Data is increasingly seen as a source of value that companies worldwide are looking to leverage. However, there are risks of data being mishandled, and both the European Union and China are putting regulations in place to govern how data can be used and managed.

The Chinese cybersecurity law is designed to, amongst other things, ensure Chinese cybersecurity and protect national security under the basic principle that what is generated in China needs to be stored in China.

Two further laws work alongside the cybersecurity law to regulate how data in China is to be managed: the Personal Information Protection Law (PIPL), focusing on how personal information is to be handled (similar to GDPR), and the Data Security Law (DSL), focusing on how important data is used, collected, developed and protected.

As a consequence, almost half of the responding Swedish companies in China state that they are impacted by the Chinese cybersecurity legislation, according to this year’s “Business Climate Survey for China 2021” conducted by Team Sweden in China*. Only 36 per cent of Swedish companies, who often need to engage with for example headquarters or customers outside of China, perceive no impact.

[Figure: 3058 China cybersecurity text 1.png]

(Source: Team Sweden’s Business Climate Survey for China 2021)

All three investigated segments see a similar impact overall but with slightly different main challenges. Industrial companies primarily perceive challenges when it comes to the use of cloud solutions (26 per cent), while consumer and professional companies primarily see challenges in the use of VPN for business purposes (43 per cent and 30 per cent, respectively).

PIPL – The GDPR of China

The new Personal Information Protection Law (PIPL) of China went into effect on November 1st 2021 with many similarities to the European General Data Protection Regulation (GDPR). In addition to protecting individuals’ right to privacy, China’s PIPL also serves the purpose of regulating the processing and use of individuals’ personal data in the country, impacting Swedish companies who manage personal data of individuals in China.

PIPL emphasises that data handlers, as the entities primarily responsible for the protection of individuals’ personal data, are to take responsibility for their own data handling activities and must take the necessary measures to protect the security of the personal data they handle. Potential penalties for violation not only include substantial fines; companies also risk being subject to termination of operations and revocation of business licenses.

PIPL does not only affect companies who process personal information within the country, but also those who process the same type of data of individuals in China from the outside. Swedish companies located in China, as well as those operating from the outside, might therefore be impacted by PIPL if they handle such data, resulting in a need for Swedish companies to understand if and how they are affected by the newly adopted law. Notably, companies processing personal data of individuals in China from the outside need to establish a special agency or designate a representative within China to be responsible for relevant matters of personal information protection, and submit the name and contact information of that agency or representative.

There are in essence three aspects that Swedish companies should investigate following PIPL:

  • Identifying and categorizing data assets and application scenarios concerning business and operations according to Chinese laws
  • Assessing whether an internal compliance team with managerial authorization responsible for data compliance is needed
  • Conducting an internal risk assessment, starting from the most sensitive areas that most easily get challenged

Restrictions on cross-border transfer of important data

On September 1st 2021, the new Chinese Data Security Law took effect, stipulating how data is used, collected, developed, and protected in China. The law includes regulations on how cross-border transfer of important data collected and generated by critical infrastructure and general data processors within China is to be managed.

There are, however, still uncertainties with regard to exactly what important data entails, as it is not yet specified; definitions are to be provided by each region and department for the relevant industries and fields in the future.

[Figure: 3058 China cybersecurity text 2.png]

(Source: Team Sweden’s Business Climate Survey for China 2021)

Regulatory frameworks are also being put in place for companies to assess the possibility of transferring important data out of China. There are two separate frameworks for this, depending on whether the data is collected by critical information infrastructure operators (companies operating in specific industries or with specific technologies whose destruction, loss of function, or data leakage may seriously endanger national security, public wellbeing and public interest) or by general data processors (all others):

  • Critical information infrastructure operators (CIIO): Cross-border transfer of important data collected or produced inside mainland China is governed by the Cybersecurity regulations; such data is in principle to be stored within China, and a security assessment is required before any potential cross-border transfer
  • General data processors: Security review measures are to be formulated by the state cyberspace administration for how transferring of data abroad should be managed

Even though it is not yet fully defined, the new Data Security Law has already gone into effect, and Swedish companies need to be ready to comply if they are impacted once the definitions have been set. As a supplier to a company that falls under the scope of CIIO, a Swedish company might still be impacted by stricter assessments and may be required by its customers to support security assessments by submitting documents or similar, even though it does not itself fall under the scope.

To mitigate risk for violations connected to cross-border data transfer there is therefore a need for Swedish companies to:

  • Assess if they fall into the scope of critical information infrastructure operators
  • Keep a close eye on the development of the data security law and be ready to comply when needed, including with requests from customers
  • Predefine ownership, access, and responsibilities for clients' data as part of commercial agreements

Cloud localisation dependent on importance of data for business in China

Cloud solutions and services are becoming increasingly important both for internal operations and for external services, such as software-as-a-service (SaaS). However, Swedish companies are already impacted by cybersecurity legislation today when using cloud solutions.

[Figure: 3058 China cybersecurity text 3.png]

(Source: Team Sweden’s Business Climate Survey for China 2021)

The most common initial approach for many Swedish companies is to continue leveraging offshore servers to deliver services in China as well. However, this may bring uncertainties regarding regulatory compliance and long-term commercial sustainability, and can result in lower speed for a service that, in the worst case, might be blocked by the government.

On the other hand, setting up separate servers for the Chinese market carries the risk of creating separate islands of data. Given the newly adopted data security law and its implications for data transfer, data localised in China might not be able to be transferred out of the country and, as a consequence, may become isolated from the rest.

How to manage cloud setups therefore depends largely on whether or not the business in China is seen as important enough to risk creating separate, isolated islands of data. For this, there are initially four questions to consider:

  • How does the data fit into the overall model of your company?
  • Is your business in China important enough to create a separate setup for China?
  • What are the risks and benefits of setting up such a separate setup?
  • How can data transfer be managed, regardless of the model, if you are dependent on a vast amount of data for your business?

Conclusion

The Chinese Cybersecurity Law, as well as the newly adopted Data Security Law and Personal Information Protection Law, are designed to, amongst other things, ensure Chinese cybersecurity and protect national security, impacting Swedish companies operating on the Chinese market. Swedish companies therefore need to understand the implications of China’s cybersecurity legislation for their business, what risks it entails and how best to manage them.

*The Embassy of Sweden in Beijing, The Consulate General of Sweden in Shanghai, The Swedish Chamber of Commerce in China, Business Sweden.