Trends in 2024 of data regulation - China Tech Governance Review Vol.3
The biological clock of Chinese people is accustomed to the Lunar New Year as the mark dividing the old year from the new. After all, who doesn't like to envision the new year amid the family reunion and festive atmosphere?
Perhaps now is a good time to look ahead before we dive into holiday mode, to see what we can focus on and anticipate in the Year of the Dragon. In this article, I will direct our attention to the aspects of China's tech sector regulation that have garnered considerable attention from overseas: data protection administrative enforcement and cross-border data transfer control, offering some practical observations and trend analysis, maybe with some sharp commentary - I do not mind too much being the one to point out the elephant in the room.
I. Administrative enforcement in the field of data protection
In China, there are several administrative enforcement authorities in the field of data protection, including the Ministry of Industry and Information Technology (MIIT), the Cyberspace Administration of China (CAC), the public security departments, and the regulatory departments of specific industries. The public security departments primarily focus on cybercrime activities and the black and gray markets, which will not be elaborated on here. This section mainly analyzes the noteworthy regulatory enforcement trends of MIIT and CAC for this year:
The regulatory supervision by MIIT is mainly reflected in the governance of apps, with specific regulatory tools being app filing and special governance actions for apps.
App Filing: According to an administrative regulation issued by the MIIT in July 2023 ("Notice on Carrying Out the Filing Work of Mobile Internet Applications"), operators of applications (including programs installed on smart terminals and mini-programs or quick apps that are based on application software open platform interfaces and do not require installation) that provide internet information services within China must complete filing through network access service providers and application software open platforms. Otherwise, they cannot use domestic servers, be listed in domestic app stores, or use domestic payment interfaces. App filing is essentially an extension of the website ICP (Internet Content Provider) registration from the PC internet era to the mobile internet era. This regulation mainly targets apps that contaminate the market ecology and trigger crimes such as telecommunications fraud by disguising and counterfeiting themselves to be listed in app stores with illegal and inappropriate content (such as gambling, fraud, pornography, pirated films and television, and viruses). It does not affect overseas apps that do not use domestic cloud services or operate domestically (domestic users can still download them by changing the app store region; of course, those who need a VPN will still need one). According to the regulation, September 2023 to March 2024 is the grace period, allowing existing apps to complete their filing during this time. Currently, major domestic cloud service providers and distribution platforms provide detailed and comprehensive operational guidelines, with the overall review time ranging from 5 to about 20 working days, and the filing remains valid long-term. Since the regulation specifies that from April 2024 the MIIT will organize app filing inspections and enter a phase of normalized enforcement starting in July, businesses or individuals operating apps in China need to pay attention to this timeline.
Special governance actions for apps infringing on users' rights and interests: Since 2019, the MIIT has been organizing and continuously carrying out app governance actions through the construction of a national app technical testing platform, periodically publishing a list of apps that infringe on user rights and demanding rectification within a specified period. According to our statistics on the MIIT's public reports, in 2023 a total of 9 batches involving 341 apps were reported, a slight increase compared to the number in 2022 (324 apps). The violations mainly involve (1) forced, frequent, or excessive permission requests, (2) over-scope and illegal collection of personal information, and (3) deceiving, misleading, and forcing users (e.g., forcing or inducing users to download and install apps or redirecting them to other marketing pages). The problematic apps are mainly distributed in Beijing, Shanghai, Guangdong, Zhejiang, Fujian, and other first-tier cities or economically developed provinces. Notably, since the second half of 2023, the frequency of reports has increased, from once every 1.5 to 2 months to as fast as once every half month. On January 22, the MIIT issued the first batch of reports for 2024, focusing on violations such as frequent pop-ups and shake-triggered jumps that affect normal use.
Since the second half of 2023, the CAC has shifted its enforcement focus towards personal information protection, especially in areas of livelihood and consumption that are more perceptible to the public. I believe this is closely related to the emphasis on livelihood issues at the national conference on cybersecurity and informatization work in July 2023, where the Minister of the Central Propaganda Department reiterated President Xi Jinping's directives: in addition to the routine tasks of "risk prevention and security," cyberspace work also includes "strengthening governance to benefit the people's livelihood" and "enhancing vitality to promote development." This shift also relates to the fact that its work on regulating cross-border data transfers did not go well in the first half of the year (I will elaborate on this below). Specifically, its enforcement has mainly taken two forms:
Inspection of personal information rights and interests issues related to Apps: For example, local Cyberspace Administrations in Zhejiang and Chongqing respectively announced at the end of last year and the beginning of this year the investigation and rectification of two batches of apps with non-compliance issues regarding personal information protection, demanding timely rectification. The differences between the CAC's and MIIT's app enforcement may include: (1) different channels for complaints and reports, possibly corresponding to different processing pipelines and divisions of labor; (2) the CAC focuses more on the collection and use of personal information, while the MIIT pays more attention to a broader range of user experience and rights protection; (3) the MIIT, as a central institution, publishes related information uniformly and has formed a pattern of regular enforcement, whereas the CAC primarily conducts sporadic enforcement at the local level and lacks a unified information publication channel. Despite these differences, there is a general industry perception of somewhat overlapping enforcement and unclear division of responsibilities between the two.
Personal information protection enforcement in the field of life and consumption, represented by the special action of the Shanghai Municipal Cyberspace Administration: Since June 2023, the Shanghai Municipal Cyberspace Administration, in conjunction with the Municipal Administration for Market Regulation, has carried out a compliance inspection action on personal information protection for consumer scenario service providers, lasting about half a year. The involved scenarios mainly include restaurant chains, parking QR codes, children's training, real estate agencies, supermarket shopping, and online micro-loans. According to official data, during the special action, a total of 6,043 enterprises were inspected, over 520 enterprises were legally interviewed, and more than 50 cases of personal information protection were investigated. The Shanghai Municipal Cyberspace Administration has not disclosed specific penalties, and the description in its announcement indicates that the current stage still primarily involves interviews and training guidance. It is reasonable to expect that the Shanghai Municipal Cyberspace Administration will continue this form of enforcement in 2024, possibly with more flexibility and scenarization, and other local Cyberspace Administrations may also adopt and promote this model.
A new regulatory tool that has attracted significant attention from the practical field this year is the "Personal Information Protection Compliance Audit." On August 3, 2023, the CAC released the "Administrative Measures for the Compliance Audit of Personal Information Protection (Draft for Comments)," which requires personal information processors handling the personal information of more than 1 million people to conduct a personal information protection compliance audit at least once every year. Other personal information processors must conduct a compliance audit at least once every two years. This document also specifies the audit scope and key situations. However, the industry has not yet formed a clear consensus on how to implement these audits specifically. It is expected that even if this legal document is officially issued, there will be a period of exploration and buffering.
In addition, the following areas are highly likely to be under strict regulation this year:
Financial Industry - Financial Business Data Security: In July 2023, the People's Bank of China issued the "Administrative Measures of the People's Bank of China for Data Security in Business Fields (Draft for Comments)." This document specifies more detailed classifications, hierarchical management, and normative requirements for each processing link of banks' business data than before. Although it mentions the integrated utilization of data without leaving the system environment, the overall tone still emphasizes security protection and strengthening the responsibility of supervisors. It is expected to become a focus of data security regulation once officially issued.
Internet Industry - Protection of Minors: According to the "Regulation on the Protection of Minors in Cyberspace," which came into effect on January 1, 2024, the obligations of four types of entities (manufacturers and sellers of smartphones and other smart terminals, providers of social media and other internet services, online platforms with a large number of minor users, and processors of personal information of minors) in terms of internet information content norms, online protection of personal information, and anti-addiction measures have been strengthened. Service providers who seriously infringe on the physical and mental health or legal rights and interests of minors could face fines of up to 50 million yuan or 5% of the previous year's turnover, as well as suspension of business operations.
Pharmaceutical Industry and Connected-Automated Vehicle Industry: Due to the sensitive nature, large scale of data involved, and the application of emerging technologies (such as AI research and development, and autopilot systems), these industries will also continue to be a focus of regulation.
II. Cross-border Data Transfer ("CBDT")
For a long time, regarding the several legal documents for regulating cross-border data transfers, particularly data export activities, that CAC has successively introduced since the second half of 2022 and formally implemented in 2023, both the academic and practical fields within China have seen very limited public empirical analysis and discussion on their actual implementation effects. So, what is the situation really like?
As usual, I'll start with some brief background information. According to the current regulatory framework for data export in mainland China, the export activities of two types of data (personal information and important data) are subject to regulation, corresponding to three export pathways: Standard Contract for Cross-border Transfers of Personal Information (SCC), Personal Information Protection Certification (PIPC), and Data Export Security Assessment (DESA). These three pathways, ordered from highest to lowest in terms of procedural complexity and overall cost, are DESA, PIPC, and SCC. According to regulations, the export of important data must go through DESA, while the export of personal information, depending on the sensitivity and quantity of the data, is subject to one of the three pathways. In theory, even if you, as a personal information processor, are transferring just one piece of personal information abroad, you are at least required to enter into an SCC with the overseas recipient.
Based on our incomplete statistics from publicly available information (as such information is sporadically released by Cyberspace Administrations at various levels and regions), the implementation of these three pathways over the past year is as follows:
Data Export Security Assessment (DESA): As of January 2024, there have been at least 937 companies that have applied, with at least 74 having passed the security assessment, making the pass rate less than 7.9%.
Personal Information Protection Certification (PIPC): Currently, the only qualified certification body is the China Cybersecurity Review Technology and Certification Center (CCRC). As of December 2023, five companies have received the first batch of certification certificates.
Standard Contract for Cross-border Transfers of Personal Information (SCC): The disclosed sources of information are primarily the "first batch" or "first case" example notifications published by the Cyberspace Administration offices of various provinces, as well as a small number of press releases from intermediary agencies about their project performance. As of January 2024, the number of companies that have publicly disclosed the completion of SCC filing does not exceed 20. The number of applications is unknown.
Although the above numbers are theoretically incomplete and still on the rise, overall, such scale and the actual data export activities present a significant asymmetry. This largely indicates that the regulations have not been widely recognized and accepted by market entities, and the scant number of approved cases clearly fails to match the demand for data export. Another issue that emerges is that among these approved cases, there are almost no real commercial transactions of data—most are non-profit collaborations or cross-border data activities between affiliated entities.
It is also difficult to infer that the central decision-making body is satisfied with such implementation results; otherwise, the issue of CBDT would not have been described as a "problem" in the "Improving the Level of Opening-up" section of the report from the Central Economic Work Conference last December, with a resolution to "seriously address" ("认真解决") it.
There can be many perspectives from which to analyze the current issues with data export regulation, but I would like to mention one that is probably the most significant: the lack of economic consideration and commercial operability in the mechanism design. For example:
The threshold for triggering the DESA is low and the conditions for what constitutes a data export are too broad, leading to a generalized application. This means that a large number of activities that are not actually high risk (such as the cross-border transfer of employee information by multinational companies) are required to be reported according to the regulations. The subsequent review process is stringent and time-consuming, and even with the support of external professional legal teams, revisions and the repeated supplementing of documents are quite common.
Another example concerns the SCC: an official English version of the SCC has not been provided, and if any filing materials are originally in English, applicants are required to submit a translated Chinese version. There is very little room for modification or supplementation of the contract template, and the detailed and strict clauses on security technology and personal information protection requirements lead to significant additional procedural or ancillary process costs (such as the need to prepare detailed assessment reports on personal information protection in advance).
As for the PIPC, it is challenging to understand the actual costs incurred by certified companies from public information, and the fact that one certification body certifies only five companies in a year raises questions about the process's efficiency and effectiveness.
Therefore, it is not difficult to understand the complaints from foreign-invested enterprises, especially large multinational corporations with over 1,000 employees, which are the main applicants for the DESA. For instance, last November, the European Union Chamber of Commerce in China released a survey report on the impact of China’s data policies on European businesses. The report's findings indicate that the vast majority of the European companies surveyed (96%) primarily transfer data across borders for internal data transmission to the company's headquarters or other regional branches, hence the related data risks are relatively low. However, the current data policies significantly affect businesses, as many companies (or at least some of their entities) (30%) are required to conduct DESA as per the regulations. This has led to an increase in compliance spending (59%) and has also placed companies under pressure due to data localization, as well as information technology systems or overall operational stress (41%).
What can we expect this year?
My view is that the CBDT problems will be alleviated to some extent.
On one hand, last September, the CAC issued a draft of a legal document, intending to somewhat relax the current Cross-Border Data Transfer (CBDT) regime. We introduced and analyzed this in detail in the previous China Tech Governance Review Vol.1; the draft mainly clarifies some exemption scenarios and adopts a negative list model for the definition of important data. I also recommend a great analytical article by the Peterson Institute for International Economics for reference. The latest news is that the Director of the Department of Foreign Investment Administration under the Ministry of Commerce stated at a State Council press conference on February 5th, 2024 that the CAC is studying how to refine this regulation document and preparing to promote its issuance. Meanwhile, the CAC is already trying to optimize this regime through some local pilots:
Guangdong-Hong Kong-Macao Greater Bay Area: In December last year, the CAC and the Hong Kong SAR Government's Innovation and Technology Bureau jointly issued a guideline, introducing a more streamlined SCC applicable to the Greater Bay Area. This has simplified some requirements and also waived the obligation to submit personal information protection impact assessment reports to regulatory authorities. However, this scheme is currently only being piloted for CBDT scenarios between Guangdong and Hong Kong.
Beijing: According to disclosures by the Beijing Municipal Cyberspace Administration in January this year, the Beijing Free Trade Zone located in Daxing District, Beijing has established a CBDT Service Center, aiming to implement the facilitation of CBDT activities in Beijing. This Service Center is reported to have serviced complex data export business scenarios for more than 40 companies across 7 provinces and cities including Beijing and Shanghai, and is recently working with the Beijing Municipal Cyberspace Administration to establish a "quick channel" for data export of multinational pharmaceutical companies.
Shanghai: On February 6th, 2024, the Shanghai Municipal Government released an implementation plan to advance the high-level opening-up of the Shanghai Free Trade Zone. In the "Standardizing and Promoting Cross-Border Data Flow" Section, it explicitly proposes that the Shanghai Free Trade Zone will take the lead in formulating a catalog of important data. It is also worth mentioning that the list of responsible authorities for this entire Section includes not only the Municipal Cyberspace Administration but also the Municipal Data Administration (although listed behind the Municipal Cyberspace Administration).
On the other hand, there is no indication that the CAC will intensify its regulatory enforcement and impose substantial penalties. So far, there have been no cases of administrative penalties for failure to perform data export procedures, nor any recent reports or news of the CAC proactively enforcing CBDT regulation (on the contrary, there is considerable feedback from the industry that the relevant enquiry hotlines are not accessible). Compared to the enforcement of the EU's General Data Protection Regulation (GDPR)—for example, Meta was fined 1.2 billion euros last year due to data transfer compliance issues—the CAC's approach could be described as mild. Since the implementation of the related regulations, the focus in various regions has been on encouraging key enterprises to voluntarily declare their data transfers, rather than forcing all enterprises to do so or intimidating them with penalties. This is also one of the main reasons why the industry is still patient with changes in CBDT regulation. Given the current domestic economic downturn and the loss of foreign investment, it is likely that this trend will continue this year, and the decision-making level is also giving more attention to the management of regulatory expectations.
However, why say "to some extent"? Because, in my opinion, it remains to be seen whether there will be substantial improvement in at least the following aspects; otherwise, the "problem" may still be difficult to "solve" completely:
Regulatory Transparency: The CAC has never been able to provide public and specifically clear practice guidelines. Even professional law firms and consulting service companies struggle to develop unified and standardized service plans and process standards due to a lack of sufficient public information and inconsistencies in the requirements of local cyberspace administrations, which has also caused confusion on a large number of practical issues at the implementation level. Even the few currently approved cases should be summarized to distill experience and more understandable guidelines that help to simplify processes and procedures. Last year, the Shanghai Municipal Cyberspace Administration formed compliance guidelines for personal information protection in online food ordering services after the enforcement mentioned above, but for the more significant issue of CBDT, similar documents have not been seen. In addition, public reporting on the implementation of the CBDT regime has been poor. In the absence of a unified information disclosure platform, the information about CBDT released by local cyberspace administrations is fragmented and scarce, and much of it is limited to announcing a "first case" or "first batch" without follow-up, which also causes difficulties for empirical research. It is hard for me to assess how much practical value these vague, formalistic "good news" reports lacking in substance have in promoting compliance practice.
Appropriateness and Proportionality of Regulatory Requirements: The principle of proportionality is an important legislative principle in the field of administrative law, indicating that the exercise of administrative power by administrative entities should not cause harm to the counterpart that exceeds the value of the administrative purpose. Administrative law scholars from Germany and France might describe it as meaning that the government should not take any administrative action whose overall cost is higher than its overall benefits. Specifically, there should be appropriateness between the administrative entity's purpose and the means to achieve it. Moreover, if there are many measures available to achieve the administrative purpose, the most necessary ones should be chosen, i.e., those that do not cause harm to the public or cause the least harm. For example, the police cannot require a business to install security equipment worth USD 20,000 for property valued at USD 10,000. I noticed that in November last year, the MIIT issued the "Administrative Penalty Discretion Guidelines for Data Security in the Industrial and Information Technology Fields (for Trial Implementation) (Draft for Comments)," aiming to guide the MIIT in exercising administrative penalty discretion legally and appropriately, and to unify the scale of discretion. It made detailed and explicit provisions regarding jurisdiction, penalty situations, and discretion rules, which is a good sign. Unfortunately, I cannot yet confirm whether the CAC and some of the think tanks or experts it relies on are truly clear and aware of this principle.