On 15 March 2022 GRC World Forums launched PrivSec China, a one-day livestream experience exploring China’s privacy and security regime.
The event brought together China experts and senior professionals to discuss the new reality of doing business under China’s increasingly tough data protection and cybersecurity rules.
China has enacted several important pieces of legislation in recent years and Chinese authorities have issued plenty of regulations and guidance.
However, many difficult questions remain about the scope and applicability of China’s new legal framework. Speakers at PrivSec China provided some clarity and reassurance that—if followed carefully—the rules should not present a barrier to entry into the Chinese market.
Making Sense of the New Rules
PrivSec China began with an overview of China’s privacy and security framework, hosted by Carolyn Bigg, Partner at DLA Piper Hong Kong.
A key part of data protection compliance is understanding what types of data your company holds. And it’s important to remember the overriding purpose of China’s privacy and security laws.
“The mindset from the government is trying to create more value from the data, but the bottom line is national interest. The regulation on personal information is just a base for how to make the digital economy healthier,” said Bobby Hsu Piao-Hao, Senior Lead Specialist in Privacy & Data Protection Compliance at TPV Technology Group.
Another session looked in detail at China’s Personal Information Protection Law (PIPL), sometimes called “China’s GDPR.”
Scott Warren of the law firm Squire Patton Boggs pointed out that the PIPL and the GDPR share many concepts such as “data subject rights, access rights, and extraterritoriality.”
But despite these similarities, compliance with the GDPR does not equate to compliance with the PIPL.
“We realised there are some companies who are following GDPR in Europe and aren’t looking into China’s requirements,” said Mareike Seeßelberg, Manager at Chinabrand IP Consulting.
“This is something companies should do right now—understand what data they collect from China and what legal basis they have for it.”
International Data Transfers
One session looked specifically at new Chinese rules on international data transfers that have been causing some concern and confusion among data protection professionals.
China’s PIPL imposes some strict rules around how companies transfer data out of the country. But the idea that the law prevents companies from transferring any data was “misinformation,” said DLA Piper’s Carolyn Bigg.
“Most data from most organisations can leave China, provided certain compliance steps are taken,” Bigg said.
But certain types of data are more tightly controlled than others.
“For important data, you need to have a risk assessment, and localisation is a standard requirement,” said Dr Amigo L. Xie, Partner at K&L Gates. “To transfer important data outside China a security assessment is required.”
Could these strict requirements disincentivise international companies from operating in China? Not necessarily, said Michael Xu of AllBright Law Offices.
“I think China is willing to keep foreign businesses in China, but what they need them to do is business in a different way,” Xu said.
“It will cost time, money and energy to comply with those laws, but eventually when they have done adjustments they will do business just like in the past.”
The Geopolitical Dimension
When thinking long-term about your business strategy in the Chinese market, compliance with privacy and security law is hugely important. But there’s another vital consideration over which you have far less control: politics.
The final session at PrivSec China considered how geopolitical relations between China and the West could impact businesses.
“I think it’s useful to get the quantitative aspect of this and see how political business is becoming in China,” said Jacob Gunter, Senior Analyst at the Mercator Institute for China Studies.
“41% of European companies say business has become more political in the last year, and think that the sources of that politicisation come from the Chinese government and media.”
Recent events could cause further issues for Western companies’ Chinese operations.
“A lot has happened in the last few weeks,” said Stefan Dodov of BCC Global. “Sanctions in general will have an impact on foreign businesses in China.”
PrivSec China was a clear example of how online or face-to-face events are perfect for taking in a broad variety of perspectives and thinking critically about complex issues.
Delegates saw how professionals are grappling with China’s legislation “on the ground,” could ask questions, and got to know some of the leading thinkers and practitioners in Chinese privacy and security law.
PrivSec China: Catch-Up & Watch On-Demand
- Are You a Critical Information Infrastructure Operator?
- China’s Network Data Security Regulations: Clarity at Last or Another Compliance Nightmare?
- China’s Personal Information Protection Law (PIPL): What Businesses Need to Know
- Doing Business In China: The Geopolitical Dimension
- How to Operationalise China’s Privacy and Security Laws
- In-house or Outsourcing? How do you digitize your privacy protection plan?
- International Data Transfers Under Chinese Law
- LinkedIn and Yahoo Pulled Out of China. Will Your Business Survive China’s Increasingly Tough Digital Regulations?
- Making Sense of China’s Privacy and Security Laws
- Privacy Management in Action: Is technology ready to support us?