
As the Chinese government bolsters oversight of foreign companies' data practices, larger businesses will increasingly decouple data storage and processing to mitigate compliance risks. But small- and medium-sized firms may be forced to pick between the Chinese and global markets.

In recent weeks, several high-profile Western firms have announced their intention to separate their business activities in China from the rest of their global operations, citing increasingly stringent regulations and uncertain geopolitical tensions. On Sept. 27, the Financial Times reported that U.S.-based Kyndryl, IBM's former information technology services unit, was planning to split off its China business, with one source saying the company had deemed it too difficult to operate as a U.S. corporation "in the data and technology space in China." U.S. consulting firm Bain & Company also recently announced its intention to separate its operations in China from those it has elsewhere in the world; according to a Sept. 18 report published by The Times, the company has begun localizing data within its Shanghai branch to ensure compliance with China's newly revised data laws, which mandate that foreign firms keep Chinese data on local servers. On Sept. 21, prominent Silicon Valley venture capital firm GGV Capital announced it would divide its business in China and the United States into independent firms due to the "highly complex" operating environment in China.
- There are reports that other Western companies — including U.S. consulting firms McKinsey, Boston Consulting Group and Oliver Wyman, as well as the Anglo-Swedish pharmaceutical giant AstraZeneca — are planning to split their IT systems as well, allegedly in response to China's increasingly stringent approach to counter-espionage and data transfer activities. However, none of these companies have officially announced the details of such plans.
Foreign firms' impetus to separate out their operations in China has been driven, in part, by the release of increasingly stringent data and cyber regulations by the Cyberspace Administration of China (CAC). In 2023, the CAC released updated provisions to several laws pertaining to cybersecurity and data, including updates to its Data Security Law, which implemented several trial regulations on Jan. 1. The new rules bar organizations from exporting any personal information or data they gather in China that is deemed "important" by the CAC, unless given express governmental permission to do so. Per the updated stipulations, any data gathered from Chinese state-owned bodies, such as public universities and hospitals, must be kept in China as well. In February, CAC also released its final version of standard contractual clauses, or SCCs, to create a framework through which organizations can legally transfer data in and out of China. These clauses became effective June 1, though organizations transferring personal information outside of China prior to this date have until Nov. 31 to come into compliance with the standards. The new SCCs are expected to ease the transfer of data to and from the country, but the strict penalties for violating the updated standards also require greater compliance efforts from foreign organizations. In addition, the CAC announced revisions to the country's Counterespionage Law on April 26, which went into effect July 1. The law's new stipulations restrict the transfer of information pertaining to national security and state interests (without clearly defining these terms), and also expand the definition of espionage to include documents and data related to security interests. These changes further empower state authorities to inspect organizations' facilities and their electronic devices if they are suspected of espionage, and encourage a whole-of-state approach to countering instances of espionage within China.
- Between March and May, Chinese officials raided and investigated Western firms including Mintz, Bain & Co. and Capvision due to accusations that these companies were violating national security priorities by maintaining overseas relations.
- In the weeks following the revised Counterespionage Law's implementation, several multinational organizations, including venture firm Sequoia Capital and global law firm Dentons, announced plans to separate their business operations in China from other regions of operation. Sequoia cited an "increasingly complex" dynamic in explaining its decision, while Dentons stated that its move was "in response to an evolving regulatory environment for Chinese law firms in China — including new mandates and requirements relating to data privacy, cybersecurity, capital control and governance."
While China will ease some aspects of its data, national security and cybersecurity regulations to lessen some compliance requirements for foreign companies, the government will still pursue increasingly stringent oversight. In response to increasing concerns raised by Western organizations, the CAC proposed new regulations on Sept. 29 to waive data export security assessments for activities like international trade, academic cooperation, cross-border manufacturing and marketing that do not contain personal information or important data. The agency may also make adjustments to other provisions in the future, especially if foreign pushback against stringent rules grows and as Beijing seeks to reassure investors that it is open for business. However, other recent developments — including exit bans on executive employees of U.S. risk advisory firm Kroll and Japanese firm Nomura — further reflect this heightened risk environment that will increasingly target Western and Western-aligned organizations. Moreover, as Beijing continues to prioritize national security objectives, it is highly unlikely to significantly pull back from what it sees as a legitimate need to regulate its cyberspace and foreign data transfers, in line with the growing scope of data localization requirements across the globe. Therefore, Chinese government agencies will likely continue to implement strict regulatory rules around Western organizations' ability to operate in the country. While China is unlikely to enact new major legislation pertaining to data protection (in light of the robust framework it has recently built), the CAC and other Chinese governmental bodies will likely pass periodic updates to these preexisting laws that may include expanded oversight or enforcement of various data protection laws.
Large multinationals will likely increasingly split their data storage and processing between China and elsewhere, but small- and medium-sized firms may be forced to pick one market or another. Either way, companies that maintain operations in China will likely face higher costs and legal risks. Organizations with significant resources, particularly large-scale multinational corporations, will likely take measures like the aforementioned firms to establish parallel data storage and processing operations (one in China and one elsewhere) in an effort to minimize their regulatory and compliance risks. While this will introduce new costs and inefficiencies, larger firms should be able to absorb them. By contrast, it is unclear how small- and medium-sized businesses will grapple with China's increasingly stringent regulatory environment, and these organizations will likely have a more difficult time maintaining multiple business divisions that necessitate different data storage and processing procedures. Therefore, smaller foreign firms may be forced to decide whether to operate solely within China or leave the market altogether. But regardless of their size, organizations that decide to maintain operations within China will likely face heightened risks as the Chinese government continues to increase oversight of foreign firms' physical and cyber practices. These risks include higher operating costs, business inefficiencies and legal risks as organizations and their employees face fines, detention, interrogations and seizure of personal or corporate items, including digital devices.