Understanding cybersecurity and data protection in China

Before a UK company sets up in China, it’s key to weigh up cybersecurity risks – for this, early research and expert advice are both vital

In association with The Week and CBBC

China has established itself as a global superpower, growing its GDP to become the second-largest economy in the world behind the USA. Its influence on the global stage is expected to expand even further, with a recent McKinsey Global Institute report finding that between $22 trillion to $37 trillion could be at stake in the global economy by 2040 depending on China’s involvement.

Last year saw UK exports to the region worth £30.7 billion. Furthermore, China represented 4.4% of all UK exports and its sixth-largest export market (a sharp rise from being the 26th biggest in 1999). It’s a territory with significant potential for UK businesses, particularly those in the tech sector where China is hungry to embrace cutting-edge innovation.

Before a UK tech company sets up in China or enters into a partnership with a Chinese business, it’s vital to weigh up the risks and challenges from a data protection and cybersecurity perspective. For tech companies especially, where a strong digital foundation is required, there are not only complex rules and regulations to get to grips with, but also risks around control of your sensitive data and commercial information.

Plus, if you’re aiming to establish an IT presence in the region then you could find yourself behind China’s Great Firewall (GFW). The GFW heavily regulates and censors the internet, blocks access to many ubiquitous Western websites like Google, Facebook and Twitter, and slows down cross-border internet traffic. Foreign companies are required to adapt to these regulations if they want to do business in China.

 

Navigating cybersecurity and the cloud

The Chinese Cybersecurity Law governs cybersecurity and data in China and will shape how an organisation operates in the market. The law, established in 2017, has firm rules about the collection, use and transfer of personal data. For example, any data hosted in China that contains personal information on Chinese citizens, or data that’s deemed as sensitive, can not leave the country unless it has government approval. China’s personal data rules are similar to GDPR, and based on the subject giving opt-in consent.

If your business violates any of these laws then penalties may include fines or confiscation of equipment. It could also result in an ICP (Internet Content Provider) licence being revoked and its associated website being blocked. An ICP licence is required by every website in China and re-obtaining one can prove difficult and time-consuming. If you’re concerned about staying compliant then, fortunately, help is at hand. The China-Britain Business Council (CBBC) has produced an in-depth guide to cybersecurity law and data protection in the region. Also, the UK government website, Digital and Tech China has a dedicated resource to help answer questions about doing business with China. The site also includes specific guidance around cybersecurity law in the region.

There may be the temptation to navigate around these cybersecurity regulations by hosting company websites outside of China, but that presents a host of issues around usability. There’ll be latency as data navigates in and out of China’s networks via the GFW, crippling load speeds and shrinking SEO visibility. In a country that has almost 900 million mobile internet users (from a population of 1.4 billion), a sluggish website could end up derailing your progress. Partnering with a cloud service provider or a content delivery network (CDN) can help avoid this problem as your site will be available through a server in mainland China. However, keep in mind that any cloud provider must also be fully compliant with these regulations.

 

Privacy and data protection

An awareness of China’s National Intelligence Law is also a must for UK tech businesses. This law requires all organisations and citizens to cooperate with state intelligence agencies on request, and even guard the secrecy of any intelligence they become aware of or end up participating in. This could mean that any data your company holds in mainland China may have to be handed over to the Chinese government, regardless of which country that data came from.

It’s always worth consulting a lawyer before embarking on any Chinese venture. A good legal starting point is this report from Sweden-based law firm Mannheimer Swartling, which analyses how Chinese National Intelligence Law applies to companies owned by a Chinese parent company against those owned by a non-Chinese parent company.

These data rules may cause some technology firms to be anxious about whether their IP could be exposed when operating in China, however there are specific laws such as the Patent Law and Trademark Law to help protect intellectual property. It’s worth noting that China, like many markets, has a first-to-file trade mark registration system, meaning international trade marks are not automatically protected unless they are registered in China first. For advice on this, two good places to start are industry bodies techUK (which represents the tech industry in the UK) and the CBBC – both work with a range of experienced legal advisors to help companies navigate these challenges.

Taking steps to protect your assets, data and IP is crucial for any UK business considering setting up in the region. Counterfeiting and intellectual property rights (IPR) infringements are major issues in China, so it’s important to be watertight in that regard. The UK government has an IP Health Check tool that can answer your questions and provide guidance on protecting IP, while the Intellectual Property Office has an IP attaché team in China available to offer advice on navigating issues in the region.

 

UK law and support

Considering regulations back in the UK is also something businesses need to consider. If your business operates in China and your technology is drawn into human rights violations or contributes to the Chinese military then this can lead to reputational damage and potential legal implications if it’s deemed you have violated UK Export Controls. This is derived from China’s Military-Civil Fusion policy, which grants the government power to deploy technology developed within China for military purposes.

For UK tech companies with global ambitions, China is a region full of potential and opportunity. To unlock it, though, due diligence is required and a certainty that any venture has been thoroughly-planned and thought out. Managing cybersecurity and data protection issues are challenging enough on home soil; doing it overseas even more so. Fortunately, bodies like the CBBC and techUK, and the UK government’s Department for International Trade (DIT) offer businesses advice and guidance on protecting themselves and finding ways to expand into the Chinese market.