Cybersecurity, Data, and Personal Information Compliance for EU SMEs in China

Report | 8 September 2022

The security of data, together with its flow and accessibility across borders, is a fundamental element of business and innovation activities.

Companies constantly use data generated from R&D or collected from customers in different locations to improve their products or develop new ones, often relying on teams based in other countries.

Over the past years, China has made significant efforts to strengthen its governance system for cybersecurity, data, and personal information protection. Complementing the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) came into effect in September and November 2021 respectively, stipulating a series of obligations not only for actors based in China but also for those based elsewhere that process data or personal information generated in China. These obligations also cover everyday practices such as uploading Chinese data to clouds hosted abroad, managing Chinese human resources, or selling products through Chinese e-commerce platforms. As a result, many EU SMEs operating in or with China reached out to the EU SME Centre asking whether they would be able to continue their business as usual. In practice, although they face higher compliance requirements and costs, and with the exception of certain data-intensive sectors (such as ICT, automotive and life sciences), EU SMEs are less affected than Chinese domestic companies and large MNCs – especially if they already comply with the GDPR. This report illustrates why.

After introducing the legal framework, its applicability as well as terminology, this report digs into the specific provisions of China’s CSL, DSL, and PIPL, as well as other key regulations, departmental rules and technical standards which are gradually shaping China’s governance system. The aim is to provide a practical and easy-to-navigate overview of the compliance requirements that EU SMEs need to follow, from the perspective of cybersecurity, data security and personal information protection.

Special focus is dedicated to:

  • Localised data storage requirements – usually not applicable to EU SMEs, as they are neither Critical Information Infrastructure operators nor processors of personal information above the volume threshold that triggers mandatory domestic storage;
  • Cross-border data transfer procedures – with most SMEs being in a position to use the least strict mechanisms, i.e., the Standard Contract or certification, instead of a CAC security assessment;
  • Compliance tips and actions that EU SMEs should take to prevent disruptions to their business in China.

The third section of this report also includes a list of 15 Frequently Asked Questions focusing on practical issues and scenarios commonly encountered by EU SMEs. These include, for instance, how to upload information from Chinese business activities or staff to servers hosted abroad, how to deal with website cookies, how to limit impact through anonymisation of personal information, who bears responsibility when working with third-party vendors, and what requirements SMEs must follow when selling via Chinese e-commerce platforms.

Finally, two annexes complement this report. The first is a detailed list of the factors that guide the identification of important data – one of the issues that has received the most attention from European companies in China; the second provides a detailed overview of how networks, data and personal information are further categorised into different classes and grades based on their risk and impact – e.g., under the Multi-Level Protection Scheme 2.0.

Contents

Executive summary

1. Background and legal framework
1.1. Main actors involved

2. Key regulatory content and requirements
2.1. Applicability and key subjects
2.2. Definitions and classification of data and personal information
2.3. Obligations and requirements
   Cybersecurity requirements
   Data security requirements
   Personal information protection requirements
2.4. Data storage and cross-border transfer requirements
   Localised storage of data and personal information
   Cross-border transfer of data and personal information
2.5. Penalties for non-compliant cases

3. Tips and Frequently Asked Questions
3.1. Compliance tips for EU SMEs
3.2. FAQs

4. Annexes
4.1. Annex 1 – Guidelines for the identification of important data
4.2. Annex 2 – Classification and grading of networks and data