Why China’s Data Regulations Are a Compliance Nightmare for Companies

Legal ambiguities leave companies guessing where they must follow the laws and when they can just risk it.

Data is becoming the world’s most valuable resource. Since the beginning of this century, tech behemoths that run on data have overtaken traditional industries, shooting like meteors to claim the top spots of the world’s largest companies by market capitalization. And the far-reaching impacts of data are set to expand as governments worldwide begin prioritizing emerging technologies like AI, financial technology, and new energy vehicles. Data represents both the present and the future, and its significance to governments, companies, and individuals has given rise to a wide-scale debate over how to manage the critical space it occupies.

The American Chamber of Commerce (AmCham) in Shanghai recently released a report on how China’s personal data regulations affect foreign firms. The country’s data privacy regulatory framework falls mainly under the 2017 Cybersecurity Law and its associated standards and guidelines, as well as a litany of earlier sector-specific regulations, like the Commercial Banking Law. AmCham Shanghai found that while companies understand the need for data laws, many elements of the legislative framework do little to protect data and instead harm the flow of business operations.

Chief among their concerns are the vagueness and ambiguities in the laws themselves. The Personal Information Security Specification, which became a centerpiece of the data framework after it took effect in May 2018, is a standard that offers guidelines on how companies should collect and process personal information. Yet while China’s standards-setting authority classifies the Specification only as a “recommended” standard rather than a mandatory one, many companies said that regulators have indicated it must be followed as if it were law.

Many companies also complained of sector-specific ambiguities, like in healthcare, where the laws are unclear about which parts of patient data must be anonymized. Someone with a rare illness can easily be re-identified from their medical records even if their name and ID number are redacted, because the diagnosis itself, combined with details such as dates and location, narrows the field to a handful of people. But anonymizing the data thoroughly enough to rule this out strips the detail that makes it useful for healthcare R&D.

These ambiguities create compliance nightmares for companies, which find themselves guessing where they must follow the laws and when they can just risk it. One food and beverage company said: “If we can comply with the recommendation without much cost, we will take it as a new standard. But if we have to pay a lot for it, we will wait and see.” Other requirements, like data localization and overpriced annual security assessments, do little to make data more secure and instead impose onerous, expensive, and unnecessary burdens on companies.
