The Debate

Why China’s Data Regulations Are a Compliance Nightmare for Companies

Legal ambiguities leave companies guessing where they must follow the laws and when they can just risk it.

By Daniel Rechtschaffen for
Credit: Illustration by Catherine Putz

Data is becoming the world’s most valuable resource. Since the beginning of this century, tech behemoths that run on data have overtaken traditional industries, shooting like meteors to claim the top spots of the world’s largest companies by market capitalization. And the far-reaching impacts of data are set to expand as governments worldwide begin prioritizing emerging technologies like AI, financial technology, and new energy vehicles. Data represents both the present and the future, and its significance to governments, companies, and individuals has given rise to wide-scale debate over how to manage the critical space it occupies.

The American Chamber of Commerce (AmCham) in Shanghai recently released a report on how China’s personal data regulations affect foreign firms. The country’s data privacy regulatory framework falls mainly under the 2017 Cybersecurity Law and its associated standards and guidelines, as well as a litany of earlier sector-specific regulations, such as the Commercial Banking Law. AmCham Shanghai found that while companies understand the need for data laws, many elements of the legislative framework do little to protect data and instead obstruct the flow of business operations.

Chief among their concerns are vagueness and ambiguities in the laws themselves. The Personal Information Security Specification, which became a centerpiece of the data framework after it took effect in May 2018, is a standard that offers guidelines on how companies may collect and process personal information. Yet while China’s standards-setting authority classifies the Specification only as “recommended” rather than mandatory, many companies said that regulators have indicated it must be followed as if it were law.

Many companies also complained of sector-specific ambiguities, as in healthcare, where the laws are unclear about which parts of patient medical data must be anonymized. Someone with a rare illness can easily be identified from their medical records even if their name and ID number are redacted, but completely anonymizing this data makes it useless for healthcare R&D purposes.

These ambiguities create compliance nightmares for companies, which find themselves guessing where they must follow the laws and when they can just risk it. One food and beverage company said: “If we can comply with the recommendation without much cost, we will take it as a new standard. But if we have to pay a lot for it, we will wait and see.” Other requirements, such as data localization and overpriced annual security assessments, do little to make data more secure and instead impose onerous, expensive, and unnecessary burdens on companies.


Many of these problems are a result of how China institutes new laws. Unlike the EU, which has its own comprehensive data framework, China often leaves legislation deliberately incomplete at promulgation, with the intention of filling in the holes later. Sympathetic voices argue that this gives lawmakers flexibility to adapt laws as their effects become apparent, but in practice it causes a major headache for businesses, especially multinationals, which need legal clarity to mitigate risk and build compliance processes. It also sometimes results in inconsistencies between the national laws and their local implementation guidelines, which are typically published months, and sometimes even years, later.

China is by no means the only country struggling to regulate data. Two years ago, the EU instituted its sweeping General Data Protection Regulation (GDPR), which created a comprehensive data regulatory framework for firms operating in the EU. Thailand, Brazil, New Zealand, Japan, and India have all passed their own data protection laws in recent years, as did the U.S. state of California. Some are stricter than others, but for the most part the laws are clear and transparent. Companies are flexible: they can adapt to new regulatory environments, but legal clarity is a must.

Ambiguities in China’s data framework are readily fixable, and fixing them is very much in Beijing’s interest, since most of them affect foreign and local firms alike. As the EU did with the GDPR, Beijing should offer more channels for company input during legislative drafting. Striking the balance in a regulatory framework that both protects data and allows for its commercialization is critical, and it is important that Beijing gets it right from the beginning.

Daniel Rechtschaffen is a government relations manager at the American Chamber of Commerce in Shanghai.