How Western companies are dealing with China’s data security laws

Business & Technology

The U.S.-China Business Council’s Matt Margulies and Hannah Feldshuh discuss the landscape of China’s changing security laws and legal provisions, and how U.S. companies can deal with data, privacy, and cybersecurity issues.

Below is a complete transcript of the China Corner Office Podcast with Matt Margulies and Hannah Feldshuh:

Chris: Hi, everyone. Thanks so much for joining us today on China Corner Office, a podcast powered by SupChina, the New York based news and information platform that helps the West read China between the lines. I’m Chris Marquis, a professor at the Cambridge Judge Business school and today we’ll be joined by Matthew Margulies, Senior Vice President at the U.S.-China Business Council and Hannah Feldshuh, a Business Advisory Services Manager also at the USCBC.

Both are based in Beijing, and we discussed the recent report they worked on, on China’s data security and privacy regime, a topic that comes up often in media reports of many companies doing business in China, from U.S. firms like Apple and Tesla to Chinese firms like Ant Financial and DiDi. Matt and Hannah provide a lot of very useful information for companies doing business in China. At a baseline, they discuss how the legal landscape of China’s data security regime is composed of three different laws. They provide the specific provisions of each and the different regulators that business has to deal with in regard to its data.

Matt and Hannah also discussed how companies can and are dealing with these data, privacy, and cybersecurity challenges, discussing a number of industry specific cases such as in the healthcare automotive and financial services sectors that show that the laws affect different industries differently. Some strategies the companies are using to deal with these laws include revamping their government repair strategies to work with their regional regulators on navigating potential issues. Some companies are also adjusting their data structures and creating new data plans. For instance, localizing storage of data and personal information gathered in China.

Matt and Hannah also discussed how, at worst, components of current regulation could result in the creation of corporate “in China for China data islands” that make portions of global businesses essentially inaccessible by headquarters or offices in other markets. This may stifle the way business is done in China for both foreign and Chinese companies, affect their innovation, limit what products are brought to market in China, and also how Chinese companies can go global.

We’ll lead to the report in the show notes and I encourage you to take a look for more details on what we discussed in this episode. Thanks so much and enjoy the show.

Chris: Matt and Hannah, welcome to China Corner Office.

Matt: Thanks for having us, Chris. Pleasure to be here.

Hannah: Yeah. Thanks, Chris. Great to speak with you.

Chris: Yeah. A lot of the companies I’ve been talking to have been discussing the recent data security regulations in China that have been unfolding over the last number of years. And reading this really interesting USCBC report you’ve worked on, I thought it’d be great to talk and learn more both about the report and about the findings of the report: who you talk to and what some of the interesting case studies are. I guess, first I’ll start, and I think with you, Matt, what motivated the USCBC to do this report now?

Matt: It’s a good question, Chris. Thank you. What we have found as an organization is that over time, our members, which are large U.S. companies, have really grown increasingly concerned with what we’ve called the uniquely restrictive direction in which China’s data and privacy and cyber security regimes are moving.

I think most of us are clear that the data and privacy is an issue that many countries are dealing with. China is not the only one dealing with this but China is doing so in a way that has presented a number of policy and regulatory challenges for companies. Since at least 2015, I think, as an organization but even prior to that, a number of our member companies have indicated that policies and regulations in this space are an ongoing and growing challenge for them. And so, when we, as an organization, look at how to try and work with the Chinese government to shape the policy environment, we’ve commented on a lot of Chinese regulations and policies and laws over that time to try and shape policies a little bit in the way that are a bit more business friendly, a bit more practical, and less security focused, to be honest.

But we found that since we started working on these policies, the environment has really continued to evolve in a way that presents a number of ongoing challenges. And so, we’ve found that the, let’s call it the advocacy space, the space for shaping policy has become somewhat stagnant for data security, for privacy, and for cybersecurity in China. We spent a lot of time advocating on these issues. Now let’s take a look at how companies are actually dealing with these issues. Let’s focus on advocacy and more on practical best practices. How can companies navigate these issues?

Chris: Yeah. And probably that will help you as well be more effective in your future advocacy, just getting a baseline of how companies are perceiving and working with these regulations. Hannah, I think you were actually involved in the data collection and writing of the report. And so, I’d love to learn a little bit from you about just how restrictive is China’s cybersecurity landscape in the last number of years and what are some of the key laws and regulations that apply to all companies, but particularly non-Chinese companies.

Hannah: Yeah. Thanks, Chris. I think we’re at a really unique moment, as Matt mentioned, where businesses are contending with the full range of China’s regime in this area. At this point in time, just to recap for listeners, China has now passed and implemented the cybersecurity law, the data security law, and the personal information protection law. Those three elements are often referred to as three legs of a stool or three pillars that establish how China will relegate responsibilities for the state and for companies with regards to the control of privacy, data, and cybersecurity as well as obligations on both the government’s and industries’ interaction with data collection and processing, and finally, privacy rights and obligations for users, regulators, as well as data processors. With that in mind, companies are contending with dealing with a really complex and increasingly complex landscape which has some key regulators to keep in mind as we get further into the discussion.

First up is certainly the CAC, the Cyberspace Administration of China, which has had a growingly important and influential role in both regulating and leading enforcement in this area. Then of course, there is industry specific regulators like the Ministry of Industry and Information Technology that help to articulate standards for companies operating in their sector and are influential as well in adding nuance to some of the key definitions of data that is subject to greater protections, both in terms of efforts around localization as well as cross-border data review. Finally, we also have, among others, the Ministry of Public Security that helps to assess cybersecurity systems and standards for businesses. Now, within this kind of umbrella of restrictions on companies we’ve got a couple of different regimes. Now, some of which I’ve already mentioned. So an approach to data security and privacy which should be somewhat more familiar, I suppose, to folks looking at trends in other markets but has definitely distinct elements.

And then in addition, a whole mass of more restrictive and prescriptive cybersecurity requirements under something called the Multi-Level Protection Scheme so, MLPS. More commonly referred to as MLPS 2.0 because we’ve had iterations of this that have built upon themselves which helps to rank companies’ systems based on risk and exposure if they are compromised.

Within this sort of network of laws, there’re a few things that I would highlight that make China distinctive and unique to navigate. The first is, of course, that there’s a growing number of laws that don’t necessarily work in confluence with each other: there’s remaining ambiguity. The second is a balance and focus on national security that elevates the importance of dealing with data in a sensitive way for companies because it increases risks of non-compliance.

Chris: Interesting. Can you maybe say a little bit more about what some of the specific concerns that companies might have? I mean, obviously, restrictive data or having to have all your China data in China or I can see in general what some of the issues might be. But some of the specific challenges that companies face from this complex environment were these different regulators and laws. I mean, it’s a very challenging environment, I’m sure. I’d love to hear just a little bit of maybe some specific examples of companies that have run into problems addressing that.

Hannah: Yes, absolutely. There’re a few areas of challenge I’d love to highlight because I think they’re pretty indicative of challenges that foreign businesses are having across sectors. The first is definitely restrictions on cross-border data flows. It’s important to note here that many of our, well all of our members, are reliant on a global business model to efficiently and innovatively carry out normal operations. That includes dispersing and differentiating data flows across markets with everything from HR functions to after sale services, to approaches to R&D in a way that’s pretty integrated and is also global in nature. China’s regime has an approach to cross-border data flows where government regulators are able to review or restrict certain types of data flows and the terms of that review and restriction are really not that clear at the moment because a lot of this restriction call all hinges on a term called important data, which will be in the future subject to greater restriction and review.

But as of yet, is still waiting to be defined by both sector and regional regulators. That’s one area where businesses are concerned about how that definition will play out and should those reviews be leveraged in a more restrictive way, which will greatly restrict foreign businesses’ capacity to make use of a globalized supply chain and data flows.

Now, we’ve already heard from some members that influencing things like product decision making, with one of our healthcare companies indicating that they’re just not confident around making use of global business flows for things like remotely managed medical devices, for example. Because they’re looking ahead and just saying, “You know what? We’re seeing trends of greater restriction in this area,” and they’re not as confident that there’s a business case for offering something that makes use of innovations in that way given current trends around data flows.

Chris: Yeah. Makes sense. I mean, I’ve been talking to a variety of companies that I would never think that this would actually impact their business. But for instance, one that helps companies with their sustainability progress and helps them in ESG issues and they said that actually they have a worldwide database and they have a China database because the two are not allowed to talk to one another. And so, you could see how this could be a real competitive disadvantage.

Along those lines, Matt, I’m interested in asking for your general perspective on how companies and countries can balance national security versus commercial demands. My exposure to this, in addition to just hearing about it from companies is, you see in the media companies like Tesla or Apple where they have to have their China data in China and that leads to a variety of reporting in their commercial interest. Is that in the Chinese national security interest? Does it put actually, U.S. interest potentially, at risk? I’d love to hear a little bit about how you and the USCBC is thinking about these issues to balance commercial and national security concerns.

Matt: Yeah. I think you have hit on the most difficult. It’s probably the most logical question to ask but it’s also the most difficult question to answer that I think every government globally is grappling with. There’s certainly no good answer and I think there’s no perfect answer, I should say, but I think it’s one where it really depends on each government’s risk tolerance, right? And their own views of how they manage their economy, how they view national security, and increasingly, the blend of economic security and national security. That’s something that for not many years ago, we talked about in very distinct realms but now, economic security has almost blended in a lot of places with national security, and data is one of the important components of economic security nowadays, it seems.

For China specifically, I would start by noting that China’s policy landscape in certain areas definitely draws heavily from regulation in other markets. Most notably for China’s Personal Information Protection Law, the PIPL, that Hannah was talking about. It’s drafted with significant influence from the European unions, privacy regulations, the GDPR. And so and so in some respects, there are many similarities, at least legally and on paper, to some privacy specific elements of regulation here in China and elsewhere. But I think China and the EU or China and the U.S. have very different regulatory systems, very different legal systems. So even if one law is drafted based on another, that doesn’t really mean they are the same thing. I think most of your listeners are probably aware that China does not necessarily have the same level of independence for its judiciary or just in general, the role of the state and regular commerce.

Chris: So that raises really interesting questions not only just about the regulation but then also about actually the implementation of it. I’ve recently relocated from the U.S. to the U.K. and people are frequently talking about GDPR also in the U.K. as well as the EU. It’s interesting because I was recently at a conference, and someone presented a paper on how actually the implementation of the GDPR is not as robust as one might think. Actually, there’s still a tremendous amount of tracking that goes on, tremendous amount of privacy violations, even in spite of that regulations. So it’s interesting to think about, sort of on the ground, how these are being implemented.

Hannah, I’d like to turn back to you actually. You started talking a little bit about healthcare and as I, again, sort of from the media, which is where most of my information comes from, I mentioned Tesla and the auto industry. Because of location and various other privacy type of issues and obviously, the media was around Ant IPO, DD, these companies may be having some sensitive data that if they’re in the U.S. markets that might actually be a security concern. I’d love to hear about some other industry specific issues, auto, financial services, sound like two that are interesting to me, but I’d love to hear about other ones as well that you think might be of particular interest to the listeners.

Hannah: Yeah. I would say, first of all, it’s a great question and certainly China is not unique in having different sectors that either are more heavily regulated or that have a confluence of factors that make data regulation more complex. I would say throughout the course of our benchmarking and speaking to members on this issue, a few that clearly bubble to the top as having unique challenges included hospitality sector, financial services, healthcare certainly, and automotive.

To walk you through a little bit of what I mean by that, first off, healthcare sector suffers from needing and being heavily reliant on clinical trial data for innovation and for new product offerings. In addition to central level regulations that regulate and control cross-border data flows as well as show trends of data localization and ambiguities that are challenging to navigate, the healthcare sector also faces additional restrictions on transfer of clinical information and certainly, human genetic information that can make even routine processes including providing required data to a foreign regulatory agency challenging.

That’s one side of the equation of how those sector specific challenges could play out. But on the other side of things, we have something like the automotive sector which has also had a more robust regulatory response. But the challenges have been less so around additional restrictions of cross border data transfers but more so that we’ve seen early and more restrictive definitions around what would be defined as data that should be subject to more restrictions. What is “important data” has been more upstream and downstream than some people frankly anticipated, but certainly, one might hope to see across all sectors.

Financial services is maybe the most challenged among the all that I mentioned because not only have, since 2009, they’ve been subject to additional requirements around data localization and restrictions on cross-border data flows but they also are under additional scrutiny from sectoral regulators and then central regulators that makes it a complex relationship to navigate. Particularly, given that most financial businesses are also subject to more stringent review and regulatory obligations in their headquarters’ country of origin as well.

Chris: Right. I mean, mind boggling to me the complexity and challenges in responding to this. And so I’m curious, from the companies that you talk to or other observations of companies that you work with in addition to studying your report in detail, what responses do companies have to this? I mean, what are their, in some ways, what are the different paths that they can take to deal with this complex environment?

Hannah: It’s a good question and one certainly that I know that companies are asking both internally and then through organizations like USCBC because it’s hard to know how to respond to something, a regime that is still emerging and that lacks some key definitions. But generally speaking, I heard a couple of responses that seem to be pretty common.

The first was thinking about how you make use of your government affairs professionals to try and get more answers either on a local level or in special economic zone, etc. So revamping government affairs strategies and including perhaps more prominently cyber data and privacy issues as a component of that. Some of the other elements are about rethinking or mapping out data governance more generally. So both following the trend of where exactly your data goes and really understanding that particularly, in a more cross-functional or comprehensive way but also using that information to stress test and build systems resilience internally.

A third area, I guess, is also thinking about and investing in personnel. So whether that’s a chief privacy officer who’s on the ground or more of a committee structure that takes advantage of the different functions within companies and organizations. We are definitely seeing that companies are thinking more creatively about how they’ll invest in good human resources to address this problem. Probably the biggest ticket item as a budgetary expenditure is definitely thinking about data presence and data centers and where are those are located and what will build the best systems resilience and ability to respond to new regulatory demands in terms of where physically companies are locating their data.

Chris: Right. I’d love to hear a little bit about how companies are then… I think a lot of the companies you represent are multinational, I’d be assuming given the name USCBC — many of them probably have their headquarters in the U.S. and then they have operations probably from small to very large operations in China. How are they managing this with their headquarters? I mean, you can imagine for corporate strategy reasons, privacy reasons, lots of reasons, the headquarters probably wants to have the data centrally managed but these laws, actually in many cases probably prevent that. What have you been hearing as far as how the China staff is intersecting with the headquarters on these topics of data privacy and data security?

Hannah: Sure. I think it depends. Just broadly speaking, I would say it’s challenging to reach consensus as to what is the appropriate approach here. Because yes, as you mentioned, there may be differences in company expectation and culture, and certainly a difference in how most companies would be thinking about compliance with regards to data in other markets, where maybe they aren’t having the same conversations as the ones that are now originating in China offices.

But I think it’s important to note that not all companies are the same and certainly not all companies have the same concerns. There are factors that will change and differentiate how that conversation plays out including market exposure in China, product offering certainly, and then also risk tolerance. That risk tolerance is also driving a difference in conversation and comfort level in either reaching consensus or what that consensus looks like.

Chris: Yeah. Can you say a little bit more about that risk consensus? I mean, I can understand the market exposure, so if you have a huge China market, obviously you’re going to be more likely to follow the China specific regulations because you want to continue operating there and thriving. But I’m curious to hear how companies might vary on their risk tolerance, where some, maybe they embrace these regulations and are more open to them. Whereas maybe some are like, “Well, okay, I’m going to slowly move out of the China market.”

Hannah: Yeah. I would say first off, we don’t quite seem to be moving out of the China market phase at the moment.

Chris: Good. Good to hear.

Hannah: But I think the difference in risk assessment and how that’ll impact operations has a lot to do with future product offerings, innovation strategy, etc. But there are a few things I’d note there, a company that internally has more risk tolerance is probably just doing some of the more internally facing preparatory steps that I indicated. Mapping their data, stress testing their systems, basically doing good data governance work but not necessarily making any broad changes to their larger data governance structure or business calculus.

But that’s not universally true, companies that are more nervous about this for a variety of reasons, including some of the factors that both you and I mentioned, are looking to essentially duplicate systems in China and the phrase we use in the report, which I hope is easy to remember is, “in China for China data islands.” But essentially, what that means is duplicating processes including data centers, etc., but also things like HR personnel, R&D, after sales services, etc. So that their China markets are more separate from other global operations but as a result, hopefully, have more resilience to some of the concerns that these more risk averse companies are seeing and projecting.

Chris: Great. Interesting. Yeah. The “in China for China data islands” really captures it very nicely. Matt, love to turn back to you to talk a little bit about future trends. Is this something where you think that the cybersecurity landscape is likely to continue on, an increasing data landscape with Chinese characteristics or possibly move to be more in sync with the global environment? I mean, you mentioned GDPR earlier so what’s your sense of the future trends in this area?

Matt: Yeah. It’s easy to say that things will go poorly and that the general environment in China is increasingly leaning more towards an environment that prioritizes security with respect to data security and privacy. I wouldn’t actively disagree with people that hold that view because it’s difficult to find bright spots or successes in addressing policy concerns raised by us and others on those issues.

But I do want to say, we also do hear from other stakeholders that really do recognize that there is an inherent conflict between openness and data flows and business investment and planning with basically closing China off into what Hannah referred to as a data island. I think there isn’t an answer in the Chinese system yet, which is why it’s taken so long for certain regulations and key concepts to be defined.

If I had to answer now, I’d say that what it means for the future, it means that China is a high cost, complex legal and regulatory environment that companies need to pay attention to. China is not cheap. It’s not been cheap for a long time, certainly not China of the 1990s or early 2000s. The lawyers are expensive, business models might end up needing to shift. But to go back to my original point, in many respects, China is an outlier from many other countries in terms of other regulatory issues. Whether that’s free capital flows across borders, whether that’s COVID zero and all of the lockdowns we’re seeing now two plus years after COVID really took off across the world, or even whether that’s on market access issues and the role of the state in commerce.

So in general, I would expect that China’s uniqueness will continue in the data and regulatory space but one maybe where China integrates elements of the global economy but also over emphasizes or strongly focuses on the national security limits and reduces any exposure to what they would view as destabilizing.

Chris: Great. I’d love to just sort of our last area of discussion, we’ve talked about companies that are already, in many ways, doing business in China. For companies that are thinking about maybe entering the China market, what are some of the recommendations you might have for them vis-a-vis these data security and privacy issues? Maybe Hannah, we’ll start with you.

Hannah: Sure. It’s a good question, it’s a complicated question, and this is not necessarily something that a larger, more established company already in China isn’t doing. But I think, proactively, understanding what your data flows look like and how much exposure exactly you would have under the Chinese system, so what sensitive data you actually process and at what volume is a really important consideration. That may sound like a simple suggestion but I think for many companies, especially ones with complex networks of vendors, suppliers, customers, it’s not immediately apparent, at least not universally immediately apparent, what those data flows look like. Understanding those and having a good sense of internal best practices as well as data governance practices is going to be important in being able to respond in real time as some of these key definitions and additional changes are being rolled out.

Chris: Great. Thanks. How about you, Matt? Do you have anything to add on that?

Matt: I think Hannah did a pretty good job addressing that. I would just go in wide-eyed and aware that it can be a complex legal environment and so… I mean, for any company in any industry, if you want to be successful in China you need to be committed too. You need to be resourced up to do it here, right? It’s not something that you can generally bootstrap or do lightly. And so, be prepared for that endeavor and then I think, you should definitely go for it.

Chris: Great. How about the international data agreements? We’ve sort of touched on these a little bit, Matt, maybe I’ll stay with you if you don’t mind. China is implementing it, its data security issues, how do international data agreements shape those?

Matt: That’s a good question. I think looking at it from a number of angles, we are the US-China Business Council, so we are rightly biased by looking at this through a narrow lens of U.S. and China. I imagine listenership comes from a number of different locations. But looking at least from the perspective of the U.S. and China, frankly, it’s at the heart of U.S. China competition, right? It’s at the forefront of all this. For a while, for a long time now, we, as an organization, and the American business community have been calling for the United States itself to pursue data based trade agreements across Asia. We’ve called for the U.S. to pursue accession to, at the time what was called TPP, the Trans-Pacific Partnership, now the CPTPP. We’ve called for the U.S. government itself to develop our own U.S. federal privacy laws to give us a standard to point to in discussions with the Chinese.

Because right now, we don’t have that in the U.S. so it makes it more difficult to push back on areas of policy that we don’t agree with. Just in the last month or so, the department of commerce actually made an announcement for new plans to co-op an ASEAN initiative called the Cross Border Privacy Rules, CBPR, which I think would seek to establish some privacy principles in the U.S. alongside a few other ASEAN countries. But importantly, that this initiative from the U.S. will almost certainly exclude China and Russia which do have access to CBPR if they desire. It’s all playing out right now but there’s a competition for it and China has made overtures to try to join TPP or CPTPP. And so, it’s to be determined how that goes but it’s certainly an important element of the U.S. China competition that is going to be here for a while.

Chris: Great, thanks. How about you, Hannah? Do you have any comments on this international data agreement topic?

Hannah: Yeah, sure. Thanks, Chris. Also, I thought Matt did a great job of addressing this comprehensively. So maybe the angle I’ll take on this is of, for example, the agreements that Matt mentioned. So particularly I think, CPTPP is a good example. How much would that change China’s obligations with regards to its domestic implementation? I’m of the opinion, at least, that it wouldn’t have a huge degree of influence just due to the structure of the digital elements of that agreement which are pretty broad and allow for broad exceptions for national security reasons, for public policy objectives, which I think regardless of the business community reaction to current regulatory trends in China, regulators and certainly trade negotiators could argue China is meeting or working to meet, etc. I think I agree with Matt that there needs to be further efforts in this area to have it be more tailored to the type of concerns that, at least our members, U.S. businesses in China are raising.

Chris: Yeah.

Matt: Chris, I would just add one other thing is on January 1st of this year, 2022, the RCEP agreement, RCEP, which is a largely Asia focused trade agreement, much lower standard than CPTPP but it focused on integrating Asian economies, went into force. China is one of the members of that, as are South Korea, Japan, and a number of other countries in ASEAN. Through our conversations, we came to understand that the Chinese government’s view was that they required no changes in their own domestic data regulation and privacy regulation in order to comply with the RCEP agreement even though there were stipulations in RCEP that indicated some level of environments or data flows. To Hannah’s point, I think the international trade environment may shape how companies view data security and privacy but the domestic environment here in China, at least for now, seems to be fairly set.

Chris: Got it. Just as a final question then, Matt. Based on all this research, understanding, report writing, working with companies, what all else is the USCBC doing to support Chinese companies dealing with these ongoing challenges as they try to succeed in business in China?

Matt: Sure. Just one quick clarification, supporting American companies in China.

Chris: Yes. Yeah.

Matt: What I would say is, we’re doing podcasts like this. We’re sending our message into the system. We wrote this report. We’re not shy about our reporting and our information, right? This is public. We submitted it to the U.S. government, we submitted it to European governments, we submitted it to the Chinese government so the message is out there. We write letters, we comment on Chinese regulations and policy developments, and at the end of the day, China wants to be a competitive investment environment and they recognize the importance of foreign businesses as a component of that investment environment. And so, we have an important voice, an important message we like to share with them, and so we take that message to the media, to the government directly, and to anybody that’s willing to listen. It’s been an uphill battle but we’ll continue to focus on it.

Chris: Great. Well, thank you so much. I mean, even though an uphill battle, it’s a really important effort and set of information that you provide and services as well. So thank you both, Matt and Hannah, for joining us on China Corner Office.

Matt: Thanks a lot, Chris.

Hannah: Thanks for having us.