The Chinese Cybersecurity Law and digital marketing

Disclaimer: This article should not be seen as legal advice. We strongly recommend to seek legal advice on applying the regulations to your specific circumstances, and disclaim any liability in connection with the use of this guide.

To protect personal information and privacy, the Chinese Communist Party issued the Personal Information Protection Law (PIPL) on August 20, 2021. It complements the the Cybersecurity Law (CSL) and the Data Security Law (DSL), which came into effect in 2017 and 2021, respectively. While China has been drafting a series of other related implementation regulations and national standards, these three are considered the cornerstones of the overall data protection and cybersecurity legal regime in China.

The requirements regarding personal data collection are surprisingly similar to the European Data Protection Regulation. Any company serious about the Chinese market should take these regulations serious and consider them part of the investment needed to succeed China along with a physical and legal presence. In this Article, we’ll cover the basic scope, risks, and risk mitigation measures companies need to be aware of.

For sales and marketing, the main principles can be summarized as follows:

  1. Personal data must be stored in Mainland China; transfers abroad must obey strict rules
  2. Data collection must be limited in scope and lifespan, and requires explicit user consent
  3. Data protection measures must be put into place

Affected Companies & Data

Like the European Data Protection Regulation (GDPR), the law defines personal data as any data that enables the identification of a person, either on its own or in combination with other data. Examples include name, identification number, birth date, email address, phone number, or IP address. This affects most digital sales and marketing tools, e.g.:

  • Marketing automation tools, e.g. for sending of email and SMS campaigns
  • Login and registration areas on your website (e.g. member/client areas)
  • Contact forms
  • CRM systems, e.g. Salesforce
  • Electronic payments
  • Ecommerce: order management, shipping and handling
  • Reservation Systems for event bookings
  • Online customer service tools
  • Any online membership database
  • Web analytics tools that detect personal data such as IP addresses

Similar to the GDPR, the CSL distinguishes between two kinds of data processors: Critical Information Infrastructure Operators (CIIOs) and Network Operators (NOs). CIIOs are organisations that

  • Belong to strategic sectors such as energy, finance, etc.
  • Operate an IT infrastructure platform
  • Collect and process high data volume (exact values to be defined)
  • Incur high monetary damages in case of a data breach (exact values to be defined)
  • Process data on behalf of a CIIO (the same requirements apply)

A Network Operator, on the other hand, is any company operating a network of interconnected computers. Most manufacturers and distributors fall under this category. They have to follow less strict requirements regarding data collection, security, and usage.

Without differentiating between the 'data controller' and 'data processor', the PIPL instead allocates liability and compliance requirements to a 'personal information handler', which refers to any organisation or individual that independently determines the purpose and method of processing in their activities of processing of personal information. This definition suggests that the term 'personal information handler' under the PIPL resembles the concept of 'data controller' under the GDPR.The following article will focus on this type, as it is more relevant to our clients and readers.

Key Risks

Companies that break the new law despite initial warnings may face various penalties:

  1. Fines and confiscation of illicit gains.
  2. Website and online systems suspension for rectification
  3. Revocation of business licence in China
  4. Detention

While the fines are lower than specified the GDPR, a website shut down or business license revocation of course pose major risks. As for the risk of detection, highly visible multinationals are of course most likely to be investigated. SMEs should beware of possible future rewards for whistle-blowers.

Risk Mitigation

Let’s look at the specific requirements under the main principles:

Personal data must be stored in Mainland China; transfers abroad must obey strict rules

Under the PIPL, personal information can only be transfered personal information overseas when if the operator meets at least one of the following conditions:

  1. having passed the security assessment organised by the national cyberspace authorities;
  2. having undertaken personal information protection certification conducted by professional agencies in accordance with the regulations of the national cyberspace authorities;
  3. having signed a contract with the overseas receiving parties in accordance with the standard contract formulated by the national cyberspace authorities, to stipulate the rights and obligations of the parties, and supervising their personal information processing activities to ensure that the personal information protection levels under the PIPL are met; or
  4. meeting other conditions stipulated by laws, administrative regulations or the national cyberspace authorities.

It must further take any necessary measure to ensure that the processing of the personal information carried out by overseas recipients meet the standards of personal information protection provided in the PIPL. They must also obtain consent of the data subject, providing the information to be processed, the processing purpose and method, the contact information of the overseas recipient, and how they can exercise their rights against the recipient. Furthermore, cross-border transfer of personal information is also subject to a personal information protection impact assessment.

It is therefore recommended to keep personal data on a locally hosted infrastructure in China, for instance on a local CRM system. Many companies still fail to comply with this regulation, as they use popular cloud services with servers outside China, e.g. Salesforce. To get prepared, multinationals like Apple are already moving their hosting to China.

Data collection must be limited in scope and lifespan, and requires explicit user consent

Consent collection requirements of the new law are very similar to the GDPR. It must be:

  • A “clear affirmative action” taken by the subject (user, customer, employee etc.)
  • Freely given, not forced
  • Explicit, specific, informed, and unambiguous
  • Documented in detail
  • Easily withdrawn

Pre-ticked checkboxes and implicit consent to collect data and to send marketing communications will not be acceptable anymore.

Furthermore, only data that is absolutely needed to realize the business function (e.g. product delivery) may be collected. For complex situations such as personal recommendations, this is tricky to define. In these cases, it’s best to check for any data point if it was needed for service at the time it was requested. Whenever the necessity is not clear, it’s better to drop the data point.

Data protection measures must be put into place

Where possible, use data collection and analytics tools that can be self-hosted in the Chinese cloud

Consider hosting all data collection systems in mainland China: establish local instances of your infrastructure. Liaise with all your third party service providers and make sure all personal data storage and processing is compliant, switch to compliant providers when required. Use a website IP location online tool to identify the hosting location, e,g, Iplocation. Foreign web analytics vendors (Hotjar, Mixpanel, Google Analytics, etc.) for instance, can be replaced with a self-hosted Matomo on your AWS China Cloud.

Aggregate data for headquarter reporting

If your cloud services (e.g. BI or CRM tools) only collect and receive data aggregates or anonymized information from your Chinese activities, you are likely lawful. Compliance risks start whenever the data contains information that can be directly linked to a specific individual, e.g. an IP address. It is generally recommended to reduce outbound transfers of such data to a minimum. Where needed, outsource the self-assessment to a certified service provider and document the need and level of related risks. Processes implemented in Europe for GDPR are a good baseline.

Avoid collecting data you do not need

Avoid collecting personal data that is not needed for your transactions and for improving your services and campaigns. Also, as long as the anonymization process is irreversible, the data transfer is compliant. For web analytics, avoid cookies that can be attached to a specific individual. In particular, avoid collecting IP addresses. Also avoid sending decipherable email address and other personal addresses in links (this is a general best practice that should be followed anyway).

Collect permission for new contacts and gain repermission for existing contacts

Go through all your data collection systems and make sure the user is fully informed on the scope of data collection and usage. Make sure consent is clearly collected, recorded and timestamped, keep screenshots of the consent form. Ask for explicit consent the moment you want to start collecting customer data. Communicate the process clearly and unambiguously, allowing the data subject to opt-in or opt-out its consent, access and control their own data at any time. Inform individuals of the scope of data collection, timeframe, and which parties the data will be shared with.

Neither the law nor the regulations are explicit for any data collected prior to the CSL. But like the GDPR in Europe, we can reasonably assume that the obligations apply retroactively to your existing database. You must then either

  • Delete all pre-existing personal information records, or
  • Repermit: go back to the individuals whose personal data you have stored, and collect their explicit consent

There is plenty of documentation on repermission techniques for email databases in context of the GDPR.

If you have been binding personally identifiable data to WeChat follower profiles, you can send a broadcast message asking for consent to all of the followers in this situation, just as you would do for email or SMS channels. But with low opening rates on average, we recommend more interactive methods such as automated conversations.

Finally, update your privacy policies to cover all points required by the law.

Make sure data is stored securely

Encrypt all data and use HTTPS for all your web properties and sFTP for file transfers. Set up a backup & system redundancy policy, encrypt backups and “cold store” them (disconnected from any network).

Set up network protection systems (such as firewalls, antiviruses etc.) to protect against the leakage / modification / destruction of data. Keep records of all network accesses (logs) and security incidents. Write down an internal security policy and train the employees accordingly (e.g. password rotation rules). Name in your organization an IT security manager in charge of defining and applying the processes, or outsource security management to a specialized provider.

The best protection is to setup clear, documented processes internally to ensure compliance: risk assessment checklists, training procedures and materials, establishing working groups and so on. These will show good will on your part should a check happen, maximizing your chances to only receive a warning and a rectification order should the authority interpret some of your activities in violation of the regulation.

All data must have a precise shelf life, limited to the shortest time needed to realize the purposes it was collected for. After the period has expired, the information shall be deleted or anonymized. We recommend auditing each tool with your marketing, IT, and legal counsel to understand what data is collected and if it’s processed and stored in a compliant way.