The year 2021 was turbulent in many respects, including in the areas of cyber security and data protection in China. In addition to increased enforcement of the Multi-Level Protection Scheme (MLPS) in China, the implementation of which has been legally binding for companies in China since 2017 (see our webinars), many new regulations in the area of data protection have been published or are already effective. The Personal Information Protection Law (PIPL) and the Data Security Law (DSL) are the most important of these. Both have been in force since fall 2021 and will form the basis for further regulation in this area.
The laws only provide an approximate framework that leaves much room for interpretation and requires further legal clarification. Above all, operators of critical infrastructure, and thus indirectly also their suppliers, are subject to stricter technical, organizational and procedural requirements. But other data processors will also have to adapt to new regulations. It is already foreseeable that
- the transfer of important and personal data abroad will be further regulated and controlled,
- data localization requirements will apply above certain data volumes,
- more documents will have to be produced in Chinese to prove data protection measures,
- controls on legal data collection and use will be strengthened,
- controls for compliance with legally mandated cybersecurity measures (implementation of the MLPS) will be strengthened, and
- fines for cybersecurity and data protection violations will be issued more often and in higher amounts.
We expect that the outstanding issues will be addressed in 2022 so that companies can and should proceed with the practical implementation of the PIPL and the DSL.