A report released Wednesday says China’s evolving data, privacy, and cybersecurity regimes will come at a high price for companies doing business there.
The report, How American Companies are Approaching China's Data, Privacy, and Cybersecurity Regimes, was produced by the U.S.-China Business Council, which represents more than 260 U.S. companies that operate in the China market.
“The American business community in China must now navigate an increasingly complex regulatory environment that includes new and growing requirements ranging from data localization, government reviews of certain data flows across borders and prescriptive cybersecurity requirements for hardware and software procurement,” states a release from the USCBC.
“American companies recognize the legitimate need for data, privacy, and cybersecurity safeguards in China and globally," USCBC President Craig Allen said in the release. "Our members seek to comply with those safeguards without hindering mutually beneficial, long-term, digitally driven growth.”
USCBC senior vice president in China Matthew Margulies also said in the release, “American companies want and need to leverage their global strength in China, but they worry that the costs, complexity and nature of China’s data and privacy frameworks increasingly will limit their ability to do so.”
China has developed vast data, privacy, and cybersecurity regimes over the past five years “in the hopes of protecting personal data and strengthening national security,” the report states.
Researchers conducted interviews with officials from more than 30 U.S. companies, asking about their data privacy, and cybersecurity compliance challenges as well as their plans for dealing with the Chinese efforts.
“While many countries have also begun regulating data more tightly, the environment in China is uniquely restrictive,” the report states. “New laws, regulations and standards are particularly challenging for multinational firms operating in China because their operations, products, and services rely on fast and fluid cross-border data flows.”
Douglas Barry, USCBC’s vice president for communications and publications, told Globe Banner the report will have “extensive distribution within China, including ministries with regulatory and compliance authority.” He said it was seen by a massive audience.
“I calculated from the press generated by the report just today that 25.5 million people around the world have access to key points,” Barry said. “China watchers and policy people in the U.S. will be interested in seeing how China is reacting to national security concerns. Others may see it as China pursuing its own version of decoupling by placing restrictions on how data can be used, especially by U.S. and other foreign companies.”
The report focused on “core challenges.”
“Data localization, prescriptive cybersecurity rules and restrictions on cross-border data flows, a combination of data localization rules, prescriptive cybersecurity requirements, and cross-border data transfer security-review requirements makes China one of the most restrictive major economies in data and cybersecurity governance," the report said.
“Draft policies stand to further this trend, significantly increasing the cost of doing business in China, disrupting global systems, and limiting the types of goods and services foreign companies can bring to the country," it added.
“Regulatory ambiguity, [which is] the practical details of several of the most consequential laws and regulations are unclear or undefined, including the definitions of key terms, the agencies of jurisdiction, whether rules are mandatory or voluntary, and the scope and thresholds of data localization and cross-border data transfer reviews," the report noted. “While USCBC expects these rules to be published in the future, companies are already experiencing associated enforcement challenges."
The report noted that “inconsistent regulatory enforcement [means] companies increasingly report pressure to comply with regulations despite the lack of practical steps for doing so.
The level and type of enforcement vary across both regions and industries, leaving companies unsure how to comply," the document said. "Companies’ responses to this evolving legislative and regulatory landscape vary greatly depending on the industry and types of data they collect in China. At minimum, all interviewed companies indicated that they are mapping their data flows and assessing their business structure for any necessary adjustments."
What impact does USCBC hope to have?
“Mainly that China authorities will positively respond to the foreign business communities calls for more clarity and specificity on how to comply,” Barry told Globe Banner. “The regulations in general are overly broad and vague. No company wants to be out of compliance. Some experts say it will take years to sort it all out, and that’s a long time to operate with such uncertainty. What are the costs of compliance? They are sure to be considerable, but nobody knows for sure.”
He said it’s unclear if the Chinese government will react or respond.
“We don’t know,” Barry said. “However, we often weigh in with comments on pending rules and regulations that affect our members. We’ve had some success with our advocacy efforts.”
The report was compiled by Antonio Douglas and Hannah Feldshuh “during the past several months,” Barry said.
Feldshuh is a manager on the business advisory services team in the USCBC Beijing office. “Before joining USCBC, she worked in policy research and public affairs consulting,” her online biography states. “She has also interned at both the U.S. Trade Representative and the Center for Strategy and International Studies.”
Douglas is a business advisory services manager for USCBC.