Foreign companies that want to enter the Chinese market successfully have to be familiar with local privacy regulations and adapt to them. This includes the Cybersecurity Act, which came into effect in June 2017.
Hardly any topic has kept marketers as busy as data protection in recent months. The GDPR, which is binding from May, keeps marketing departments on their toes throughout the EU and beyond. But the EU is not the only one with a new regulation on data protection. In China, a cybersecurity law was passed in November 2016 and came into force on 1 June 2017.
The Cybersecurity Act is just one of many laws that the Chinese government has adopted in recent years to ensure political stability and to have comprehensive control and oversight over the Internet. This has a significant impact on e-commerce and presents a challenge for foreign companies, which ultimately have no choice but to adapt if they want to do business in China. Companies that sell IT products to operators of critical infrastructures (including communications, energy, transportation, water, and finance) are particularly affected. They must undergo a state security audit and may need to disclose their source code. Moreover, a license requirement applies to foreign encryption products. With regard to marketing products and services, the local data storage obligation, a central aspect of the cybersecurity law, is certainly more relevant, so we will focus on this aspect in the following.
The Cybersecurity Act ensures data security, protection of critical infrastructures and the protection of the privacy of Chinese citizens. At the same time, it forces foreign companies to show a high degree of transparency. Businesses that do not comply with the regulations face severe penalties, including withdrawal of their business license.
What the local data storage requirement means for marketing in China
Personal data from Chinese citizens residing in China should remain in China. This does not mean, however, that no data may leave the country. In general, data should not be brought out of China if:
- it concerns personal data for which no consent has been given, or the data transfer is in conflict with the personal interests of the data subject,
- the data is critical to infrastructures, contrary to the public interest or may cause harm to national security,
- the data is otherwise excluded from transfer by public security officials.
Users have to be informed about what data is stored, how extensive that data is, what the purpose of the transfer is, and who receives that data. Users must give their consent before any data is transferred. If it concerns minors, the consent of the parent or guardian must be obtained.
In principle, the data should be kept in China. Nevertheless, in some cases data transfer is a business necessity. In these instances, businesses should conduct a security assessment in advance. In any case, it is important that the consent of the user is obtained in advance and the data does not fall under the exclusion criteria listed above.
W4 has developed a special WeChat module based on the requirements of state-of-the-art marketing automation software. It combines the API with the WeChat app, which is very important for the Chinese market, and ensures the data protection-compliant collection and lawful storage of Chinese users' data (on local servers). In addition, the analysis software allows the fully automatic identification, addressing and qualification of a (potential) lead. We-Tomation works with users' user IDs and sends automated push notifications to the WeChat app.