Chinese data protection officers will wake up on Monday morning as highly sought-after individuals.
The introduction of sweeping data protection laws by Beijing has transformed what was unglamorous compliance work into a critical role for companies of all sizes.
Salaries are soaring as companies scramble to hire DPOs, especially since the new laws will put these staff in the uncomfortable position of being held personally responsible for any failures.
“We face being slapped with a personal fine of Rmb1m ($156,000) or even prison if we neglect our duties,” said a DPO at a large courier company.
On Monday, China’s Personal Information Protection Law (PIPL) comes into effect. The legislation, similar to Europe’s General Data Protection Regulation, puts limits on what companies can do with consumer data.
Under the PIPL, Chinese websites must now obtain explicit consent from internet users before hoovering up their personal information.
“The scope of my job was much narrower before the PIPL,” said a DPO working for a telecoms company, who asked not to be named. “I was mainly responsible for ensuring data was stored safely on servers. Now I have to pay attention to the whole lifecycle of data, from its collection, generation, use, storage and then destruction.”
The surprise probe into China’s top ride-hailing app, Didi Chuxing, for suspected data violations two days after its blockbuster initial public offering in New York underscored the risk for companies failing to comply.
The Cyberspace Administration of China (CAC), the country’s data watchdog, ordered Didi to be removed from app stores while it investigated, temporarily crippling the business.
“DPO salaries have soared since the Didi incident,” said Xiang Li, who manages training courses for DPOs in the southern Chinese city of Zhuhai. He added that companies were now looking to hire DPOs who also have tech skills and experience with government relations, in addition to an understanding of China’s complex data laws.
An entry-level DPO at ByteDance, the owner of the viral video app TikTok, can now earn a monthly salary of up to Rmb60,000 ($9,380) in Beijing, five times the average in the capital, according to an advert on a popular recruitment website. Software developer E-Hualu is hiring a chief security officer to supervise data security management for an annual salary of up to $180,190.
However, the cost of DPOs is small compared to the potential fine of up to 5 per cent of annual revenues for companies who breach the PIPL.
“The strain on DPOs is immense,” said Li, explaining that the officers are personally liable for any infringements of the country’s data laws and regulations. Li said DPOs “could be put on a professional blacklist” if their employer procured consumer information illegally or leaked sensitive data overseas.
DPOs are mandated under the PIPL to submit security reports to the local branches of the data watchdog. But two people with prior experience of working with the agency noted that regional offshoots of the CAC lack the adequate technical knowledge and capacity necessary to monitor how companies handle data at a granular level.
As a result, the CAC, established in 2014 by President Xi Jinping to centralise internet control, has also been on a hiring frenzy for data professionals responsible for, among other duties, dealing with companies’ applications to transfer specific data overseas. The recruitment sites of Chinese university websites are littered with adverts for positions at local branches of the data watchdog.
The expansion of CAC’s power marks the end of two decades of loose data governance, a period in which internet companies grew with little concern for data protection and consumer privacy. The new data law represents an additional tool for the CAC to steer the government campaign to wrest control over data from the large technology companies as the internet becomes a bigger driver of economic growth.
“The digital economy will be critical to overcoming China’s overall slowing growth rate,” said Kendra Schaefer, head of tech policy research at the Beijing-based Trivium consultancy, “and data is the engine powering the digital economy.”
The strain on DPOs is compounded by uncertainty about how companies should operate under this new data apparatus. “There is a lot of ambiguity in the PIPL, and companies are already getting mixed messages from the regulators about how they will implement it on the ground,” said Carolyn Bigg, a Hong Kong-based technology lawyer at DLA Piper.
Feng Chucheng, one of the founders of the political research group Plenum, said this vagueness was intentional: “It gives regulators flexibility to adapt to a changing environment.”
But for data protection officers, the price of being on the wrong side of this ambiguity is imprisonment or a crippling fine. “I am concerned that there will be conflicts with the way the law is executed,” said a DPO at a media company. “The pressure on us is very high.”