China’s Tighter Tech Laws Could Stymie U.S. Demands for Data Handover, Legal Expert Says
Chinese companies selling shares on American bourses could capitalize on China’s tightening technology regulations to avoid U.S. data handover requirements, according to a legal expert, as Beijing tightens its grip on cross-border data transfers by firms listing abroad.
Chinese firms going public in New York could use the Chinese laws to resist U.S. regulators who ask them to hand over sensitive data in accordance with the Clarifying Lawful Overseas Use of Data Act, also known as the CLOUD Act, Wu Shenkuo, executive director of Beijing Normal University’s international center for cyberspace law, told an online seminar on Friday.
The legislation that could be used as legal weapons by Chinese companies are China’s Cybersecurity Review Measures, the new Data Security Law and Personal Information Protection Law, Wu said.
In 2018, U.S. President Donald Trump signed into law the CLOUD Act, which enables the country’s law enforcement agencies to obtain access to data owned and controlled by entities under American jurisdiction to facilitate investigation of serious cybercrimes, regardless of whether such data is located within or outside the U.S.
A U.S.-listed Chinese company may have a reason to turn down a data access requirement when it is under a cybersecurity review in China, depriving it of its right to transfer data overseas, according to Wu. Also, a technical inability to provide the data could also be used as a reason to fend off the requirement, Wu said, citing the legal practices of some companies he knows. Wu did not elaborate on the nature of the technical inabilities.
In July, China revised its Cybersecurity Review Measures to make clear that any Chinese firm that holds the personal information of 1 million or more users would need to seek a government cybersecurity review before listing abroad. This means that in the future almost all Chinese internet firms eligible to go public in the U.S. will come under review and could push Chinese companies to list domestically to avoid potential reviews.
The revision came a month after China’s top legislature passed the Data Security Law, which asks companies to classify their data into different categories based on risks and protect them accordingly. It carried a promise to impose hefty penalties on companies that transferred “core data” overseas without a government permit. The law came into effect on Sept. 1.
Chinese lawmakers also approved the Personal Information Protection Law in August, adding legal teeth to the country’s management of how personal data can be gathered and used. The law is set to come into effect on Nov. 1.
“Some big Chinese companies listing in the U.S. told us they were under less pressure from U.S. regulators over data handover after the passage of the Data Security Law and Personal Information Protection Law,” said Wu.
“In the process (of strengthening its management on cross-border data flows), China needs to focus on its related laws’ extraterritorial application,” said Wu. He added that it becomes more important when the “international scramble for data resources and demand for data governance are intensifying” amid global digital transformation.
While Beijing is strengthening its data management, Wu pointed out that Chinese companies seeking a listing have started identifying the regulatory tightening as a key risk for investors in their planned IPOs.
China’s artificial intelligence specialist SenseTime, which filed for a Hong Kong IPO in August, said in a filing that China’s changing regulations, especially toward sensitive data handling, could impact its business.
Contact reporter Ding Yi (email@example.com) and editor Michael Bellart (firstname.lastname@example.org)
Download our app to receive breaking news alerts and read the news on the go.
Get our weekly free Must-Read newsletter.
- MOST POPULAR