TheJakartaPost
Please Update your browser
Your browser is out of date, and may not be compatible with our website. A list of the most popular web browsers can be found below.
Just click on the icons to get to the download page.
China’s coming data laws leave firms with more questions than answers
Change Size
C
hina is establishing new regulatory pillars for its giant Internet industry, but a new data security law and other rules are ambiguous in ways that leave companies fearful they may accidentally cross a line, lawyers say.
The data security law, which goes into effect on Sept. 1, requires all companies in China to classify the data they handle into several categories and governs how such data is stored and transferred to other parties.
Key categories include "national core data" and "important data", for which mishandling could carry a penalties of up to 10 million yuan (US$1.54 million) or even a criminal charge. But the government has not yet provided definitions for these or given further details on what type of data may fall into which category, lawyers say.
For example, the law says only that companies looking to transfer "important data" overseas must perform a security assessment each time.
"There is no list, there is no annex, there are no examples," says Nicolas Bahmanyar, senior consultant at Beijing-based law firm LEAF. "So we’re a little bit in the dark here."
The country will also impose new rules aimed at protecting "critical information infrastructure," on the same day, but experts say definitions for such infrastructure are equally unclear.
Operators of critical information infrastructure will face stricter data security requirements, particularly when it comes to cross-border data transfers. Beijing in 2017 provided a list of industries that it considered critical in broad terms such as "public communications".
Industry-specific regulators are expected to release more detailed frameworks but have not yet done so.
"Even if you could take inferences from what's happening in the news, and then public announcements of enforcement actions against certain companies, there's no official way of benchmarking yourself," said Alex Roberts, a corporate counsel at the Shanghai office of law firm Linklaters.
The legal moves reflect Beijing's growing concern over the mountains of data private firms have amassed and whether such information could be at risk of attack and misuse, especially by foreign states.
China's 2017 cybersecurity law requires firms to store data in China as well agree to security reviews and will on Nov. 1 be further complemented by laws governing how personal information is treated.
A senior engineer at a marketing agency in Shanghai said one of his clients hired a third-party auditor to assess whether his company could meet the new regulations for a project. He declined to be named as he was not approved to speak to the media.
"You need to prove how your data is stored, that you have a recovery plan, whatever happens your app is safe, and all your data is in China," he said. "These processes are very bureaucratic and are meant to be for very large companies, which we are not."
One closely watched case is that of Didi Global, which China's powerful cyberspace regulator began investigating over data security risks last month, just two days after the company's debut in New York.
The Cyberspace Administration of China (CAC) is also investigating online recruitment platform Boss Zhipin, which is owned by Kanzhun and two commercial freight platforms run by Full Truck Alliance, citing national data security risks.
In a separate development, China has issued draft guidelines on regulating the algorithms used by internet service providers to make recommendations to users, part of efforts to protect the privacy and data security of users, the internet regulator said on Friday.
Service providers must abide by business ethics and principles of fairness and should not set up algorithm models that entice users to spend large amounts of money or spend money in a way that may disrupt public order, the CAC said in a statement.
Algorithms should not be used to create fake user accounts and users should be given the option to easily turn off algorithm recommendation services, it said, adding that the draft is open for public feedback until Sept. 26.
The move comes amid a wide-ranging crackdown by Beijing on its internet sector, which has seen authorities target and punish companies on issues ranging from monopolistic behavior to consumer privacy.
Earlier this year, the Chinese Consumer Association criticized internet companies for misusing personal data and "bullying" people into purchases and promotions. State media have since issued multiple calls for regulating the use of such algorithms.
Internet companies globally use algorithms to predict user preferences and make recommendations. In China, this would include firms such as e-commerce giant Alibaba Group, ride-hailing firm Didi Global and TikTok owner ByteDance.
China recently passed a data security law that will go into effect on Sept. 1 to protect internet users' rights in cyberspace and impose curbs on its fast-growing internet industry.
