The Personal Data Protection Law (PIPL), in force in China since November 1, 2021, has brought significant changes to the Chinese personal data protection system by regulating and unifying many of its aspects. One of the regulated elements is cross-border data flows, the most important principles of which are established in Articles 38-43 of the PIPL. Among the requirements introduced is the need to undergo a government security assessment, carried out by the state department for cybersecurity and computerization[1].
Zuzanna Choińska, graduate of the Faculty of Law and Administration of the University of Warsaw
The above-mentioned regulations are to be supplemented by the draft guidelines (Outbound Data Transfer Security Assessment Measures) issued by the Cyberspace Administration of China on October 29 and submitted for public consultation. The draft provides long-awaited details on the security assessment process that must be carried out before transferring a wide range of data outside China[2]. According to the draft, the assessment measures will aim to “standardize data exports from China” and “protect personal information, national security and public interest”[3].
The proposed guidelines, combined with the entry into force of the PIPL, are definitely bad news for Chinese digital platforms. The new regulations give the Chinese authorities additional tools and resources, as well as new powers that can be used to subordinate technology companies operating on the Chinese market, in particular in terms of access to the personal data they process, which is a valuable raw material for technology development. This is another step by the government to gain greater influence on market competition and corporate finances.[4] In this way, Chinese companies are forced into the closest possible contacts with the authorities, which is supposed to bring benefits in the form of government support, but also requires giving up their autonomy.
The new regulations also impose additional, unfavourable requirements on third-country technology companies operating in the Chinese market. They increasingly face difficult choices balancing data localisation, fragmentation of operations, regulatory risk and reputational risk. However, the biggest problem is the excessive control by the Chinese authorities, as well as censorship and the resulting cost increases. All of these factors have already led to the withdrawal of some multinational companies, such as Yahoo and Epic Games. LinkedIn also recently ceased to operate due to the requirement for better content moderation, which Microsoft has not decided to comply with.[5] In this way, step by step, technology companies will withdraw from the Chinese market, leaving room for domestic companies subordinate to the government.
The guidelines discussed here are another step towards strengthening the influence of the Chinese government on the activities of the private sector, and especially digital platforms. Based on the draft itself, it is impossible to predict what the final requirements will be. However, it can be assumed that conducting business by entities from third countries may be significantly hindered, or maybe even impossible, due to legal requirements. It will certainly become unprofitable, not only in economic terms.