The New Chinese Security Laws and their Implications for (Foreign) Businesses
Microsoft offices © ClearCutLtd/ Public domain/ Pixabay
LinkedIn closed its Chinese localized version in China, and Microsoft has designed a new job-oriented app specifically for the Chinese market, InCareer, already available for download in China. As Yahoo followed one month after and left China, citing a challenging legal and business environment, you might be curious to know what lies behind it. Most of it has to do with Chinese new legislation.
Microsoft announced that its localized version of LinkedIn would cease operations in China on October 14, 2021 on the grounds that the company was “facing a significantly more challenging operating environment and greater compliance requirements in China” (Shroff, 2021).
News on the topic from the U.S. most popular media outlets, like New York Times and the Washington Post, connected the decision to China’s ban on other foreign tech companies like Facebook, Google and Youtube. They have also described the case as a new example of censorship, highlighting how LinkedIn has censored content published on social media in order to comply with Chinese regulations.(“LinkedIn was right to leave China. It’s discouraging anyway”, 2021; Weise and Mozur, 2021).
Chinese state-owned news agency Xinhua has reacted to such declarations by Western media quite firmly, blaming the BBC, the New York Times and the Financial Times for false reporting, claiming that these outlets “hyped up the social networking platform’s ‘China demise’ by giving the wrong impression that the company decided to quit the Chinese market.” In fact, according to Xinhua, LinkedIn “denied such claims on its official Weibo account and called the reports ‘untrue’” (“Xinhua Commentary: Western media and its compulsive anti-China bias“, 2021). The agency also criticized Western media for being biased, naming in particular the BBC and the New York Times, and referred to the growing lack of credibility of Western media reporting on China (Mu, 2021).
Nevertheless, and surprisingly, both Western media and Xinhua told the truth about the LinkedIn case. Indeed, LinkedIn was facing a challenging environment due to Chinese regulations on data security, which ultimately brought Microsoft to shut down its Chinese version of LinkedIn. However, Microsoft will keep being present in the Chinese market through its search engine Bing (Tilley and Lin, 2021) and has just launched a new job-oriented online platform, InCareer - previously announced with the name InJobs, specifically created for the Chinese market (Feng, 2021).
Interestingly, InCareer will deal with the issues that brought to the closure of LinkedIn by simply avoiding them. The new social network will bypass potential regulatory complications by not including a social feed or the ability to share posts or articles (Shroff, 2021). It is thus evident that Microsoft does not intend to leave the Chinese market. On the contrary, Linkedin’s shutdown now looks more like a step to better adapt its operations to the Chinese regulatory landscape.
The reason for Microsoft’s decision may be traced back to the difficulties the company was encountering to comply with the new data security laws recently enforced in China. 2021 was a particularly active year for Chinese data protection regulations, as two new pillar laws became effective and more implementing regulations were designed. Currently, the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law constitute the three fundamental data protection laws in China. Whilst the Cybersecurity Law was passed already in 2016, the Data Security Law and the Personal Information Protection Law were enacted at the end of 2021 (Luo, 2021). The subsequent implementation and enforcement of such legislation are under the purview of the Cyberspace Administration of China (CAC), the central internet control agency of the People’s Republic of China (Lee et al., 2021). These regulations have already proved to have an impact on the Chinese market, especially for foreign businesses involved in China.
Firstly, the Cybersecurity Law was the first legislation covering data security in China, addressing a considerable deficiency. The law passed in November 2016, and became effective in June 2017. The Cybersecurity Law (CSL) focuses on the protection and regulation of data that are considered important to national security, that is, data that if destroyed, leaked, or illegally obtained or utilized, may negatively impact national security, economic security, social stability, public health, public security or public interests more in general (Luo, 2021).. The first major implication of this piece of legislation is the imposition of obligations on network operators in accordance with their classification within the Multi-Level Protection Scheme, which categorizes networks depending on their criticality for national security on a scale from 1 to 5. Secondly, the law provides a regulatory framework for critical information infrastructure (CII) operators, defined as important network facilities and information systems in China that, in the event of damage, shut down or data leak, may seriously damage national security and interests. The CII includes networks in the field of public communications and information services, energy, transportation, water conservation, finance, public services, e-government, defence technology industry, and other critical industries that will have sectoral regulators who designate CII according to their rules.
The law also establishes a cybersecurity review mechanism for network products and systems. Even though CII and MLPS do not apply to networks whose servers are located outside of China, networks outside of Chinese borders that deal with sensitive data may have to localize their servers in China and establish an office to process data within China. The aim of this is to prevent that data from being part of cross-border flows , however, in the event a cross-border data transfer is needed for business reasons, a security review would then be carried out (“China’s cybersecurity regime”, 2021). Furthermore, in August 2021, China’s State Council released the Security Protection Regulations on Critical Information Infrastructure, an implementing rule of the CSL, which imposes much stricter rules to the operators of CII in terms of data security and cross-border data transfer (Ju, 2021).
The cross-border data transfers contained in the CSL were then fully dealt with in the Data Security Law (DSL), which also counts with a strong focus on protecting national security. The law applies to data processing activities within China’s territory which are detrimental to national security, public interest or Chinese citizens’ rights and interests. At the same time, the law creates more restrictions on cross-border transfers of important data, creating a more complex operational environment for companies with international presence. Above all, the most relevant element of the DSL is the creation of a data classification system, according to which the government can classify the data based on its level of importance and provide security standards for each type of data. The law then defines general security obligations for data processors at large; for instance, it imposes companies to establish a data security management system, it regulates how companies should collect and use data, and requires firms to monitor potential risks and, in case of incident, to react prompty and inform users (Wang et al., 2021) DSL will perhaps have more impact on companies that possess data that relates to national security and public interest, including those with a large volume of personal data, like statistical data and derivative data based on massive personal information, or critical infrastructure and critical industries, such as financial, medical and key technologies. Therefore, it is crucial for businesses to begin an internal evaluation to understand in which categories the data they handle may fall (Ju, 2021). It is expected that implementing rules will follow in the next year to give a systematic explanation of cross-border data transfer regulations, and a detailed description of the data categorisation.
Lastly, the third security data law, namely the Personal Information Protection Law (PIPL), came into force on November 1, 2021, and was created with the aim of protecting personal data of natural individuals. It has been compared to the European Union’s General Data Protection Regulation (GDPR) as it gives individuals control over their personal data. Interestingly, the legislation requires foreign organisations that possess personal information of individuals in China for market purposes to establish designated agencies or appoint a representative in China (“Personal Information Protection Law of the Mainland”, 2021), which means companies will need to hire personnel dedicated to such subject in China, and carry out procedures specifically for China.
For what concerns businesses like LinkedIn, the new set of regulations probably looks even more overwhelming than the summary just above. There is indeed the possibility that foreign companies will be forced to hand over sensitive information to the Chinese government, in addition to having their servers located in China and accept security reviews (“China security law tightens control of cyber security”, 2021). Given that the legislation includes penalties and sanctions, which may amount to several million dollars, and statistical data based on massive personal information might be regarded as important data, Microsoft’s decision to delete the social feed, and stick to job posting, may now be better understood.
Yahoo, which made the same decision to cease operations in China on November 1, 2021, the day the PIPL became effective, as a result of “the increasingly challenging business and legal environment in China” provides further clarity on LinkedIn’s ultimate fate (Soo, 2021).
Concerning China’s increasingly challenging business environment, it is worth noticing that the Chinese market of social media apps, even in the case of job-oriented internet services, is already highly competitive. Even though LinkedIn had around 54 million users in China, making it the second largest market for the company after the United States, it was not dominant in China if we consider the overall Chinese market for this sector. Chinese users have multiple other options to choose from, including Chinese companies like Boss Zhipin and Maimai. Nonetheless, LinkedIn counted with a competitive advantage in the sense that its international platform allowed users to seek jobs or employees from outside China. t (Wertime, 2021; ZEN SOO Associated Press, 2021).
Finally, one may ask, why does Microsoft not just delete its social feed and leave the LinkedIn app? The company may have had multiple reasons, ranging from a legal perspective to a more business-related argument. But whatever the reasons, the fun fact is that the localized version of LinkedIn was named “ling ying”, (meaning “leading elites” in Chinese), leading users in China to mock the name, as its Mandarin pronunciation sounded something like "the spirit of an unborn child" (Wertime, 2021). May InCareer have a better future.
Vanessa Spadetto is part of the European Guanxi Editor group and is currently pursuing a master degree in International Relations and Diplomacy, at Shanghai University SHU, China. She holds a Double BA degree in Chinese Language and Civilization at “La Sapienza” University of Rome, and has studied abroad at SHU and Beijing Foreign Studies University BeiWai. Dedicated, with an appetite for knowledge, she is particularly interested in the international field of European advocacy, relations, and politics, with a focus on Sino-EU relations. You can find her at Instagram, LinkedIn, and Twitter.
The opinions expressed here are those of the writers and do not represent the views of European Guanxi.
Do you have an article you would like to share? Write for us.
BBC (2015). China security law tightens control of cyber security. BBC News. [online] 1 Jul. Available at: https://www.bbc.com/news/world-asia-china-33340322 [Accessed 6 Dec. 2021].
Ju, Z. (2021). China Passes New Data Privacy and Security Laws. [online] The National Law Review. Available at: https://www.natlawreview.com/article/china-passes-new-data-privacy-and-security-laws [Accessed 6 Dec. 2021].
Lai, K. (2021). PRIMER: China’s Data Security Law. [online] International Financial Law Review. Available at: https://www.iflr.com/article/b1vdlcy3c367qc/primer-chinas-data-security-law [Accessed 6 Dec. 2021].
Lee, A., Sacks, S., Creemers, R., Shi, M. and Webster, G. (2021). China’s Draft Privacy Law Adds Platform Self-Governance, Solidifies CAC’s Role. [online] DigiChina. Available at: https://digichina.stanford.edu/work/chinas-draft-privacy-law-adds-platform-self-governance-solidifies-cacs-role/ [Accessed 6 Dec. 2021].
Lin, A.T. and L. (2021). LinkedIn Social Network Is Leaving China, but Microsoft Remains. Wall Street Journal. [online] 15 Oct. Available at: https://www.wsj.com/articles/linkedin-social-network-is-leaving-china-but-microsoft-remains-11634321277.
Luo, D. (2020). China - Data Protection Overview. [online] DataGuidance. Available at: https://www.dataguidance.com/notes/china-data-protection-overview.
Feng, C. (2021). LinkedIn launches China-only app without social feed. [online] South China Morning Post. Available at: https://www.scmp.com/tech/big-tech/article/3159968/linkedin-launches-new-app-china-without-social-feed-after-shutting?module=perpetual_scroll_0&pgtype=article&campaign=3159968 [Accessed 14 Jan. 2022].
Mu, C. (16AD). Foreign Media Face a Trust Crisis in China. [online] thediplomat.com. Available at: https://thediplomat.com/2021/07/foreign-media-face-a-trust-crisis-in-china/ [Accessed 6 Dec. 2021].
Office of the Privacy Commissioner for Personal Data, Hong Kong (n.d.). Personal Information Protection Law of the Mainland. [online] www.pcpd.org.hk. Available at: https://www.pcpd.org.hk/english/data_privacy_law/mainland_law/mainland_law.html.
Shroff, M. (2021). China: Sunset of Localized Version of LinkedIn and Launch of New InJobs App Later This Year. [online] blog.linkedin.com. Available at: https://blog.linkedin.com/2021/october/14/china-sunset-of-localized-version-of-linkedin-and-launch-of-new-injobs-app.
Soo, Z. (2021). Yahoo pulls out of China, citing “challenging” environment. [online] news.yahoo.com. Available at: https://news.yahoo.com/yahoo-pulls-china-amid-challenging-110457049.html [Accessed 6 Dec. 2021].
The Washington Post (2021). Opinion | LinkedIn was right to leave China. It’s discouraging anyway. Washington Post. [online] 1 Nov. Available at: https://www.washingtonpost.com/opinions/2021/11/01/linkedin-china-departure-free-expression/.
Turner, N. (2021). Yahoo Quits China in Wake of LinkedIn Exit as Media Hurdles Grow. Bloomberg.com. [online] 3 Nov. Available at: https://www.bloomberg.com/news/articles/2021-11-03/yahoo-pulls-out-of-china-following-linkedin-in-cutting-ties.
Wang, X., Swaminathan, A., Sussman, H., Hu, M. and McKenney, R. (2021). China’s New Data Security Law: What International Companies Need to Know. [online] www.orrick.com. Available at: https://www.orrick.com/en/Insights/2021/09/Chinas-New-Data-Security-Law-What-International-Companies-Need-to-Know.
Weise, K. and Mozur, P. (2021). LinkedIn to Shut Down Service in China, Citing “Challenging” Environment. The New York Times. [online] 14 Oct. Available at: https://www.nytimes.com/2021/10/14/technology/linkedin-china-microsoft.html [Accessed 27 Oct. 2021].
Wertime, D. (2021). What really brought down LinkedIn’s China play. [online] Protocol — The people, power and politics of tech. Available at: https://www.protocol.com/why-linkedin-left-china.
ZEN SOO Associated Press (2021). Chinese users have mixed feelings about LinkedIn departure. [online] ABC News. Available at: https://abcnews.go.com/Business/wireStory/chinese-users-feelings-mixed-linkedin-pulling-80657719 [Accessed 6 Dec. 2021].