The US congressional hearing of the TikTok CEO this March has further divided opinion on data privacy and China. But what about personal data privacy in China? What do foreign companies need to know about data privacy when dealing with China?

Did you know that most multinationals in China have to file for a security assessment or take equivalent actions as required by the Cyberspace Administration of China (CAC) when transferring personal data to outside of China, and that this policy can be enforced since 1 March 2023, if not applied?

Which laws in China are about data

The Data Security Law, Cyber Security Law and the Personal Information Protection Law forms a comprehensive legal framework in the field of data security, that will protect data and tries to solve data leakage.

Personal information and the security assessment by CAC

The Personal Information Protection Law demands that if personal information is transferred out of China, that the processors obtain separate consent from data subjects, that there is a personal information protection impact assessment and that there is one of the following three requirements fulfilled:

- a successful CAC security assessment issued;

- certification from CAC approved institution;

- data transfer agreement with the recipient conform the template by CAC.

The Measures of September 1, 2022, made the security assessment requirement applicable to any company that wants to transfer 'important data' outside of China. Due to broad classification, most multinational companies would fall under this. Hence the Measures gave a six-month grace period to comply, which ended on 1 March 2023.

Revocation of business license and other heavy fines

For the Personal Information Protection Law companies could be fined up to 50 million RMB, but also even harsher penalties as suspending business, revoking business license, or even pursuing criminal responsibility could apply.

Who has applied for security assessment by CAC

At the current date, not many foreign companies have filed for data security assessments with the Beijing CAC.

Companies need to know how to protect whose data where

For companies it is key to know how data needs to be protected in accordance with China's laws. As there is a realistic chance that TikTok will get into further scrutiny in the USA, it would not be surprising if China will enforce its various Data Laws to punish companies that are not compliant.

As revocation of business license is one of the potential measures that can be applied, businesses could lose their right to operate on the Chinese market. Being compliant is now more than important than ever before, especially since the six-month grace period regarding the Measures of the Personal Information Protection Law is over. We can expect many companies to be getting into trouble very soon.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.