How American Companies are Approaching China’s Data, Privacy, and Cybersecurity Regimes

Over the last five years, China has constructed vast data, privacy, and cybersecurity regimes in the hopes of protecting personal data and strengthening national security. While many countries have also begun regulating data more tightly, the environment in China is uniquely restrictive. New laws, regulations, and standards are particularly challenging for multinational firms operating in China because their operations, products, and services rely on fast and fluid cross-border data flows. The US-China Business Council (USCBC) has spoken with over 30 American companies to better understand their data, privacy, and cybersecurity compliance challenges as well as their plans for dealing with policy uncertainty in this important market.  

Core Challenges

  • Data localization, prescriptive cybersecurity rules, and restrictions on cross-border data flows: A combination of data localization rules, prescriptive cybersecurity requirements, and cross-border data transfer security-review requirements makes China one of the most restrictive major economies in data and cybersecurity governance. Draft policies stand to further this trend, significantly increasing the cost of doing business in China, disrupting global systems, and limiting the types of goods and services foreign companies can bring to the country.
  • Regulatory ambiguity: The practical details of several of the most consequential laws and regulations are unclear or undefined, including the definitions of key terms, the agencies of jurisdiction, whether rules are mandatory or voluntary, and the scope and thresholds of data localization and cross-border data transfer reviews. While USCBC expects these rules to be published in the future, companies are already experiencing associated enforcement challenges.
  • Inconsistent regulatory enforcement: Companies increasingly report pressure to comply with regulations despite the lack of practical steps for doing so. The level and type of enforcement vary across both regions and industries, leaving companies unsure how to comply.

Companies’ responses to this evolving legislative and regulatory landscape vary greatly depending on the industry and types of data they collect in China. At minimum, all interviewed companies indicated that they are mapping their data flows and assessing their business structure for any necessary adjustments.  

The long-term consequences of China’s data, privacy, and cybersecurity regimes remain to be seen. If the policies are implemented rigidly, a possible outcome is the creation of data islands that force companies to localize technology, people, and processes, disconnecting them from global operations. This could force companies to make separate product offerings or conduct separate research and development in Chinese and global markets. This range of impacts might hurt the competitiveness of China’s business environment to the detriment of Chinese consumers, corporate competitiveness in China, and the country’s integration with the global economy. 

