Swiss trade with China is flourishing: Goods valued at more than 14 billion Swiss francs were exported to China in 2020. According to Swissmem, the Swiss association of the machinery, electrical engineering and metalworking industry, some 4.1 billion Swiss francs of this is attributable to machine exports. These figures make it clear: China is a key market for the local MEM industry, which is why Swiss IoT companies are increasingly considering gaining a foothold in the country with their own products and services.
A lot of planning and knowledge are needed, however, to successfully enter the Chinese market – especially when it comes to cross-border data traffic: “The Chinese government has long regarded data as a strategic resource and even declared it to be a production factor in the current five-year plan”, explains Markus Herrmann Chen, Managing Director of China Macro Group (CMG), a consultancy firm that specialises in China. “To enable this data economy, China is putting significant effort into the area of data protection and regulation – also beyond its own national borders.”
With this understanding, coupled with China’s vision of cyber sovereignty for nation states, the Cyberspace Administration of China (CAC) enacted various laws and standards to legally anchor data handling and data traffic in the corporate environment. The most important of these are presented briefly below:
Cyber Security Law (CSL), since 2017
CSL is the fundamental law for cybersecurity and data protection in China. Network operators – a term China interprets broadly to include ordinary company computer networks and company websites – are subject to a strict set of rules and are liable for non-compliance. In terms of content, the law covers the protection of personal data, network security, the protection of critical information infrastructure, data localisation, risk assessment for data transfers abroad, and the security testing of network products and services.
Data Security Law (DSL), since 2021
While the CSL remains rather general in its statements, the DSL sets out an overarching framework for China’s national data security. It introduces a categorised data security system that distinguishes between “core data” and “important data”. “Core data” is data that supports China’s national or economic security, the well-being of its citizens or important public interests; “important data” is the next level below core data. The precise definitions of both categories remain vague, however.
Personal Information Protection Law (PIPL), since 2021
PIPL is the first comprehensive personal information (PI) protection law in China. It defines the scope of personal data, clarifies the legal basis for processing this data, specifies the obligations and responsibilities of processors and imposes strict requirements on data localisation. PIPL is therefore an important law for China for protecting its interests in relation to the cross-border transfer of personal data. PIPL is often compared with the General Data Protection Regulation (GDPR) in force in Europe.
Data categorisation in China
The Chinese government introduced its own categorisation system for data with CSL, DSL and PIPL:
– Firstly, personal data is differentiated from factual data.
– Personal data is non-anonymised data on individuals. There is also a special category of sensitive personal data – data whose loss or illegal use would impair a person’s dignity or cause harm.
– As regards factual data, the subcategories of “core data” and “important data” were created in addition to “ordinary data”, whose export the Chinese authorities do not regard as sensitive. The first draft regulation did not permit ordinary data to be exported to third countries at all; following critical feedback on that draft, especially from industry, these strict provisions were relaxed.
The three laws CSL, PIPL and DSL are at the forefront of legislation and, in particular, regulate cyber security issues concerning hardware and data security. “These include implementing regulations that further specify various regulatory cross-section issues, such as management of data security or provisions for operators of critical information infrastructures (CIIO)”, explains Markus Herrmann. “The industry-specific implementation regulations follow at the third level. In this case, regulations for industry, telecommunications, transport, finance, technology, raw materials, education and health are each specified by industry-specific regulators.”
MLPS 2.0: Security certification is absolutely mandatory
Companies also need to pay particular attention to the Multi-Level Protection Scheme 2.0 (MLPS 2.0) security certification, which is obligatory for all businesses in China, Chinese and foreign alike. Under this scheme, a company completes a self-assessment (self-grading) of the security of its networks against a catalogue of requirements, demonstrating that the network is adequately protected, for example against unauthorised access by hackers.
Based on the self-grading, networks are rated from 1 to 5 according to the level of damage that would be caused to various legal interests – individuals, public order or national security – in the event of data loss or network disruption. To gain certification, this grading must then be submitted to the local authority of the Ministry of Public Security (MPS). “From level three, a compliance test is carried out by an officially authorised testing agency and a gap analysis report is presented, which the relevant company has to work through to demonstrate full compliance with the MLPS 2.0 requirements”, adds Markus Herrmann. “The number of compliance requirements increases with each MLPS 2.0 grading – so about 310 requirements have to be fulfilled at level 3 and about 340 requirements at level 4.”
Martin Egloff is a Business Area Manager in the medtech and industry fields. He understands the special development processes in the medical environment and has many years of experience in interdisciplinary development and consulting projects in the areas of software, hardware, mechanical engineering and consulting.