Since the ultimate goal of any business is to better serve its clients, collecting information from them is inevitable. However, clients’ information often contains sensitive personal information, so the collection, processing or sharing of such data require prior consent and follow certain procedures. In cases of non-compliance, significant fines up to 5% of a company’s annual revenue may be imposed, as well as a dozen other potential sanctions.

Therefore, it is critical for businesses to fully understand data compliance legislation, and to adopt a well-structured compliance system.

The Data Security Law (DSL) and Personal Information Protection Law (PIPL) were promulgated and implemented in 2021. Together with the Cybersecurity Law, which took effect in 2017, the three laws constitute the basic legal framework on data governance in China. They have different emphases: the National Security Law, the Cybersecurity Law and the DSL focus on the protection of national security and public interests, whereas the PIPL focuses on protection of personal information rights and interests during the processing of personal information.

Under the above-mentioned legal framework, various legislative departments and regulatory agencies have issued implementation requirements. Meanwhile, industry-specific regulatory commissions and industry organisation bodies are also updating industrial rules accordingly, and national standards are being formulated, offering practical guidance. For example, the Cybersecurity Review Measures was promulgated on 4 January 2022, and came into force on 15 February 2022.

In general, the legal framework in the field of data governance has taken shape, with specific regulatory rules and practical guidance gradually established and improved.

According to incomplete data collected by the 21st Century Economic Herald, administrative penalties related to violation of information collection imposed by the People’s Bank of China (PBoC), the China Banking Regulatory Commission and the State Administration of Foreign Exchange totalled 119 in 2021 alone, with the total amount of fines reaching RMB46.5 million (USD6.9 million).

The above-mentioned penalties generally relate to financial institutions’ failures to conform to the regulations of either personal data protection or cybersecurity. Such violations mainly include: failure to collect and use personal information in accordance with regulations; inquiry of personal information or corporate credit information without consent; failure to inform the subjects before disclosing their personal misconduct information; or leaking of customer information.

The PIPL and the DSL necessitate that a security management system be set up to ensure the secure management of data in their lifecycle, including their collection, storage, use, processing, transmission, provision and disclosure. Data security management should be incorporated into the entire workflow and pervade each specific business process.

In particular, data compliance requirements in the banking and financial sector are higher than those in other industries. The PBoC issued the Financial Data Security – Guidelines for Data Security Classification on 23 September 2020, administered by the China Financial Standardisation Technical Committee (CFSTC). The guidelines stipulate that financial data should be classified into different levels, each demanding different sets of general compliance obligations and respective requirements throughout the data lifecycle, including their collection, use, storage, transfer and deletion.

Although the guidelines are more suggestive than compulsory, they could nevertheless serve as an important reference before an official data compliance regulation is introduced in the banking sector, especially considering that the CFSTC is governed and managed by the PBoC and so recognised to a great extent foreshadow upcoming industrial regulations.

Highlights of data compliance review by stock exchanges and the CSRC. Any company seeking an initial public offering (IPO) on Chinese stock exchanges must pass a strict pre-IPO compliance review according to rules set up by the China Securities Regulatory Commission (CSRC), offering the public a chance to gauge the level of compliance of a given company as the stock exchange ensures its compliance with data protection laws enacted in late 2021.

Pursuant to incomplete data analysis of IPO cases from 2017 to 2022, the review inquiries of stock exchanges in data compliance differ with times and industries. Prior to the enactment of the DSL and PIPL in 2021, the commercial side of compliance was accorded more attention. In the past 15 months, however, data security management, data lifecycle management and updates of data laws and regulations became the primary concerns, demonstrated by the following trends.

Setting up a data security system to ensure compliance. There are roughly two lines of inquiry, the first being whether a system has been set up to secure data collection and processing; and second, whether there have been any incidents or sanctions in respect of data security.

Compliance management throughout data lifecycles. Data collection is the beginning of data lifecycles, and is thus critical to overall compliance. Frequent inquiries made by stock exchanges include whether the source of data is legal, regardless if date were actively collected or purchased. For companies planning to be listed, stock exchanges tend to focus on whether the scope of actual use of data exceeds the pre-agreed limit. Therefore, the source, category, manner of collection and authorisation of use are all subject to review.

Data processing is another crucial step. When reviewing high-tech companies, stock exchanges closely scrutinise the processing of data for any overuse or other forms of infringement. If data processing constitutes an inseparable component of a company’s main business, the stock exchanges will examine whether its data processing practice differs significantly from the common practice of the industry, and whether industry practice in turn conforms to the law.

Quick response to legislative updates. With the legislation on data protection continuing to evolve, stock exchanges scrutinise whether a company can promptly adapt to changes brought by future legislation, and whether it has implemented appropriate mechanisms to detect potential risks of non-compliance.

Conforming to the data protection law is a compulsory obligation of all businesses operating in China. The authors believe it is essential for companies to set up a sound data compliance mechanism, complete with well-rounded business processes and data lifecycle management. The mechanism should be reviewed annually and updated when necessary.