China is establishing new regulatory pillars for its giant internet industry, but a new data security law and other rules are ambiguous in ways that leave companies fearful they may accidentally cross a line, lawyers say.
The data security law, which goes into effect on Sept. 1 (next Wednesday), requires all companies in China to classify the data they handle into several categories and governs how such data is stored and transferred to other parties.
Key categories include “national core data” and “important data”, for which mishandling could carry a penalties of up to 10 million yuan or even a criminal charge. But the government has not yet provided definitions for these or given further details on what type of data may fall into which category, lawyers say.
For example, the law says only that companies looking to transfer “important data” overseas must perform a security assessment each time.
“There is no list, there is no annex, there are no examples,” Nicolas Bahmanyar, senior consultant at Beijing-based law firm LEAF, said. “So we’re a little bit in the dark here.”
The country will also impose new rules aimed at protecting “critical information infrastructure,” on the same day, but experts say definitions for such infrastructure are equally unclear.
Operators of critical information infrastructure will face stricter data security requirements, particularly when it comes to cross-border data transfers. Beijing in 2017 provided a list of industries that it considered critical in broad terms such as “public communications”.
No guidelines yet
Industry-specific regulators are expected to release more detailed frameworks, but have not yet done so.
“Even if you could take inferences from what’s happening in the news, and then public announcements of enforcement actions against certain companies, there’s no official way of benchmarking yourself,” Alex Roberts, a corporate counsel at the Shanghai office of law firm Linklaters, said.
The legal moves reflect Beijing’s growing concern over the mountains of data private firms have amassed and whether such information could be at risk of attack and misuse, especially by foreign states.
China’s 2017 cybersecurity law requires firms to store data in China as well agree to security reviews, and will on November 1 be further complemented by laws governing how personal information is treated.
A senior engineer at a marketing agency in Shanghai said one of his clients hired a third-party auditor to assess whether his company could meet the new regulations for a project. He declined to be named as he was not approved to speak to the media.
“You need to prove how your data is stored, that you have a recovery plan, whatever happens your app is safe, and all your data is in China,” he said. “These processes are very bureaucratic and are meant to be for very large companies, which we are not.”
One closely watched case is that of Didi Global, which China’s powerful cyberspace regulator began investigating over data security risks last month, just two days after the company’s debut in New York.
The Cyberspace Administration of China is also investigating online recruitment platform Boss Zhipin, which is owned by Kanzhun and two commercial freight platforms run by Full Truck Alliance, citing national data security risks.
• Reuters, Kevin Hamlin and Jim Pollard