China’s internet regulator is reaching out to foreign firms, including Walmart Inc. and PayPal Inc., to discuss ways to navigate Beijing’s new data-security rules, an effort to reassure multinationals worried about their ability to operate in the world’s No. 2 economy under the latest regulations.
Officials from the Cyberspace Administration of China met with executives from dozens of international firms to ease their concerns about the new data regime ahead of a final November deadline for implementation, people familiar with the matter said. Regulators took questions, offered guidance on how to adhere to the rules and acknowledged the challenges of clinching approvals for overseas transfers of sensitive information, said the people, asking not to be identified talking about a private meeting. They discussed creating a fast-approval mechanism for routine transfers, as well as a curated “white-list” for data categories or even specific companies, one of the people said.
The new data laws have sparked widespread anxiety at foreign firms and triggered drastic changes in a handful of cases. The law firm Dentons split off its Chinese operations this month, while Morgan Stanley shifted more than 200 technology developers — about a third of its tech cohort — out of mainland China. Beijing’s new rules give President Xi Jinping’s administration the power to shut down or fine companies that leak or mishandle sensitive information. Penalties include fines and suspensions.
Every company in every industry with China operations has to figure out how to navigate the data laws because the penalties for non-compliance can be so severe, said Carolyn Bigg, head of DLA Piper’s data privacy and cybersecurity teams in Asia.
“Your systems will be blocked in China or you will not be able to carry on transferring Chinese personal data outside of China if you do not comply,” she said. “This is not just compliance for compliance’s sake.”
The new data laws were intended to exert control over the valuable information that powers the economy and future technologies, but have come under fire for disrupting the free-flow of information that multinationals need to operate globally, drive research and devise long-term strategy.
Beijing is increasingly making overtures to foreign and private enterprises, considered critical to reviving an economy threatened with deflation. The State Council, China’s cabinet, pledged over the weekend to streamline data transfers in a 24-point plan aimed at addressing longstanding concerns held by foreign companies in the country. Some measures proposed include a “green channel” for foreign firms that meet certain requirements, according to a policy document published online. The Chinese government will also help Beijing, Shanghai, Tianjin and the Greater Bay Area that includes Hong Kong devise a list of general data that can be freely exported.
Walmart, the world’s largest retailer by sales, was among the foreign cohort that sat down with the CAC in Beijing, one of the people said. PayPal and BC Education, the British-backed English learning institution, were also among the attendees, the people said. Walmart declined to comment. A BC Education spokeswoman said in a statement that no staff member was invited to a meeting, and that it always complied with local laws in China. Representatives for PayPal did not respond to requests for comment.The CAC didn’t respond to a faxed request for comment.
Read more: Global Law Firm Retreats From China Ahead of Data Crackdown
The discussions aligned with recent signs that officials are willing to throttle back on some of the regulatory clampdowns that emerged in 2021 and 2022 as the economy struggles to climb out of a Covid trough.
Beijing tightened restrictions over the troves of information produced within its borders as a means to wield control over the data that powers growth and future technologies such as AI. The moves are also driven by national security, coming alongside the passing of a new anti-espionage law and other measures to clamp down on potentially sensitive data flowing overseas.
Beyond difficulties in obtaining approvals for the transfer of large amounts of personal information, foreign players have also expressed concerns about a requirement to share data with regulators during the approval process, potentially forcing them to divulge internal security procedures and mechanisms. AmCham China has cited data management, along with preferential tax policies and support for companies focused on research and development, among several priority areas that need policy improvements.
Financial institutions, automakers, electronics firms and consumer retailers are among the more active multinationals in the country. Volkswagen AG, General Motors Co., Starbucks Corp., Intel Corp., Tesla Inc. and Apple Inc. are some of the largest household names with extensive Chinese operations. Tesla reiterated on Monday night, via a statement on its official Weibo account, that it is storing all Chinese data locally after local media highlighted potential security concerns.
But banking in particular is considered one of the more sensitive sectors because of its integral economic role, and is party to valuable data on Chinese borrowers.
Morgan Stanley’s remaining staff on the mainland have started to build a standalone China system to comply with local regulations. The new infrastructure, which may cost hundreds of millions of dollars, will be incompatible with its legacy global platforms as the lender overhauls its Asia strategy of handling client records.
“It’s hard to face up to the consequence of having to entirely stop data flows and the impact that that has on being able to service your China customers,” said Bigg of DLA Piper. “There’s a contractual liability there if you don’t turn your attention to this.”
--With assistance from Zheping Huang and Peter Elstrom.
(Updates with BC Education’s response in the eighth paragraph)
