
Institutions rightly expend significant resources ensuring staff understand GDPR and other domestic data protection regulations. However, when collaborating internationally, understanding the regulatory framework of your partner country can be equally important. This is especially true of a jurisdiction as large and complex as China, and one that has changed as rapidly.

China’s emphasis on cyberspace sovereignty as an aspect of national security underlies both its implementation of internet restrictions – often called the ‘Great Firewall’ – as well as a new suite of data protection legislation that started coming into force from 2017. Data transfer is now subject to a comprehensive set of regulations that significantly clarify what was previously a chaotic morass of rules.

For researchers who want to collaborate with Chinese peers, do field-based research inside China, or obtain datasets from Chinese-owned entities, understanding this new framework is vital.

A Slow Legislative Build Up

Pre-2017, there was no comprehensive national data protection legislation in China.

Data protection was instead handled by the various functional ministries, often overlapping and conflicting with one another, or varying across provincial borders. This meant every single partnership needed to negotiate data access afresh, often with little consistency.

Since then, three key pieces of legislation have come into place:

  • Cybersecurity Law 2017 (CSL)

Introduced a framework for comprehensive regulation of the privacy of electronically stored data.

  • Data Protection Law 2021 (DSL)

Provides more specificity about data localization, data export, and data protection requirements introduced by the CSL.

The DSL classifies data based on its impact on Chinese national security and regulates its storage and transfer accordingly.

Categories include “core data” (afforded the highest degree of protection) and “important data” (defined by functional ministries).

  • Personal Information Protection Law 2021 (PIPL)

Focuses specifically on personal information protection.

Together these laws provide an overall national data protection framework.

However, as with much Chinese legislation, the laws themselves are vague on implementation and it has not been until 2024 that the Cyberspace Administration of China (CAC) has published detailed rules for implementing cross-border data transfers.

The pace of the rollout of both the legislative framework and then the implementation guidelines has significantly contributed to the environment of multinational corporate uncertainty that has emerged over recent years.

National Security First

The good news for researchers is that the clarity of the new regulations should make it easier to transfer academic research data out of China, contingent on the data set not including either personal, important, or classified data.

However, the legislative framework foregrounds national security, rather than privacy, as the driving principle for data protection. Oversight and penalties are therefore strictly enforced and may make partners more risk averse than necessary.

Linked to this, in 2018 MoST introduced the ‘National Science and Technology Secrets Classification Management Regulations’, which detail the control of classified material. Many elite Chinese universities will hold government and military contracts and will have received security credentials at an institutional level, a personal level, or both. Unsurprisingly, disclosure of classified data is prohibited and there have been a number of high-profile cases where Chinese researchers have been prosecuted for such disclosure to international partners.

Understanding whether a current or prospective partner is working on projects that involve access to classified information is critical to protect both yourself and them from the potential ramifications of inadvertent data breaches.

Define Important

While the definition of personal data is intuitive, important data is more vague. Per Article 2 of the CAC implementation rules, “Data handlers shall identify and report important data”. Effectively this means that ministries or other governance organisations with legal oversight of a particular domain of data, or major organisations that produce and control such data, will be responsible for determining whether it is classified as ‘important’.

This is not necessarily a barrier to collaboration. But it means that, as with large (1M+) volumes of personal data, transfer of the set will require a data export licence from the CAC. Personal data sets containing fewer than one million records will require a standard data sharing contract between the partners.

This is likely to be a best practice regardless of the type of data that is being shared.

It is also worth noting that some other kinds of data are subject to specific restrictions and regulations, for example the Biosecurity Law (2021) and Implementing Rules of the Administrative Provisions on Human Genetic Resources (2023).

There is also the Export Control Law (2020) which handles transfer of materials, patents, and technological knowledge. It is worth noting that data collected that relates to a technology or materials subject to export control may similarly be barred from transfer even if the data itself is in a low-risk area such as environmental science.

Practical Implications for Research Collaboration

The new rules make it clear that the CAC is aiming to be as permissive as possible for academic partnerships, stating clearly that data is exempt from export licensing unless it contains personal information or has been specifically identified as containing important data.

The export licensing process has also been streamlined with a new online web portal to submit data export documents. CAC has also provided updated guidelines explaining the new procedures for data security export assessments, and when and how to use standard data sharing contracts.

Despite this welcome transparency and guidance, it is critical to keep in mind that the overall legal environment in China remains vastly different to the one you are familiar with. Talking to your partners about the type of data that will be generated, its classification, and whether it will need to be transferred is critical to avoid misunderstandings and potential roadblocks in your project. In particular, do not make assumptions that a particular type of data is easily accessible in China, even if it is normally accessible elsewhere.

It is also worth bearing in mind that the Free Trade Zones have been given leeway to develop their own rules on data export, to further encourage collaboration in those pilot areas. Where your partner is based, or where the data is being generated, may therefore also influence accessibility.

Finally, the legal system in the People’s Republic of China exists to uphold the government and the leadership of the Party. Projects and data that are deemed politically sensitive are likely to face significant challenges regardless of the legal framework.

Conclusion

There is a lot more detail than I can cover in this short article, but overall, the new rules should significantly clarify the process of sharing research data generated in China or between partners.

If you would like support understanding how these rules affect your collaboration, or need help negotiating a new partnership that includes data transfer, please get in touch.