OPINION

Notes from the Asia-Pacific region: China signals pragmatic data compliance approach for SMEs

China is signaling a more pragmatic regulatory approach that eases personal data compliance costs and burdens for small, low-risk businesses, while strengthening enforcement and protections in high-risk scenarios and industries.


Contributors: Barbara Li, CIPP/E, Partner, Reed Smith

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

Recent developments in China clearly demonstrate that the country's data regulators are taking a more pragmatic approach, balancing reduced compliance costs and burdens, especially for small and medium-sized enterprises, against stronger protection of personal data.

When I advise on data compliance matters, one of the most commonly asked questions is whether China's data laws allow for some relaxations on personal data protection requirements. Here comes the good news. On 3 April, the Cyberspace Administration of China issued the consultation draft of the Simplified Measures for the Protection of Personal Information for Small Personal Information Processors. It is open for public consultation through 2 May. 

In the draft, the term "small-scale personal information processor" refers to an entity that processes the personal information of fewer than 100,000 individuals. Qualified entities are allowed to adopt simplified measures to meet the compliance requirements for personal information protection.

Some notable simplified steps include: simplified privacy notification and consent methods; enabling business organizations to rely on the consolidated compliance support provided by the online platforms and business/technology parks where they have business operations; and relaxations on personal information protection impact assessments and audits. 

These simplified measures are applauded by SMEs. Even some multinational corporations are able to reduce compliance costs and burden and enjoy greater efficiency, as many engage in business-to-business operations and are not likely to trigger the threshold of 100,000 individuals. 

It is important to note, however, that there is no simplification for the collection and processing of sensitive personal information and cross-border data transfers.

Around the same time the simplified measures were issued, the CAC, Ministry of Industry and Information Technology, and the Ministry of Public Security released an official announcement launching a special campaign on personal data protection. 

The campaign aims to bolster personal data protection and crack down on some prevalent violations in apps and software development kits, which include failure to publish a transparent privacy policy, collection of personal data without consent or excessive collection, onerous account cancellation procedures, inadequate security measures, and potential risks of data breach or leakage.

Online advertising platforms are required to rectify noncompliant practices such as failure to notify users of data use for targeted advertising, lack of one-click opt-out mechanisms for personalized advertisements and unauthorized sharing of user data with third parties. 

The authorities have specifically targeted four high-priority industries: financial, education, health care and transportation. 

Noncompliance can lead to serious punishments, ranging from regulatory investigations, removal from app stores, administrative fines and suspension of services to, in the worst case, criminal liability. Public whistleblower hotlines have been set up to receive reports of violations.

Taking these two developments together, it is very clear that regulators in China are keen to further balance developing the digital economy with personal data protection and compliance regulation. For small-scale data collection and low-risk scenarios, the authorities are happy to take a more relaxed approach to reduce the compliance burden for businesses and create a more business-friendly environment. But at the same time, for high-risk scenarios and in high-risk sectors, businesses must take necessary compliance steps and meet the baseline requirements, and SMEs are not an exception. 

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.
