Are China’s New Data and Cybersecurity Regulations a Wolf in Sheep’s Clothing?

As the Year of the Sheep gets underway, it is already apparent that the Chinese government will not be living up to the meek reputation of its zodiac representative—at least not as far as data and cybersecurity are concerned.

In January, the State Administration for Industry and Commerce of the People’s Republic of China published a new law, the Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers, which will become effective on March 15. The Measures reflect several provisions of 2014’s Law on the Protection of Consumer Rights and Interests, which requires businesses to obtain consumer consent before collecting their personal information and to adopt measures to keep that information secure.

However, the Measures go beyond that law, defining what constitutes personal information for the first time in Chinese law: “a consumer’s name, gender, occupation, date of birth, identification card number, address, contact information, status of income and assets, health status, and consumption habits.” Previously, various Chinese regulations broadly defined personal information as any identifying information.

Companies that fail to comply with the Measures may be subject to civil liability as well as stiff penalties, including fines of up to $80,000, forced closure of the organization for remediation, or revocation of the company’s business license. Although the Measures are directed at consumer transactions, they will likely serve as a touchstone among the patchwork of other Chinese regulations that govern the collection and use of personal information.

In addition, China has proposed some troubling cybersecurity rules. Last week, the government published a second draft of anti-terror legislation that would require companies to keep their servers and user data inside the country. The law would also compel technology firms to share their encryption keys with the government and install security “backdoors,” jeopardizing the security of their data. The draft is expected to become law in two shakes of a lamb’s tail (within the next few weeks or months).

To avoid being led like lambs to the slaughter, companies should monitor these developments and ensure their policies governing the collection and use of personally identifiable information comply with the law. They should also investigate what, if any, data they currently store in China and consider whether they should transfer it to another jurisdiction.

If transferring data isn’t feasible, companies and their counsel should explore creative technology approaches to processing and reviewing data on-site.