Global companies are accelerating their push to decouple China data in response to the country’s increasingly stringent data and anti-espionage laws, as relations between Washington and Beijing deteriorate.
The drive for full localisation of data in China and separation of information technology systems from the rest of the world is happening as Beijing strengthens its control and regulation of data.
US consulting firms including McKinsey, Boston Consulting Group and Oliver Wyman are splitting their IT systems, according to a half-dozen staff at the companies.
“Multinationals are concerned . . . it’s named the anti-espionage law and espionage naturally gets people a bit worried,” said Alex Roberts, a data compliance expert at law firm Linklaters in Shanghai.
On July 1, Beijing put into effect an expanded anti-espionage law to strengthen national security. A series of raids and sanctions on US consultancies such as Bain & Company and Mintz Group, along with semiconductor giant Micron Technology, have put more pressure on companies operating in China.
Roberts said the wording in the updated anti-espionage law unveiled in April introduced the possibility of criminal sanctions and being policed by the country’s state security agency for sharing information deemed sensitive.
The revised law and the raids “have businesses scrambling to understand their current compliance footing”, he said.
In the past, western companies were concerned about taking electronic devices into the country over fears that China could access their data. Now they are equally concerned about sensitive data leaving China for fear of violating Beijing’s rules.
An executive at a US consultancy said his company started reorganising its systems months ago, creating a costly “for China” version of nearly every digital tool. Staff were banned from taking their China-issued laptops out of the country and the company is creating Chinese servers and second email addresses ending in “.cn” for local team members.
“We’ve got two IDs now basically,” said the consultant, adding that the data issue “goes to the heart of why it’s hard to do business in China”. The company has not figured out what to do about phones, he added.
Four staff at Big Four accounting firms KPMG and EY said their groups had started reorganising IT systems in China around the time Beijing rolled out several data security and cyber laws in 2021. At EY, the costly second IT system has led to a fee dispute between the China arm and headquarters.
The growing push to localise data also comes as China’s internet regulator, the Cyberspace Administration of China, has started to conduct data security assessments to control the flow of outbound data.
The reviews — the first of their kind — apply to any group sending abroad “important data” or the “sensitive personal information” of more than 10,000 Chinese people over a two-year period. They were supposed to be completed by the end of March, but for many companies they are still not finished.
“While it’s not entirely clear if they must, companies are finding it easier and less risky to localise data within China as much as possible instead of sending data across borders. They want to avoid risks,” said Sally Xu, manager of government affairs at the British Chambers of Commerce in China.
Almost 10 per cent of roughly 500 European companies surveyed this spring by the European Union Chamber of Commerce in China said they were completely decoupling their China IT systems from the rest of the world. Three-quarters said they had localised their IT systems and data storage to some degree.
Compliance costs will be “unmeasurable” for financial institutions if they fully comply with China’s data laws, said the American Chamber of Commerce in China in April.
Banks such as JPMorgan, which can now run its own securities arm in the country, are building separate infrastructure for China, according to two people briefed on their operations.
Mutual fund managers like BlackRock and Neuberger Berman, which have approval to manage local mutual funds for domestic Chinese investors, are prohibited under sector-specific rules from sharing information on their shareholdings or research from local units to their parent organisations.
Carolyn Bigg, head of DLA Piper’s Asia data privacy team, said the data localisation drive even extended to retailers’ global loyalty programmes, where some companies were moving to cut out Chinese customers.
McKinsey, BCG, Oliver Wyman, KPMG, EY and BlackRock did not respond to requests for comment. JPMorgan and Neuberger Berman declined to comment.
Nian Liu contributed reporting from Beijing and Cheng Leng from Hong Kong.