Over the past years, China has made significant efforts to strengthen its governance system for cybersecurity, data, and personal information protection. Complementing the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) came into effect at the end of 2021, stipulating a series of obligations not only for actors based in China but also for those based elsewhere yet processing data or personal information generated in China. These obligations also cover basic practices such as uploading Chinese data into clouds hosted abroad, managing Chinese human resources, or selling products through Chinese e-commerce platforms. As a result, many EU SMEs operating in/with China reached out to the EU SME Centre with questions about whether they would be able to continue their businesses as usual. In practice, though facing higher compliance requirements and costs, and except for certain data-intensive sectors (such as ICT, automotive and life sciences), EU SMEs are less affected than Chinese domestic companies and large MNCs – especially if they already comply with the GDPR. This report illustrates why.
After introducing the legal framework, its applicability as well as terminology, this report digs into the specific provisions of China’s CSL, DSL, and PIPL, as well as other key regulations, departmental rules and technical standards which are gradually shaping China’s governance system. The aim is to provide a practical and easy-to-navigate overview of the compliance requirements that EU SMEs need to follow, from the perspective of cybersecurity, data security and personal information protection.
Special focus is dedicated to:
- Localised data storage requirements – usually not applicable to EU SMEs, as they are not Critical Information Infrastructure operators and process generic data or personal information only below a certain threshold;
- Cross-border data transfer procedures – with most SMEs being in the position to use the least strict methods, i.e., Standard Contract Provisions or certification, instead of security assessment;
- Compliance tips and actions that EU SMEs should take to prevent disruptions to their businesses in China.
The third section of this report also includes a list of 15 Frequently Asked Questions, focusing on practical issues and scenarios commonly encountered by EU SMEs. These include, for instance, how to upload information from Chinese business activities or staff to servers hosted abroad, how to deal with website cookies, how to limit impact through anonymisation of personal information, who is responsible when working with third-party vendors, what requirements SMEs must follow when selling via Chinese e-commerce platforms, etc.
Finally, two annexes complement this report. The first is a detailed list of the factors that guide the identification of important data, one of the key issues that has received the most attention from European companies in China; the second annex provides a detailed overview of how networks, data and personal information are further categorised into different classes and grades based on their risk and impact, e.g., under the Multi-Level Protection Scheme 2.0.
1. Background and legal framework
1.1. Main actors involved
2. Key regulatory content and requirements
2.1. Applicability and key subjects
2.2. Definitions and classification of data and personal information
2.3. Obligations and requirements
    Data security requirements
    Personal information protection requirements
2.4. Data storage and cross-border transfer requirements
    Localised storage of data and personal information
    Cross-border transfer of data and personal information
2.5. Penalties for non-compliant cases
3. Tips and Frequently Asked Questions
3.1. Compliance tips for EU SMEs
4.1. Annex 1 – Guidelines for the identification of important data
4.2. Annex 2 – Classification and grading of networks and data