By Leon C.G. Liu, Jared T. Nelson, Vincent Schroder, and Romain Perray
Three Key Trends for Companies Operating in China
China is currently undergoing an unprecedented period of swift changes and developments for data privacy, security, storage, and cross-border transfers. New laws, regulations, guidelines, and official statements have been issued at a rapid-fire rate with significant new rules available at a pace nearly matching the famous speed of technology developments in data-related industries. Although the recent changes have made significant and wide-spread new requirements for companies, three key trends are clearly emerging: data localization, new procedures and limitations on cross-border transfers, and a continuing expansion of expected government access.
The first two issues are two sides of the same coin, with localization being the requirement to store data in China, and related restrictions on cross-border transfers being applicable to the movement of data, mainly, from China to other jurisdictions. Although there are subtle differences between these two concepts, the primary impact is likely to be felt on the costs and logistics structures for data systems of multinational companies operating in China, which are increasingly having to arrange for local data storage and processing within the country in order to meet current and anticipated requirements in the laws.
A continuing expansion of expected government access to corporate systems is both a related concept to and a side effect of localization and transfer restrictions. This area has been the target of public concerns by internet free speech and privacy advocates, but the core of the government’s insistence on increased access has been a focus on security. To this end, China has recently taken steps towards requiring decryption and other technical support from some types of companies to prevent or investigate terrorist activities, clarifying procedures for remotely accessing foreign data during criminal investigations, and requiring a broad swath of companies to provide “technical support and assistance to public security organs and the State security organs in the activities of protecting national security and investigating crimes”.
Two Important Considerations
Given the rapidly changing rules, the priority for companies operating in China has been to institutionalize an approach that incorporates the overall trends and anticipates the coming requirements. For example, there has been a clear legislative trend for data localization and restrictions on cross-border transfers for some key industries, with important parts of these rules still under development to be finalized later in the year. Companies that made early adjustments for this trend while it was still emerging have been able to enjoy significant benefits from the speed and connectivity of local networks while also avoiding the need to make rushed changes under pressure from new legal requirements.
A second critical consideration by leading companies is how to incorporate these issues into the global context of redesigning data systems for recent critical international developments. In addition to the dramatic changes in China, most companies are already preparing for the newly amended Japanese Act on the Protection of Personal Information, the APEC Cross-Border Privacy Rules system, Australia’s new data breach notification laws as well as the European Union’s General Data Protection Regulation (GDPR).
The GDPR, for example, introduces strict data security standards, notably in terms of the increasing need for high levels of IT security especially for ransomware such as the recent Petya attack. In addition, it requires businesses around the globe to adjust to its extended territorial scope of application, its rigid substantive rules governing the processing of personal data, the far-reaching rights of individuals, as well as the demanding procedural regulations and drastic sanctions or penalties potentially imposed in response to violations. These wide-spread global changes are challenging, but also present an opportunity for companies to unify a data strategy across jurisdictions and plan for clear international trends, and China now is an important part of it.
One Immediate Next Step
A key first step for any company facing these types of challenges, with the assistance of trained legal eyes, is to conduct a data inventory and mapping exercise in order to better understand its current data systems as well as critical details of information lifecycles. These types of exercises, which may seem simple from the description, can take days or weeks of efforts to clarify key details of the large variety and many types of data such as financial and accounting systems, customer relationship management tools, payment processing software, website and interface applications, email servers, and various other internal or vendor-operated systems requiring detailed understandings in order to set up an effective plan and reduce global compliance risks.