Beijing With its new rules on data transfer, China is increasing control over the companies operating there and, according to experts, is driving digital unbundling from other countries. For German companies, the regulations that have been in force since September 1 could result in costs running into the millions, for example if it becomes necessary to set up separate data storage in China.
In the future, transfers of so-called “important data” and larger amounts of personal data abroad must be approved by the Chinese cyber supervisory authority CAC. Multinational companies would have to brace themselves for stricter enforcement and compliance with data protection regulations, says Rebecca Arcesati, an analyst at German China think tank Merics. This could “force more companies to store data in the country”.
She assumes that the CAC and other supervisory authorities have “great discretion” as to which data is classified as important and must therefore be stored locally in the future. In this way, politicians can determine the “degree of interoperability between China’s digital economy and the rest of the world” and thus accelerate digital unbundling.
However, many details are still unclear and local authorities often do not know how the regulations are to be implemented, says Jost Wübbeke from the consulting firm Sinolytics, which specializes in China. “It’s like the jungle right now,” he says. He expects an extremely fragmented, uncoordinated process in the coming years. This is particularly difficult for large companies with many subsidiaries.
Top jobs of the day
Find the best jobs now and
be notified by email.
Large companies and tech groups in the focus of cyber supervision
Wübbeke assumes that the supervisors will initially focus on the large companies. These include the tech companies Alibaba, Baidu, Tencent, but also other tech companies listed in the USA. Last year, the cyber regulator accused the taxi service provider Didi of endangering national security with its US IPO.
>> Read also: All-clear for US shares from Alibaba, Baidu, Tencent and Co.
When it comes to foreign companies, the expert sees car manufacturers and financial service providers in particular as the authorities’ target. Both industries process large amounts of sensitive data. Other critical sectors are energy supply, telecommunications, tourism, but also industrial companies.
In principle, every company that transfers data from China abroad is affected by the new law, be it personnel, customer, factory or operational data. This ultimately determines the CAC.
He assumes that certification by an external test institute will be necessary for approval. The easiest way to comply with the new law is to set up a cloud storage solution in China. However, this creates expensive duplicate structures that could cost millions of euros. Even the advice and any necessary certifications by test institutes can be expensive and not worth it for every company.
German car manufacturers with their own data centers in China
The large German companies such as the car manufacturers BMW, Daimler and Volkswagen already have their own data centers in China in order to comply with the increasingly strict data protection regulations there.
At Volkswagen, it is said that it is still too early to assess whether the new law will require additional infrastructure. While the company basically welcomes the fact that the new law now regulates data exchange more clearly, this would result in “expenses” in the short term.
Many aspects of Chinese data protection regulations are based on the German General Data Protection Regulation (GDPR). That is why German companies in China are “well prepared if they already manage their data protection matters in compliance with the GDPR,” says Susanne Rademacher, partner and China office manager of the law firm Advant Beiten. However, there are some additional requirements.
Small and medium-sized companies in particular would face “not inconsiderable challenges” due to the respective requirements and sometimes tight deadlines for implementation. In addition, some of the new regulations also apply retrospectively.
The German Chamber of Commerce (AHK) in China also knows how great the need for advice is among German companies. Several hundred participants took part in the events it offered on the subject of data and cyber security.
More: Test drive in “E-Town”: Why China could overtake Silicon Valley in robotic taxis