China’s data regulations need more ‘clarity’, EU companies say in survey
- Member companies of an EU business association have asked for more detail on key terminology in China’s data security rules
- Perceived ambiguities have increased compliance costs and a heftier burden on business operations, according to a representative survey
A decisive majority of European companies has expressed a desire for China’s cybersecurity regulators to clarify legislation on cross-border data transfers to mitigate uncertainties in business operations and reduce compliance costs, according to survey results published on Wednesday.
The poll, conducted by the European Union Chamber of Commerce in China, showed that 81 per cent of participating companies would like further clarification on what constitutes “important data”, 59 per cent wanted the same for “personal information” and 39 per cent were hazy on the definition of “critical information infrastructure”.
Each of these terms appears prominently in the text of pertinent regulations, and an acute understanding of their meaning is essential for adherence.
Of the chamber’s more than 1,700 member companies, 762 were asked 19 questions from October 16 to 27. The poll was administered as Beijing intensifies its efforts to build a framework for data security through legislation, viewed as crucial for boosting the country’s digital economy and safeguarding national security.
“European companies would welcome more clarity on key terms related to cross-border data transfer, including precise definition of both ‘important data’ and ‘personal information’”, the chamber said in its published report on the survey.
07:30
Why China is tightening control over cybersecurity
Additionally, 41 per cent of companies in the survey said they would prefer any proposed new rules on cross-border data transfers to be synchronised with existing statutes.
To improve data regulation, China issued draft regulations on standardising and promoting cross-border data flows in September and closed the window for public comment a month ago. It provided a list of exemptions for security checks in transferring “important data” and personal information overseas, a move intended to alleviate worries over compliance.
However, the survey showed “a strong desire” for the exemption to be extended to personal information processing.
China’s ‘crisis of confidence’ curable, EU business head says in call to action
The vast majority of information flowing out of China consists of internal transfers to companies’ headquarters or other regional offices, the chamber said.
“These types of transfers pose a relatively low level of data security risk as companies can apply uniform data protection mechanisms both on the side of the sender and the recipient,” it added.
Chamber vice-president Stefan Bernhart said in the survey launch briefing on Wednesday that while companies are still looking for clarity, the most severe consequence of the latest data regulations is an increase in the costs of their China operations.
01:18
Chinese vice-premier urges Brussels to ‘exercise restraint’ in countering Beijing’s trade tactics
“For most companies, compliance costs have increased, and for our members, who are [mostly] small and medium sized enterprises, that is a cost that has an impact on their business in China,” Bernhart said.
Of the companies polled by the chamber, 59 per cent have seen a rise in compliance costs, and 31 per cent said they have had to improve their data security management.
Bernhardt noted that this also means many companies have to “localise” their data by setting up new data centres in the country or storing data without exporting it.
According to the report, 11 per cent of surveyed companies are expecting the cost of switching from their current data approach to comply with security assessments to cost up to hundreds of millions of Euros.
China aims to put auditors in cross hairs as national security concerns rise
While only 2 per cent of surveyed members said they have shifted investments to other markets as a direct result of data regulations, 41 per cent of respondents said they have localised or are considering localising their IT system.
The chamber also said companies that are most likely to be affected by China’s security checks would be large multinational companies that handle large volumes of customer or employee data, or businesses with data itself as their core product.
“The consumer sector naturally generates massive customer data,” said Dakai Liu, vice chair of the chamber’s cybersecurity working group. “And the accounting industry, because when you audit your client you are not narrowed down to one specific sector.”
He added that businesses related to the military, basic government functions, finance and energy will have higher risk exposure.
02:54
French and EU leaders visit China to discuss trade and the Russia-Ukraine war
But the impact of regulations on companies’ business strategy has been limited so far, the chamber said, and they also have had a positive impact on some businesses, as “31 per cent of respondents indicated that complying with them contributed to the strengthening of their own data protection mechanisms”.
Regulators were also asked to take more legitimate business needs into consideration and ensure a “positive spirit of opening up” is carried over to the sectoral rules.
‘We’re not optimistic’: China economists offer critical takes on FDI outlook
At the same time, it has placed renewed emphasis on national security, bolstering data protections across major industries ranging from telecommunications to finance. Companies looking to do business in China have been flummoxed by what appear to be contradictory goals.
