” (DSL) and the “Personal Information Protection Law” (PIPL)—came into effect at the end of 2021. Building on the 2017 Cybersecurity Law, they include new guidelines for handling data, updated enforcement measures, and additional restrictions on the transfer of data outside of China. Notably, the DSL broadly expands the extraterritorial reach of China’s existing data rules, creating a critical new set of guidelines for companies doing business with Chinese citizens—both within and outside the country’s borders—to navigate.

These new restrictions paint a complicated picture for the future of data governance, continuing a trend toward more complex regulatory regimes, competing legal frameworks, and increased restrictions on international data flows. Governments continual adoption of similar measures will increasingly disrupt an era of relatively restriction-free cross-border data flows that has been critical to the growth and expansion of many international businesses. The key points and implications from each law are broken down below.

This report is a preview of research exclusively available for FP Insiders. Complete this brief form to continue reading.
By submitting this form, you agree to receive communications from Foreign Policy.

Thank you for your interest.

Please enjoy the full article below. The Data Governance Power Map is an exclusive benefit of the FP Insider subscription. For full access to power maps, special reports, and more, subscribe now. For full access to power maps, special reports, and more, upgrade now*.

*To upgrade your current subscription to Insider, please visit the My Account page, click the Subscription tab and click 'Upgrade'.

China’s two newest data security laws—the “Data Security Law” (DSL) and the “Personal Information Protection Law” (PIPL)—came into effect at the end of 2021. Building on the 2017 Cybersecurity Law, they include new guidelines for handling data, updated enforcement measures, and additional restrictions on the transfer of data outside of China. Notably, the DSL broadly expands the extraterritorial reach of China’s existing data rules, creating a critical new set of guidelines for companies doing business with Chinese citizens—both within and outside the country’s borders—to navigate.

These new restrictions paint a complicated picture for the future of data governance, continuing a trend toward more complex regulatory regimes, competing legal frameworks, and increased restrictions on international data flows. Governments continual adoption of similar measures will increasingly disrupt an era of relatively restriction-free cross-border data flows that has been critical to the growth and expansion of many international businesses. The key points and implications from each law are broken down below.

The Data Security Law

Passed on June 10, 2021, in effect since September 1, 2021

What’s New: New data classification categories aimed at protecting national security are loosely defined, leaving interpretation up to Chinese authorities.

The DSL references two main categories of sensitive data—national core data and important data—with new guidelines for governing each.

  • “National core data” is defined as data concerning national security, economic interests, Chinese citizens’ welfare, or the public interest, and is categorized as the most sensitive data type.
  • “Important data” is categorized as the second most sensitive data type but is not clearly defined in the text. Instead, regulatory authorities at the local level are expected to issue additional guidelines as to what constitutes important data for their jurisdiction, but the timeline for issuing the guidelines has not yet been determined.

The new data categorization system poses two primary issues for companies operating in China. The first is the lack of definitional clarity. There are fines of up to RMB 10 million (~$1.56 million) per infraction for mishandling national core data, but compliance will be difficult given the vague definition. The same holds true for important data, where violations can include fines of up to RMB 5 million (~$780,000), but definitions are even less clearly defined. Until concrete examples of the law being applied are available, or clarifying definitions are issued, businesses will be left with unclear information to make strategic adjustments in the interim. Second, allowing local regulatory bodies to determine what constitutes important data creates another layer of compliance requirements. It will also make operating across jurisdictions more complex if different definitions are adopted. Both international and domestic companies will now be forced to navigate existing national guidelines, alongside a yet-to-be-determined number of region- and industry-specific guidelines.

Old idea, new reach: The Data Security Law builds on the provisions of the Cybersecurity Law and expands China’s extraterritorial reach over new categories of data.

The DSL expands on previous data localization and data transfer rules and imposes harsher penalties for violations. Companies that handle these types of data (for example, those operating in fields related to physical or digital infrastructure or natural resource extraction) are responsible for ensuring that all data generated within China is stored within the country. A security assessment in accordance with the Cyberspace Administration of China’s guidelines is required before any China-originated data is transferred abroad.

Critically, all data handlers are prohibited from providing any data stored in China to foreign government agencies without approval from Chinese government authorities, regardless of the data’s sensitivity level and where the data was originally collected. This guideline is widely viewed as a direct counter-measure to the U.S.’s 2018 Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”). Under the CLOUD Act, U.S. law enforcement agencies are given the legal right to demand access to electronic data, no matter which country the data is stored in. China’s new legal requirements create the potential for international companies to be caught between conflicting demands from U.S. and Chinese authorities when it comes to access to sensitive data.

How it’s enforced: Fines and legal penalties for breaching the laws are significant, but initially enforceability is likely to be inconsistent.

Companies that provide national core data to foreign officials without approval from Chinese authorities are subject to fines as well as the potential forced shutdown of their businesses and potential criminal charges. For violations regarding important data, additional penalties may be added directly to the individuals involved as determined on a case-by-case basis by Chinese authorities. There are also penalties for companies that fail to cooperate with data requests from Chinese authorities on law enforcement or national security matters, but the extent of these penalties is not clearly defined. Instead, parties found to be in violation will be prosecuted in Chinese courts.

The Personal Information Protection Law

Passed on August 20, 2021, in effect since November 1, 2021

What it’s based on: Modeled after the EU’s General Data Protection Law (GDPR), the Personal Information Protection Law is China’s first comprehensive data protection law covering personal data.

The PIPL covers all data activities related to the personal information of Chinese citizens, whether it is originally collected within China or abroad. The law governs data collection from both public and private companies and includes provisions mandating that Chinese government agencies notify and obtain consent from individuals. However, the provisions related to Chinese government data collection do not apply in situations where it is necessary for “acting in the public interest.” In practice, this means that the law is unlikely to end the Chinese government’s extensive data collection practices ranging from collecting biometric data from facial recognition software to the myriad data points that make up citizens’ social credit scores.

Similar to the GDPR, the PIPL includes provisions granting the right to limit or refuse processing of personal information, the right to refuse automated decisions regarding personal data, and the requirement to obtain explicit consent before transferring personal data to third parties. It also includes more severe penalties for violation than the GDPR. Companies found in violation of the law face fines up to RMB 50 million (~$7.8 million) or 5 percent of revenue and risk suspension of their operations. Additionally, the legal ramifications may be reflected in companies social credit scores, which impacts their ability to access financing. Individuals can also be held liable for violations, with monetary fines up to RMB 1 million (~$157,000) as well as additional discipline determined by legal authorities.

Why it’s concerning: New deletion requirements on personal data and transparency rules could disrupt business models that rely on collecting and selling consumer data.

Under the PIPL, data handlers are now required to delete personal data after the stated purpose for collection has been completed. How this will be determined is left ambiguous, making it unclear whether this represents a legitimate data privacy benefit for individuals. Depending on when data needs to be deleted, and the stringency with which this provision is enforced, it could disrupt data economy companies that rely on storing, analyzing, and selling user data. Additional restrictions for safeguarding individuals’ data are determined based on the company’s categorization—whether it is a “major internet service platform,” has a “large number” of users, or engages in “complex business activities.” With these categories not clearly defined in the text, like many parts of the PIPL and DSL, they are likely to be interpreted at the discretion of Chinese authorities.

What this means: Transferring personal data outside of China is more difficult under the PIPL, and its adoption encourages other countries to enact similar personal data protection measures.

Transferring personal data within China or overseas now requires the data subjects’ informed consent. This is similar to a provision in the GDPR, which forced many businesses to add consent forms and update their data collection policies. For overseas transfer, companies are responsible for ensuring that the country that data is being sent to has data protection requirements at least as stringent as the PIPL. This requirement has been included in a variety of personal data protection laws globally, including in the GDPR, and EU authorities have enforced significant fines on companies that violate this provision. As more countries adopt similar provisions in their data protection laws, the pressure to pass comprehensive data protection laws globally mounts. The PIPL includes an additional restriction on companies that are deemed to be in possession of a “large volume” of personal data. For those companies, a mandatory security review by the Cyberspace Administration of China must be completed before transferring any data overseas.

The Big Picture and Implications for Businesses

The addition of new data classifications, legal jurisdictions, and data storage requirements imposes another layer of regulatory complexity for businesses operating in China.

China’s new data security laws increase the complexity of the data governance regulatory landscape. The size and significance of China’s economy, as well as the addition of both national- and regional-level guidelines, will potentially require major adjustments for data economy companies doing business in China.

China now joins the EU as a major economy with a comprehensive data governance framework, with India likely to be the next major economy to follow suit—its comprehensive Data Protection Bill is expected to be passed in the first half of 2022. As more countries pass data protection laws, effectively navigating the web of regulations will become a prerequisite for operating in the global digital economy.

For a full breakdown of the global data governance regulatory landscape, see FPA’s Global Data Governance Policy Database. And for a comprehensive breakdown of the key factors determining the future of international data governance, see FPA’s Global Data Governance Power Map.

Global Data Governance

FP Insider

Data governance has long been the domain of corporate and organizational strategy, lending a competitive advantage to those able to optimize their data collection, organization, transfer, and discovery practices. With the increasing digitalization of organizations and economies, data governance—and clear establishment of data collection standards, storage, transfer and use protocols—is becoming an increasingly pressing and global issue.

While intellectual property and proprietary data have long been governed through strict legal frameworks, relatively scant protections have existed for user data and personal information. This lax regulatory environment for consumer data in particular has enabled the rise and dominance of global tech companies from Facebook and Google to Baidu and Tencent and has spurred a wave of privacy-focused regulation around the world.

In FP Analytics’ Data Governance Power Map series, we examine the emerging laws, regulations, and technologies that are both enabling greater data collection and impacting cross-border data flows. FPA’s Power Maps catalog the data localization laws, comprehensive national data regulations, government data collection, and monitoring and surveillance technologies that are shaping the global data governance landscape and carrying wide-ranging impacts for individuals, companies, governments, multilaterals, and non-profits.

Notably, these emerging data regulations are fundamentally altering the way organizations of all types can operate internationally. Major data privacy frameworks developed by first movers are serving as templates for other national frameworks under development, many of which are being tweaked to suit prevailing governments’ domestic agendas. For example, the recent passage of the EU’s General Data Protection Regulation (GDPR) and China’s Cybersecurity Law—two of the most comprehensive packages of data privacy regulations—have already had cascading impacts on businesses and organizations in these markets and on all of their trading partners. In 2017, U.S. firms cited data localization policies as their number-one impediment to digital trade, and these types of protectionist measures are only growing. And that is just the beginning.

At the same time, many national governments are crafting exemptions to their data privacy laws, empowering them to expand monitoring capabilities and build up massive data collection infrastructure. Driven by economic and national security interests, governments are increasingly monitoring private citizens, requesting access to corporate data, and limiting encryption. This mass accumulation of data can have transformative impacts on societies, raising questions about what uses are, in fact, in the public interest.

FP Analytics’ Data Governance Power Map series breaks down key emerging trends in global data governance by:

  • Pinpointing emerging global data governance trends;
  • Cataloguing specific data localization and data privacy laws by country;
  • Mapping encryption policies around the world;
  • Charting the global sales of data collection and surveillance technology; and
  • Exploring the risks and implications for businesses and individuals.

FP Analytics provides the most comprehensive assessment and mapping of data localization and privacy laws to date, as well as one of the most complete assessments and mappings of government data collection and regulation trends around the world. It is a powerful tool for businesses and others seeking to understand how evolving global governance regimes are shaping our digital world.

FP Insider

Loading graphics

Welcome to a world of insight.

Explore the benefits of your FP subscription.

Stay updated on the topics you care about with email alerts. Sign up below.

Choose a few newsletters that interest you.

Here are some we think you might like.

  • Morning Brief thumbnail
  • Africa Brief thumbnail
  • Latin America Brief thumbnail
  • China Brief thumbnail
  • South Asia Brief thumbnail
  • Situation Report thumbnail

Analyze the world’s biggest events.

Join in-depth conversations and interact with foreign-policy experts with

BRUSSELS, BELGIUM - MARCH 29: US Deputy Treasury Secretary Wally Adeyemo and EU Commissioner in charge of financial services, financial stability and the Capital Markets Union, Mairead McGuinness (not seen) hold a joint news conference in Brussels, Belgium on March 29, 2022. (Photo by Dursun Aydemir/Anadolu Agency via Getty Images)
BRUSSELS, BELGIUM - MARCH 29: US Deputy Treasury Secretary Wally Adeyemo and EU Commissioner in charge of financial services, financial stability and the Capital Markets Union, Mairead McGuinness (not seen) hold a joint news conference in Brussels, Belgium on March 29, 2022. (Photo by Dursun Aydemir/Anadolu Agency via Getty Images)

Wally Adeyemo Confronts a Challenging Economic Moment

✓  

Registered

  |   Ask a Question Ask a Question   |   Add to Calendar
  1. Only FP subscribers can submit questions for FP Live interviews.

    ALREADY AN FP SUBSCRIBER?

  2. Only FP subscribers can submit questions for FP Live interviews.

    ALREADY AN FP SUBSCRIBER?

How is President Joe Biden’s White House staving off the current economic crisis? What has been the impact of U.S. sanctions on the Russian economy, and how can the United States do more t...Show more

Reporters-notebook-FPLive-site-3-2
Reporters-notebook-FPLive-site-3-2

With Russian President Vladimir Putin’s order of a partial mobilization of reservists to bolster his forces in Ukraine, Russia’s invasion has potentially entered an even more destructive...Show more

People wade across a flooded street after heavy rainfall in Karachi on July 25. ASIF HASSAN/AFP via Getty Images
People wade across a flooded street after heavy rainfall in Karachi on July 25. ASIF HASSAN/AFP via Getty Images

Pakistan has been plagued by economic crisis, political unrest, and now by catastrophic and deadly flooding.  At 34 years old, Bilawal Bhutto Zardari is the country’s youngest foreign min...Show more