中国美国商会浏览中国的数据迷宫法规如何影响美国公司2019512页

VIEWPOINTTheAmericanChamberofCommerceinShanghai-ViewpointMay20192019:HowRegulationsAffectU.S.Companies’sViewpointseriesprovideinsightsandrecommendationsfromAmChamShanghaimembercompaniesonimportantpolicyissuesimpactingforeigncompaniesinChina.ThesereportsarebasedonextensiveinterviewsandresearchbytheAmChamShanghaiGovernmentRelationsteam.ThereportsareusedinAmChamShanghai’sadvocacyeffortswiththeChineseandU.S.governments.ABOUTUSTheAmericanChamberofCommerceinShanghai(AmChamShanghai),knownasthe“VoiceofAmericanBusiness”inChina,isoneofthelargestAmericanChambersintheAsiaPacificregion.Foundedin1915,AmChamShanghaiwasthethirdAmericanChamberestablishedoutsidetheUnitedStates.Asanon-profit,non-partisanbusinessorganization,AmChamShanghaiiscommittedtotheprinciplesoffreetrade,openmarkets,privateenterprise,andtheunrestrictedflowofinformation.AmChamShanghai’smissionistoenablethesuccessofourmembersandstrengthenU.S.-Chinacommercialtiesthroughourroleasanot-for-profitserviceproviderofhigh-qualitybusinessresourcesandsupport,policyadvocacy,andrelationship-buildingopportunities.Findusonlineat:SnapPrintingAmChamShanghaiwouldliketothankallintervieweesfortheircontributionstothisreport.May2019VIEWPOINT3ExecutiveSummaryInFebruaryandMarch2019weinterviewedcybersecurity,data,andITprofessionalsat17foreigncompaniesabouthowtheymanagethedatatheycollect,howwelltheyunderstandChina’sdataregime,andhowthecountry’sdataregulationsaffecttheirbusinessoperationsinChina.Thesecompaniesexpressedthatwhiletheyrecognizedtheimportanceofstrongerdatagovernanceandprotectionofpersonalinformation,theywereconcernedbytheonerouslocalizationrequirements,ambiguouslanguage,vaguenessinlegalrequirements,inconsistentimplementation,lackofinputindrafting,andoverlyexpensivesecurityassessmentsofChina’sCybersecurityLaw(CSL).KeyIssuesOnerousLocalizationRequirements.Datalocalizationrequirementsrepresentedbyfarthebiggesthurdleformostofourrespondentcompanies.Companiesalreadyincompliancebutcontinuingwithcross-bordertransfersmustalsoexpendsignificantcapitaltoanonymizethedatabeforesendingitabroad.CompaniesthatpurchasedatafromexternalsourcesmustalsospendtimeandmoneytoensurethatitcomplieswiththeCSL.AmbiguousLanguageinLaw.Companiesarestillunsureofwhatcountsas“importantdata”andwhichcompanieswillbeclassifiedas“CriticalInformationInfrastructureOperators.”Wordinginthecross-bordertransferrulesisunclearandtherearealsoindustry-specificambiguities,likeinhealthcare,wheregapsexistinthelawoverhowtoanonymizemedicalpatientdata.VaguenesswithLegalRequirementsandRecommendations.Manycompaniesareunsureofwhatwaslegallymandatedbystandardsandwhatwasjustarecommendation.Thisambiguitycausescompetitivedisadvantagetobusinessesthatinstitutecompany-wideprocessestofullycomplyoverthosethat“riskit”anddon’tcloselyfollowthesestandards.InconsistentImplementationoftheLaw.CompaniescomplainedaboutalackofcollaborationbetweengovernmentagenciesthatleadstoinconsistentimplementationoftheCSL.Insomeinstances,differentministriessuddenlypromulgatelawsthatcontradictearlierregulations.Similarly,companiesalsocomplainedaboutinconsistenciesbetweennationalandlocalimplementation.NoVoiceinDraftingofLaws.Manyofourmembersfeelthattheirvoicesareignoredbythegovernmentinthedraftingandimplementationoftheselaws.Thoughforeigncompaniesareabletosubmitpubliccommentstothedraftregulationsindividuallyorcollectivelyasagroup,theybelievethat“foreigncompaniesareexcludedorforgottensometimes”and“domesticcompaniesgettoknowearlierandmoreabouttheregulationchangesthan[foreigncompanies]do.”However,thisperceptionwasnotuniversalacrossourinterviewees—someofthelargerandmoreestablishedMNCsreportedampleopportunitytoengagewiththeregulatorsandparticipateintheregulationdraftingprocess.OverpricedSecurityAssessments.TheannualsecurityevaluationrequiredbytheGuidelinesforGradingofClassifiedProtectionofCybersecurityistooexpensive.Abusingadministrativepowerasaprofiteeringtoolisagainsttheprinciplesofpublicserviceandaddstothefinancialburdenofcompaniesinanalreadysofteningeconomy.RecommendationsForgovernmentOffermoreavenuesinadditiontopubliccommentperiodsforreceivingfeedbackfromdomesticandforeigncompanieswhendraftingregulations.Improvecoordinationbetweendifferentbodiestoensurelawsandregulationsareefficientlyrolledoutandallowlargemultinationalsampletimetocomply.Standardizetheimplementationofthelawatthelocalleveltoensureconsistencywiththenationallaw.SetclearfeestructuresforanysecurityassessmentsrequiredbytheCSLoritssupportingmeasuresanddon’tabuseadministrativepowerasaprofiteeringtool.ForcompaniesProactivelyimplementsolutionsaheadofthedeadlinetoeaseoperationalcomplianceandstemtheslowingofinnovation.WheretheCSLisunclear,benchmarkcomplianceprocesswithGDPR.Continuetoseekadvicefromregulatoryagenciesandengagewithgovernmentbodies.LawenforcementbodiesarebecomingmoreconfidentininterpretingandenforcingtheCSLsoexpectstrictercompliancestand