Last month, police in the city of Zhenjiang, in the eastern province of Jiangsu, carried out security sweeps at local businesses, issuing warnings to those that offered Wi-fi without requiring real-name registration, local media reported on Monday.
Citing the country’s Cybersecurity Law, the warnings ordered the businesses to “rectify” their services, which failed “to implement technical safety protection measures”, as required by the law, according to the report.
As those police checks started making waves, police in Huaian, another Jiangsu city, began handing out similar warnings to a local foot massage boutique, citing the country’s Data Security Law.
The security inspections shed new light on China’s growing scrutiny of how companies handle personal data, as authorities continue to tighten their control over cybersecurity. Beijing has also been working on strengthening its data protection legal framework, which is considered a key pillar for national security.
“While the enforcement action serves as a reminder to businesses of their data security and protection obligations, it has also sparked debate among industry participants over its fairness when targeting small enterprises, which may not be able to afford to take sometimes costly compliance measures,” Roberts said.
China’s Personal Information Protection Law, which came into effect in 2021, hinted that future legislation may be introduced to address this issue, Roberts said, as it calls for specific “special personal information protection rules and standards” to be developed for small enterprises that handle personal data.
However, these implementation rules – or a timetable for their publication – have yet to be seen by industry, Roberts added.
“This clearly indicates a trend where Chinese authorities are intensifying their data security regulations. Unlike large corporations, small and medium-sized enterprises often lack robust compliance mechanisms. This could account for the recent surge in enforcement actions against them,” she said.
“However, the fines levied under this law tend to be relatively small, and the targets of enforcement actions are generally not prominent corporate actors. This suggests that the enforcement may not be as impactful on larger corporations,” she added.
Gao Fuping, a law professor at the East China University of Political Science and Law in Shanghai, said more comprehensive law enforcement is needed to raise awareness among all enterprises, while small businesses that handle data are more commonly at risk of illegal selling and sharing of data.
“I think all enterprises should meet the basic requirement of data storage security … for personal data. If leaked, it is not just a personal privacy issue, but more of a social safety and security issue. So there should be [compliance] pressure given to businesses,” Gao said.
With data security now at a higher priority, meeting such requirements could entail more costs and inconvenience on the part of businesses, Gao said.
As authorities strengthen enforcement under the provisions of the Data Security Law, fines are being handed out to various companies that have failed to comply with cybersecurity rules and were deemed at risk of data leaks.
In an article published on its WeChat account on Wednesday, the public security ministry’s network Security Bureau cited data-related cases over the past two years, 336 of which were handled in Jiangsu.
The article warned of possible data leaks in the healthcare industry and the financial and real estate sectors, warning that such leaks could cause “significant harm to public interests, economic operations, and individual rights and interests, and may affect national security and social stability.”