An entirely new legal framework governing data security in China has been introduced over the last few years, beginning with 2017’s Cybersecurity Law. This was followed in September 2021 by the enactment of the Data Security Law, establishing a system to classify data collected and stored in China according to its potential impact on national security. This was then joined by the Personal Information Protection Law, which was passed in August 2021 and came into effect in November.

The legislation has raised many challenges, both in terms of the short transition timeframe and the fact that some provisions remain ambiguous. Organizations await clarification while they try to make sense of the practical effects not only on operations in China, but on offshore data processing activities.

TMT and PMB sectors are first to feel the heat

The rash of legislation is part of a broader regulatory crackdown on large businesses and anticompetitive behavior. The technology, media, & telecom (TMT) sector has been the most obviously affected part of the economy so far, especially organizations who are deemed to operate ‘critical information infrastructure’. However, ‘critical information infrastructure’ is not defined in the legislation, leaving scope for interpretation.

Most businesses today, if not all, depend on information technologies and possess sensitive data. Though TMT has been the most impacted so far, data-rich companies in the pharma, medical, & biotech (PMB) and insurance industries are expected to come under increasing scrutiny.

Stricter compliance rules will weigh heavily on organizations and exacerbate risks in M&A.

Increasing scrutiny poses new challenges for M&A

Stricter compliance rules will weigh heavily on organizations and exacerbate risks in M&A. One response may be for would-be buyers to pursue alternative deal structures that invite less scrutiny or involve fewer liabilities.

The effect on listings is more explicit. As of mid-February, Chinese internet companies that hold personal information on more than one million users are required to participate in a network security review, administered by the Cyberspace Administration of China, before they list overseas, including in Hong Kong. Amid these developments, one might expect more companies to hold back from big-ticket moves before certain ambiguities are resolved.