As China steps up cybersecurity enforcement, smaller businesses are feeling the heat

As China moves to tighten security around its domestic data, law enforcement agencies are expanding efforts to monitor compliance across the country – from big tech firms to smaller street-level businesses. Now, businesses ranging from restaurants to foot massage parlours are being warned about punishments they face for failing to follow the country’s evolving cybersecurity regulations.

Last month, police in the city of Zhenjiang, in the eastern province of Jiangsu, carried out security sweeps at local businesses, issuing warnings to those that offered Wi-Fi without requiring real-name registration, local media reported on Monday.

Citing the country’s Cybersecurity Law, the warnings ordered the businesses to “rectify” their services, which failed “to implement technical safety protection measures”, as required by the law, according to the report.

As those police checks started making waves, police in Huaian, another Jiangsu city, began handing out similar warnings to a local foot massage boutique, citing the country’s Data Security Law.

The business was warned after police said it had stored customer information, such as names and identity numbers, which are deemed as sensitive data, without setting up sufficient security measures to protect the data.

The security inspections shed new light on China’s growing scrutiny of how companies handle personal data, as authorities continue to tighten their control over cybersecurity. Beijing has also been working on strengthening its data protection legal framework, which is considered a key pillar for national security.


New regulations on data protection include requirements that all companies that handle personal data conduct regular compliance audits. The rules come as Beijing this year scales up its anti-espionage efforts, with warnings over unauthorised acquisition of “documents, data, materials and items related to national security and interests”.

China enacted its Cybersecurity Law in 2016, stressing the need to maintain control of the nation’s sovereign cyberspace and national security. Building on that foundation, the Data Security Law was implemented in September 2021 to limit the ways data can be processed. The law also stresses the need to safeguard national security and interests, making the protection of data security a national security priority.

Alex Roberts, a Shanghai-based counsel for technology, media and telecommunications at law firm Linklaters, said the recent enforcement actions are a clear signal from Chinese authorities that any informal grace period is over, and businesses – regardless of their size – must take action to comply with the country’s data privacy and data security laws.

“While the enforcement action serves as a reminder to businesses of their data security and protection obligations, it has also sparked debate among industry participants over its fairness when targeting small enterprises, which may not be able to afford to take sometimes costly compliance measures,” Roberts said.

China’s Personal Information Protection Law, which came into effect in 2021, hinted that future legislation may be introduced to address this issue, Roberts said, as it calls for specific “special personal information protection rules and standards” to be developed for small enterprises that handle personal data.

However, these implementation rules – or a timetable for their publication – have yet to be seen by industry, Roberts added.

Angela Zhang, an associate professor of law at the University of Hong Kong, said the recent cases obviously reflect a shift in focus by local governments to enforce the data security rules on small and medium-sized firms and organisations.

“This clearly indicates a trend where Chinese authorities are intensifying their data security regulations. Unlike large corporations, small and medium-sized enterprises often lack robust compliance mechanisms. This could account for the recent surge in enforcement actions against them,” she said.


“However, the fines levied under this law tend to be relatively small, and the targets of enforcement actions are generally not prominent corporate actors. This suggests that the enforcement may not be as impactful on larger corporations,” she added.

Gao Fuping, a law professor at the East China University of Political Science and Law in Shanghai, said more comprehensive law enforcement is needed to raise awareness among all enterprises, while small businesses that handle data are more commonly at risk of illegal selling and sharing of data.

“I think all enterprises should meet the basic requirement of data storage security … for personal data. If leaked, it is not just a personal privacy issue, but more of a social safety and security issue. So there should be [compliance] pressure given to businesses,” Gao said.

With data security now at a higher priority, meeting such requirements could entail more costs and inconvenience on the part of businesses, Gao said.

As authorities strengthen enforcement under the provisions of the Data Security Law, fines are being handed out to various companies that have failed to comply with cybersecurity rules and were deemed at risk of data leaks.

In an article published on its WeChat account on Wednesday, the public security ministry’s Network Security Bureau cited data-related cases over the past two years, 336 of which were handled in Jiangsu.

The article warned of possible data leaks in the healthcare industry and the financial and real estate sectors, warning that such leaks could cause “significant harm to public interests, economic operations, and individual rights and interests, and may affect national security and social stability.”

