China technology and data regulations: A changing environment for international firms
As China’s economy rapidly develops and technology becomes an ever more important part of it, China’s policymakers have grown concerned about cyber security risks and have built a regulatory framework to mitigate them. The foundation of this framework is the Cyber Security Law, in force since June 2017.
As this regulatory framework continues to develop and mature, new requirements for cyber security, information security and, in some cases, specific requirements for products sold in China, are being introduced. As these regulations are intended to help China manage strategic technology risks, they are a priority for China’s policymakers.
The regulations are transforming the way companies (both Chinese and international) use technology and handle information. Companies not only need to implement controls around technology and information, they also need to develop governance and compliance functions to ensure controls meet the new requirements.
The framework has reached a stage where international companies operating in China now need to adjust and adapt work processes to manage their compliance commitments. This affects virtually all industries and sectors, but there are specific considerations that manufacturers should be aware of. Compliance requirements are not limited to just operations and information — they may also extend into technology-related products and services that manufacturers provide to Chinese customers.
Understanding what these regulations are and adapting to their requirements will be central to the long-term success of firms in China, and for those selling technology into the China market.
Regulating technology in operations
As China looks to manage its cyber security risks, it has expanded and formalised an earlier regulation, the Multi-Level Protection Scheme (MLPS). The current version, MLPS 2.0, took effect in December 2019. It calls for all network operators (any organisation operating a network of computers) to perform a self-assessment of their systems against cyber security risks. Depending on the output of that self-assessment, each system is classified from level 1 to level 5, with each level carrying increasingly detailed and prescriptive control requirements. Systems at level 2 and above require an independent assessment by a licensed testing firm. The result is filed with and reviewed by the public security authorities (the police), who issue a filing certificate once the assessment is accepted.
China, much like other countries, is aware of and concerned about the cyber security risks to operational technology (OT) systems. To address this, MLPS 2.0 includes a dedicated subset of control requirements for industrial control systems. For manufacturing processes that involve hazardous materials, or where an incident could have a broad impact, a higher MLPS level (and therefore stricter requirements) is likely.
Impact on operations: Compliance program development
Most manufacturing firms have not previously been subject to technology regulation of this kind, so developing a compliance program specific to China is challenging. Furthermore, the regulations are new, and there is little guidance on how to evaluate risk and classify systems.
Manufacturing firms are quickly learning that MLPS compliance in China is a broad-based effort. It requires active participation not only from technology services teams, but also from legal, manufacturing and management teams. Moreover, the work is not restricted to the China-based offices: support from global and regional functions is needed to establish compliance and maintain it moving forward. Manufacturing firms in China should plan (and budget) for these growing compliance requirements, despite the current vague risk standards. These regulations are only expected to mature and expand over time. Establishing appropriate roles and responsibilities to comply with them is a necessity.
Regulating important information
With MLPS 2.0 in effect since 2019, China followed in 2021 with a new law focused on regulating information itself. The Data Security Law (DSL), in force since September 2021, introduces broad requirements for handling information and, under some circumstances, sets conditions on how regulated information may be transferred outside China. The intent of the DSL is to manage risks to China that may arise from the misuse of information in ways that would affect national security or social stability.
The DSL defines three classes of information and sets specific requirements for two of them: “important” and “core” data. Unfortunately, there is little guidance on what counts as “important” or “core”. Generally, information relating to central concerns of national security or social stability, and large volumes of personal data, are expected to fall into the “important” category. Specific guidance is only expected once local and sectoral regulators release catalogues with more precise definitions.
This ambiguity, together with the possibility that data about manufacturing or market conditions in China will be classified as important, could create a compliance problem for manufacturing firms. The objective is to comply with the regulations, but developing internal guidelines is difficult without a clear definition. In some cases, companies may not be fully aware of the information they acquire, generate and process in China. This lack of insight into internal information processing increases regulatory risk.
The Data Security Law: Impact on handling and processing information
The extent to which the DSL could drive change in how manufacturing firms handle information remains unclear. But even as the ‘what’ of DSL-regulated information is vague, companies can — and should — start with the ‘how’ of compliance.
Compliance with information regulation requires a clear understanding of the information a company acquires, generates and/or processes in China. Information that touches on certain strategic industries or may have a national security and/or social stability impact is the most likely to be classified as important. As clear guidance remains unavailable and regulatory oversight remains in flux, manufacturing firms in those sectors need to focus on developing strong governance over information.
No matter the scope of the regulatory definition of important data (or core data), manufacturing firms will need to be able to demonstrate either that it isn’t acquired/processed or that any acquisition/processing of it is done in a secure manner. Either approach requires a governance program based on effective data classification, a comprehensive understanding of what information the company has, and an ability to match regulatory requirements for information to functional controls.
Regulating Personal Information
The Personal Information Protection Law (PIPL) is more straightforward in that it creates a broad framework governing how personal information (and sensitive personal information) should be acquired, processed and transferred. It is not dissimilar from regulations and standards such as the European Union’s General Data Protection Regulation (GDPR) or Singapore’s Personal Data Protection Act (PDPA). However, China does have more requirements for explicit consent from the individual (or data subject) on the use and transfer of their personal information.
The PIPL is broad and comprehensive and requires strong oversight of personal information. Many global firms already comply with similar regulations in other countries, but that compliance does not satisfy the PIPL; its requirements must be met separately in China. That starts with China-specific policies governing the information, processes and procedures for risk management, and the security controls applied to this information.
In some cases, once volumes reach the hundreds of thousands of records, personal information may itself be treated as important data under the DSL. As China considers personal information a national security concern, the acquisition and transfer of large volumes of it will be subject to close regulatory oversight. The most important consideration is therefore the volume of the Chinese public’s personal information a company acquires.
Managing Personal Data in China
At the very first stage, all firms will need to update guidelines concerning the handling of personal information. That will include reviewing and updating consent for acquiring and processing personal data and establishing appropriate governance.
If personal information acquired in China is transferred overseas, organisations should expect a complex registration and approval process. The rules are still under development, but a recent draft from the Cyberspace Administration of China sets the threshold for a mandatory security assessment at the personal information of 100,000 individuals (or the sensitive personal information of 10,000 individuals) transferred overseas. This is a critical concern for some organisations, and understanding and following the requirements will be an essential function for affected manufacturing firms.
Regulating Products and Services
For manufacturing firms selling into the China market, the new regulatory framework introduces requirements for the use of security technology. Critical infrastructure in China, roughly defined as services and operations vital to society (telecoms, power, water, finance, etc.), must now ensure that the technology it uses does not create cyber security risks.
The Security Protection Regulations on Critical Information Infrastructure (CII), in force since September 2021, introduce cyber security risk assessments and reviews for the use of foreign technology. They build on the foundational requirements of the 2017 Cyber Security Law and will present challenges to manufacturing firms with customers in China’s CII sectors.
A further complication is the Regulations on the Management of Network Product Security Vulnerabilities, also in force since September 2021. They require manufacturers and vendors of network products to report vulnerabilities in their products to the Ministry of Industry and Information Technology (MIIT) within two days of discovery. Complying with this requirement means relevant manufacturing firms will need to review their internal product vulnerability management and triage processes and build a formal reporting path to the regulator.
Impact on Sales
International manufacturing firms whose products have security functions, or are used in sensitive CII sectors, should expect increased scrutiny of both their products and their operations. This may affect customers’ procurement processes, as those customers must demonstrate adherence to the cyber security requirements that apply to them.
Manufacturers should be aware that the criteria for evaluating their products in China are changing. Regulated and sensitive sectors will increasingly push vendors to explain how products can be deployed and used securely. It’s no longer sufficient to compete on quality: companies selling products in certain sectors in China must also compete around security.
As China views cyber security as another facet of national security, firms should be aware that these regulations are important and will be enforced. Companies operating in China or selling their products there need to adapt to these requirements or risk regulatory sanctions and losing market opportunities.
This article was originally published in the German Chamber Ticker, the magazine of the German Chamber of Commerce in China, Issue Winter 2021.