Don’t get caught with your guard down — global data protection is a serious matter for foreign-invested businesses operating in China

In global business, the obligation to protect valuable data is paramount for enterprises. 

This month marks the third anniversary of the Cybersecurity Law of the People’s Republic of China (CSL). Equally, last month was the second anniversary of the General Data Protection Regulation (GPDR). Since the implementation of these measures, enforcement of both has continued to expand and compliance for companies remains an important issue. In June, Horizons regional partner Lucia Netti served as a panellist on a much-viewed webinar addressing global data protection for enterprises. The event — Global Data Protection: from the US to Europe to China – safeguarding digital information is your responsibility — was hosted by Consulegis, an international network of independent law firms, in-house lawyers and related professional advisors.  

The global data protection webinar shared key insights and best practices for business related to the process of safeguarding important information from corruption, compromise or loss. Specifically, in a globalised world, The importance of data protection increases as the amount of data created and stored continues to grow, calling upon businesses to establish compliance models which safeguard data and reduce the risk of liability. To this end, Lucia Netti, an in-demand speaker on the topic, provided insights into how foreign companies can safeguard data under China’s CSL and how CSL is differentiated from the GDPR. Since the promulgation of CSL, Horizons has been involved in a number of CSL cases. From our experience in these cases, we offer three insightful takeaways as follows:

1 – COVID-19 Personal Data Protection


In the resumption of work, companies in China were strictly required to collect and report on the daily health of employees under governmental COVID Measures and Public Emergency Law of the People’s Republic of China. Specific personal data such as name, health and ID number, and travel history were regularly collected and reported to local authorities in order to prevent the spread of COVID-19. In this instance, any personal data collected and processed within a network was and continues to be required to be handled in adherence to CSL. Authorities were quick to enforce data protection and issue fines for violations, such as data leakage or usage of collected data outside the scope of usage; these instances were considerably high.


Horizons advised several multinational manufacturers to implement a COVID-19 personal data protection policy.  As a technology app was utilised to monitor and record individual travel histories, daily health and names of employees, Horizons established a consent agreement for employees that included the outlining the purposes, means and scope of collection and use of information as according to CSL provisions. What’s more, personal data obligations were outlined in a COVID-19 employee policy, clarifying that any mishandling of data was clearly defined as misconduct and would bear liabilities.

2 – Network Security Assessment


While GDPR is primarily focussed on the protection of individual’s rights around the collection and processing of personal data, CSL focuses on supervision and management of information and network systems. CSL subjects network operators who collect, save, transmit, exchange and process information to establish measures to safeguard this information and prevent virus attacks.

CSL obligations are enforced diligently by both local government departments such as the Cybersecurity Coordination Bureau in Beijing, among others. Penalties for violations include rectification, warning and confiscation of illegal gains or fines from one to ten times the illegal gains (violators with illegal gains may be subject to both confiscation and a fine). Where there is no illegal gain, a fine of up to RMB 1,000,000 may be imposed.


Horizons performed several CSL security assessments for foreign companies in China. These assessments highlighted internal vulnerabilities within a company’s IT system(s) based on the requirements of CSL. Examples include:

  • Unclear internal management and operational rules which left IT systems vulnerable to hackers or enabled network users to disseminate illegal information within social groups.
  • Collection of personal data which did not disclose the purposes, means and scope to the network user.
  • Failure to obtain clear consent from network users.
  • Failure to put in place monitoring procedures to record and monitor network security incidents.

Through the CSL security assessment, we tailored a CSL procedure and policies for employees, ensuring the necessary provisions of CSL were implemented into the management of the IT system.

3 – Ecommerce Obligations


On 1 January 2019, the China E-commerce Law came into effect to regulate e-commerce businesses, provide consumer protection and foster the development of the E-commerce industry in a sustainable, healthy manner. For foreign companies establishing an e-commerce website in China, written content published on the website is required to strictly adhere to the provisions of CSL and E-commerce Law. Specifically, consumers are entitled to a right to know and right of choice. Information of commodities or services is to be disclosed in a comprehensive, accurate and timely manner. False or misleading publication, such as fictitious deals and fabricated user comments, is strictly prohibited. Publication and dissemination of illegal information by network users or network operators is strictly prohibited and subject to penalties.


Horizons advised a multinational retailer to establish a China e-commerce website in compliance with E-commerce Law and CSL. Consultation included the drafting terms and conditions for user accounts in order to publicly inform users on the use and scope of personal data collection, implementing e-commerce procedures for employees to prevent the publication of prohibited materials, website security maintenance, labilities for any misconduct when handling personal data, and instalment of malware, among other items. 

As Lucia Netti highlighted during the global data protection webinar, CSL differs from GDPR in that the protection of data is centralised on the security of the collected data and companies are obliged to ensure network collecting and processing of such data is secure and monitored. For foreign companies in China, CSL compliance is paramount as CSL enforcement is a high government priority.

If you have questions or concerns related to global data protection, corporate digital governance and associated digital tools or other corporate matters, please contact Horizons at +86 21 5356 3400 or to schedule a consultation session. From RMB 1,500 per session, Horizons can provide insight, expertise and the right solutions for you. 

Horizons Corporate Advisory helps clients solve complex problems, thrive and be inherently responsible in their business activities worldwide. The countries and special administrative regions we operate in include Belarus, Brazil, Bulgaria, China, Colombia, Cyprus, Egypt, France, Germany, Hong Kong SAR, Indonesia, Italy, Kazakhstan, Macau SAR, Malta, Mexico, Mongolia, Morocco, The Netherlands, Nigeria, Portugal, Russian Federation, Serbia, Spain, Switzerland (French and German-speaking cantons), Turkey, United Kingdom, United States of America and Zambia.