A new system of social and corporate control in China raises serious new data security risks for foreign multinational firms operating in the country, according to a new report from the EU Chamber of Commerce in China.
The new study, The Digital Hand: How China’s Corporate Social Credit System Conditions Market Actors, is meant to serve as a wake-up call to EU firms which may not have got their compliance plans in place.
The Corporate Social Credit System (SCS) will require all firms operating in China to provide the government with data feeds covering a wide sweep of operations — in areas as diverse as environmental regulations and health and safety.
They will then be given an algorithmically calculated score which will change over time: those with low scores face more frequent audit inspections, customs delays, public shaming, and even blacklisting by the government.
However, the European Chamber warned that the data transfers themselves could be problematic for companies.
“Taken individually, most of the transferred data points are not highly sensitive information,” the report explained. “However, the integration and systematically cross-cutting use of data on the government’s side can become a challenge. It provides the government with a full picture of the detailed performance and capability of a company.”
There may also be concerns over sharing sensitive IP and information on personnel, the report claimed.
It urged foreign MNCs to engage with Beijing now “with the goal of modifying data transfer requirements and excluding such information.”
“Ensuring the security of this data is one of the key promises of the government,” it added. “Companies need to hold the government authorities to this promise and make sure that no detrimental use of this comprehensive data occurs.”
It remains to be seen how flexible the Chinese government will be in allowing firms to exclude certain sensitive data points, and how prepared it will be to ensure the security and integrity of the data.
The European Chamber warned that SMEs could be particularly at risk from non-compliance given the onerous, resource-intensive data collection requirements. A complicating factor is that the scores given to third-party suppliers may drag down a company’s overall score, so a great deal of work will need to be done to vet partner organizations.
“It is no exaggeration to say that the Corporate SCS will be the most comprehensive system created by any government to impose a self-regulating marketplace, nor is it inconceivable that the Corporate SCS could mean life or death for individual companies,” warned European Chamber President, Jörg Wuttke.