US firms say China’s ‘ambiguous’ data laws are creating a ‘uniquely restrictive’ environment
- ‘Complex’, unclear regulations have made compliance difficult and created policy uncertainties for US firms in China, says the US-China Business Council
- New laws and regulations are forcing companies – both foreign and domestic – to keep data related to local customers and operations inside the country
China’s data and cybersecurity regime is creating a “uniquely restrictive” business environment and American companies face higher operating costs due to its complexity, a US business lobby said in a report on Thursday.
Beijing passed two laws in September last year – the Data Security Law (DSL) and Personal Information Protection Law (PIPL) – that restrict cross-border data flows and enforce localisation.
The regulations, which build on the groundwork laid by the Cybersecurity Law of 2017, have wide-ranging implications for how companies operate in China.
Though Beijing said they are needed to protect personal data and strengthen national security, the “ambiguous” regulations have made compliance difficult and created policy uncertainties for US firms, the US-China Business Council said in a report based on interviews with 30 American companies.
“American companies want and need to leverage their global strength in China, but they worry that the costs, complexity, and nature of China’s data and privacy frameworks increasingly will limit their ability to do so,” said Matthew Margulies, senior vice-president at the council.
The new rules, which vary across regions and industries, are putting pressure on businesses, including hotels, which face additional scrutiny from regulators about their data practices due to the volume of personal information processed.
“As a result, virtually all large hotels will be subject to personal information volume thresholds, which impose obligations equivalent to important data requirements,” the report said. “These obligations include investing in costly hardware across hotels, undertaking new auditing practices, and hiring additional data governance personnel.”
Like the Cybersecurity Law, the DSL requires companies to take measures to protect “important data”, but it also adds a requirement to protect “core data”. That data refers to information involving national and economic security, people’s welfare or an important public interest.
Within the automotive sector, the broad scope of “important data” makes compliance hard for companies because it covers information collected throughout the auto sector’s physical supply chain, including audiovisual data, auto-charging station data, data on the flow of people as well as traffic and map data, the report said.
The business lobby said China’s cybersecurity framework does not align with other international equivalents, such as the European Union’s General Data Protection Regulation, which many American firms are familiar and compliant with.
In the finance sector, restrictions set by the People’s Bank of China in 2011 and 2019 on the cross-border transfer of customer identification and transaction information obtained when conducting due diligence related to anti-money-laundering and counterterrorism financing are creating “ongoing challenges for international financial institutions using a global operating model”, the report said.
Current regulations also require companies to get government-authorised security reviews and user consent before transferring data, which is not a common practice outside China, the council said.
A leading medical device manufacturer decided to stop developing a remote programme to manage its products in China, according to an example quoted in the report, as the “likelihood” of disruption to crucial cross-border data flows made offering the product “too complex, costly and potentially unprofitable”.
Another key concern of companies was data localisation, which requires information collected in China to be stored there, the report said. Localisation disrupts big companies’ global networks.
A US-China Business Council survey last year highlighted member concerns that companies with globalised systems could face delays or restrictions due to cross-border data transfer requirements when updating operating systems or directly interfacing with customers.
Author: Kandy Wong, SCMP