- Majority of applications still mired in procedure
- Though far from ideal, data anonymization, partial localization offered as potential solutions for MNCs
- Lawyer calls for balance between security and development
A year into the implementation of China’s security assessments of data export activities, multinationals in China are hearing back from the Cyberspace Administration of China (CAC) on the results of their applications. While a few MNCs granted approval had reason to celebrate, most received bans in some form, four lawyers familiar with the matter told PaRR.
“We’re seeing more cases of rejection from the CAC recently,” three of the lawyers said.
In some commonly seen business scenarios, the regulator has issued partial bans that prohibit certain types of data from being exported while allowing the remainder to freely cross borders, three of the lawyers said. Taking human resource management as an example, the prohibited information included personal identification (ID) numbers, bank accounts, and social security information of employees based in mainland China.
For business scenarios involving more sensitive data, the regulator has been banning all relevant data from cross-border transfers. For example, healthcare professional information (HPI) collected in China by pharmaceutical companies was prohibited from being exported, one of the lawyers said.
The CAC has also issued conditional approvals on some applications, two of the lawyers said. This happened when the CAC adjudged the need for some companies to export certain data as insufficient, preferring that the companies opt to localize such data instead, they said.
During the review, the CAC placed emphasis on examining whether companies have obtained “separate consent” from data subjects prior to cross-border transfer, two of the lawyers said. However, the requirement of “separate consent” is very hard to meet in many cases, e.g., when it pertains to historical data, one of the lawyers said. This has led the CAC to decline applications without proper documentation related to “separate consent”, they said.
“This is rather devastating [news] for MNCs whose business models inevitably involve some form of cross-border data transfer, either with their headquarters or with overseas business partners”, one of the lawyers commented.
Companies hit with bans are technically obliged to immediately cease all data export activities or face hefty fines. However, in practice, it is difficult for companies to shut down systems and halt operations. This has put them in a precarious position in which they are exposed to potential enforcement action, lawyers noted.
“Some of my clients have expressed anxiety about it”, one lawyer said.
Around 40-50 companies – both MNCs and domestic entities – have received a final passing decision from the CAC as of mid-August, two of the lawyers noted. An estimated 3000 applications have been filed with provincial-level data regulators since the ‘Measures for the Security Assessment of Cross-border Transfer of Data’ (the Measures) came into effect last September, one of the lawyers said.
Most of the applicants are mired in back-and-forth communications with local cyberspace administrators and their applications have yet to be submitted to the central CAC for a formal review, lawyers said. Some will go through four or five rounds of submissions being withdrawn and refiled following revisions required at the local level – a process that can last months, lawyers said. According to the Measures, applications need to be filed with the local regulator before being transferred to the central agency for a formal review.
When handling applications, the CAC also seeks comment from other ministries, including the company’s sector regulator, the Ministry of Commerce (MOFCOM), and the National Development and Reform Commission (NDRC), two of the lawyers said.
Under such a layered and stringent review process, MNCs are left with essentially two choices – either continue data exports while instituting mitigation efforts such as data anonymization, or embrace data localization (partially or completely) by housing their servers and data centers in China, Liu Xinyu, partner at Zhong Lun Law Firm, said.
The first choice, however, is difficult to implement as under the legal definition of anonymization set forth in China’s Personal Information Protection Law (PIPL), anonymized data must remain so, irreversibly, which is not technically feasible at present, Liu said.
The option of completely hiving off China operations from global operations via localization has costs that can vary from a couple of million to hundreds of millions in Chinese Yuan, depending on the size of the company, another Shanghai-based data lawyer said.
In addition to the cost, separating China-based operations from the rest of the world often collides with the ideology of many MNCs, which prefer integrated management systems for their global presence, Liu and the second Shanghai-based lawyer said. Not to mention that localization also means switching global suppliers of IT systems and infrastructure to local ones, and the choices are very limited if not absent, the second Shanghai lawyer added.
For companies receiving partial bans, their choices are slightly more diverse; they can opt for partial localization whereby their China-based subsidiaries make some system adjustments that shield certain types of data from global access, Liu said. But this route also requires significant manpower input as it will entail significant communications among compliance teams, IT teams, and other business departments, Liu said.
While the current situation is seen as "frustrating" to some, a Beijing-based lawyer expected the review process to be expedited and standardized after they "get the ball rolling", citing recent policy moves by the Chinese government.
On 13 August, China’s State Council issued guidelines aimed at attracting more foreign investment, including a pledge to explore convenient and secure mechanisms for cross-border data flows. And on 17 August, Bloomberg reported that the CAC has been reaching out to several MNCs to discuss ways to navigate China's data security rules.
Regulators are also “crossing the river by feeling the stones”, accumulating experience, and contemplating the proper standard for the reviews, the Beijing lawyer said.
It is possible the CAC will issue a second guidance as the number of applications for data export grows and more companies receive a final outcome, a third Shanghai-based lawyer said.
It is hoped the regulator will find a way to strike a balance between security and development in the near future, the Beijing lawyer said.