To print this article, all you need is to be registered or login on Mondaq.com.
The US congressional hearing of the TikTok CEO this March has
further divided opinion on data privacy and China. But what about
personal data privacy in China? What do foreign companies need to
know about data privacy when dealing with China?
Did you know that most multinationals in China have to file for
a security assessment or take equivalent actions as required by the
Cyberspace Administration of China (CAC) when
transferring personal data to outside of China, and that this
policy can be enforced since 1 March 2023, if not applied?
Which laws in China are about data
The Data Security Law, Cyber Security Law and the Personal
Information Protection Law forms a comprehensive legal framework in
the field of data security, that will protect data and tries to
solve data leakage.
Personal information and the security assessment by CAC
The Personal Information Protection Law demands that if personal
information is transferred out of China, that the processors obtain
separate consent from data subjects, that there is a personal
information protection impact assessment and that there is one of
the following three requirements fulfilled:
– a successful CAC security assessment issued;
– certification from CAC approved institution;
– data transfer agreement with the recipient conform the
template by CAC.
The Measures of September 1, 2022, made the security assessment
requirement applicable to any company that wants to transfer
‘important data’ outside of China. Due to broad
classification, most multinational companies would fall under this.
Hence the Measures gave a six-month grace period to comply, which
ended on 1 March 2023.
Revocation of business license and other heavy fines
For the Personal Information Protection Law companies could be
fined up to 50 million RMB, but also even harsher penalties as
suspending business, revoking business license, or even pursuing
criminal responsibility could apply.
Who has applied for security assessment by CAC
At the current date, not many foreign companies have filed for
data security assessments with the Beijing CAC.
Companies need to know how to protect whose data where
For companies it is key to know how data needs to be protected
in accordance with China’s laws. As there is a realistic chance
that TikTok will get into further scrutiny in the USA, it would not
be surprising if China will enforce its various Data Laws to punish
companies that are not compliant.
As revocation of business license is one of the potential
measures that can be applied, businesses could lose their right to
operate on the Chinese market. Being compliant is now more than
important than ever before, especially since the six-month grace
period regarding the Measures of the Personal Information
Protection Law is over. We can expect many companies to be getting
into trouble very soon.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from China
