As China looks to more tightly regulate its burgeoning tech sector, some New Zealand businesses could be caught up in new privacy rules
Kiwi businesses who handle the personal data of Chinese citizens may need to seek legal advice over the country’s tough new privacy laws even if they are not based there, according to a new government briefing.
China’s data security law, which came into effect in September last year, and its personal information protection law, which entered into force in November, have been seen by some as part of a wider crackdown on its powerful tech sector – but there are nonetheless some flow-on effects beyond its borders.
In a market intelligence briefing for New Zealand businesses released this month, the Ministry of Foreign Affairs and Trade (MFAT) said the Chinese reforms were part of its elevation of data “to a key economic resource expected to drive future … growth”.
“In this context China’s new data governance framework can be seen as an attempt to establish a system of ‘law-based governance’ where the economic benefit of ‘safe’ data can be realised, while sensitive data are identified and protected.”
MFAT said China’s data security law was mainly focused on the regulation of data handling and processing that could have a national security impact, and covered all individuals, companies and government departments involved in the collection and use of data in the country.
Among the requirements for affected Kiwi businesses were the establishment of data security management systems and training, while a “hierarchical system for data protection” was also being set up to categorise data according to its importance in “economic and social development, as well as the degree of danger to national security [and] public interests”.
The personal information protection law had “some potentially far-reaching rules and obligations for those handling personal information in China or relating to Chinese citizens”, MFAT said, as it explicitly covered foreign organisations which processed personal data overseas in order to provide “products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers”.
“Because many Chinese government authorities, including central ministries and local governments, possess some degree of legislative power, a vast array of lower-level rules and regulations could potentially be used to circumvent the [law].”
“The implication of this extraterritorial application is that foreign entities in this position will have to establish designated agencies or appoint representatives based in China to take responsibility for issues related to the handling and protection of personal information.”
The wide scope of the laws meant New Zealand businesses operating in China, or those outside China but handling data on Chinese citizens, would need to stay informed about their obligations and seek legal advice as appropriate.
While some have described the laws as among the most strict in the world, others have questioned how much of a difference it will make to the privacy of Chinese citizens.
Writing for Project Syndicate, University of Hong Kong law professor Angela Huyue Zhang said that while the personal information law required businesses and government agencies to obtain individual consent before processing personal information, they were exempted from doing so when there was a “statutory basis”.
“Because many Chinese government authorities, including central ministries and local governments, possess some degree of legislative power, a vast array of lower-level rules and regulations could potentially be used to circumvent the [law],” Zhang said.
The law also failed to create an independent data protection agency, she said, “leaving enforcement to a patchwork of national- and local-level regulators which tend to be thinly staffed”.