Post on 28-Apr-2022

0 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Navigating China’s Cybersecurity and Data

Navigating China’s Cybersecurity and Data Protection Policies
Sinolytics Primer – Linking China‘s cybersecurity and data regulatory framework to your business needs

Tiffany Wong, Project Leader, [email protected]
Dr. Camille Boullenois, Project Leader, [email protected]
Dr. Jost Wübbeke, Managing Partner, [email protected]

Page 2: Navigating China’s Cybersecurity and Data

Sinolytics – a European research-based consultancy entirely focused on China

Sinolytics Cybersecurity Services

Profile
• Founded in 2017, Sinolytics is a client-serving, research-based consultancy with offices in Berlin, Beijing and Zurich
• Uniquely blending in-depth research with a management consulting approach to problem solving
• Operating at the nexus of business and policy and analyzing China’s political economy, Sinolytics advises companies from across business sectors and functional areas
• 50+ clients, including some of the largest and most respected foreign companies operating in China

Key expertise areas
• Macro-, industrial and S&T/innovation policies: 14th FYP, automotive, S&T cooperation, 5G/new infrastructure
• China’s digital economy and digital transformation: Digital platforms, valuetization of data, AI, startups/VC
• Market governance and regulatory compliance: Cybersecurity/personal information/MLPS 2.0/x-border, CSCS
• Social policies: welfare and domestic consumption: Health, pension, urbanization, rural economy and labor
• Finance, geoeconomics (trade/investment) & geopolitics: Financial opening-up, BRI, RCEP, tech decoupling, EU-China
• Public and Governmental Affairs (PGA): Structures, strategy, stakeholder analysis, network support

Approach
• Primary source and Chinese-language research
• Problem-solving and developing tailored solutions
• Flexible delivery formats: strategies, reports, workshops
• Depth in content, while strong in contextualization
• Extensive expert network and research partners

Page 3: Navigating China’s Cybersecurity and Data

Sinolytics offers cybersecurity regulatory support to clients backed by deep industry expertise

Preparing clients to meet challenges posed by China’s unique cybersecurity and data regime

Product: Cyber and Data Strategy
• Piecing together China’s cyber regulatory framework puzzle to form comprehensive and forward-looking cyber and data regulatory strategies
• Supporting HQ-China offices to build strategies and SOPs to ensure smooth but compliant cross-border, cross-function data operations
Client Value-add: Building cohesive strategies for HQ and China offices to deal with China’s fluid cybersecurity framework

Product: Compliance and Risk Assessment
Preparing clients to navigate high-risk regulatory landscape
• Assessing cybersecurity compliance risks of current operations in China and supporting with mitigation strategies
• Ensuring China offices and business units meet compliance requirements and providing support for gap closures
Client Value-add: Responding to cybersecurity compliance needs effectively and strategically

Product: Regulatory monitoring
Preparing clients to be ready for upcoming policies and requirements
• Updating and monitoring policy updates across cybersecurity regulatory areas specific to client industries
• Establishing an early warning system for new requirements for timely preparation and action
Client Value-add: Staying at the forefront of cybersecurity regulatory knowledge and response

Product: Trainings and on-demand advisory
Preparing clients for specific scenarios with targeted and tailored advice
• Trainings for HQ and China offices to approach issues raised by China’s cybersecurity regulatory framework
• On-demand calls upon request and one-on-one advisory for targeted questions
Client Value-add: Bridging general and granular knowledge gaps with high-level and in-detail advice

Page 4: Navigating China’s Cybersecurity and Data

1. China’s maturing cyber security regime
2. Key regulatory frameworks: MLPS 2.0, Cross-border data transfer, Personal information, Network security
3. Industry impacts: Signals from automotive, finance, and health industries
4. Sinolytics cybersecurity expertise

Page 5: Navigating China’s Cybersecurity and Data

The number of national cybersecurity laws, regulations and standards increased enormously… with many national regulations already implemented

[Chart: # of cumulative national regulations and standards, 1995–2020; Cybersecurity law effective in 2017]

[Chart: # of regulations and standards by area, draft vs. implemented: General; MLPS 2.0; CIIO; Network products and encryption; PIP; Industry specific; Cross-border data transfer]

The implementation of the Cybersecurity Law gained momentum in 2020 and 2021

Page 6: Navigating China’s Cybersecurity and Data

Security, innovation policies, and geopolitical objectives drive China’s cybersecurity policy

Drivers of China’s cybersecurity policy:
• National security: Cyber threats are seen as national security threats
• Information control: Censoring information and surveilling population seen as key for social stability
• Consumer protection: China addresses the recent scandals of personal information misuse
• Digital economy: China aims to lead the world in digital economy and technologies
• Techno-nationalism: Promotion of self-sufficiency and Chinese technology
• International cyber governance: China aims to influence the international cyberspace rulemaking

Objectives of the 14th FYP: National cybersecurity law, regulations, and system standards should be improved and developed, and security guarantees for data resources in important areas, important networks and information systems should be strengthened

Page 7: Navigating China’s Cybersecurity and Data

Simplified overview of China’s cybersecurity framework

Areas under the 2017 Cybersecurity Law: MLPS 2.0; CIIO; Network product and encryption; Personal Information Protection; Cross-border Data Transfer (the slide marks items as draft regulations or as new/adjusted in 2020/2021)

Instruments shown, grouped by area:

MLPS 2.0
• MLPS and CII Security Protection System Guiding Opinions
• MLPS Classification Guideline
• Grading guidelines for classified protection
• Baseline for MLPS for cybersecurity
• Implementation guide for MLPS for Infosys
• Testing & evaluation guide for MLPS
• General requirements for MLPS of cyber security I - V
• Tech. Reqs. for MLPS Security Mgmt Center
• Technical requirements for security design for MLPS
• Capability requirements for organization of MLPS
• Security requirements for database management systems

CIIO
• Reg. on Security Protection of CII
• Measures on Cybersecurity Review
• Basic reqs for CII network security protection
• CII security control measures

Network product and encryption
• Encryption Law
• Network key equipment security tech. reqs. - General reqs
• Network key equipment safety - technical reqs
• Catalog of critical network equipment and network security products
• General Reqs for InfoSys Encryption Application
• Commercial Encryption Mgmt. Regulations
• List of Commercial Encryption Import License, Export Control List
• Opinions on Impl. of Commercial Encryption Testing and Certification
• Certification Rules for Commercial Cryptographic Products
• Commercial Password Product Certification Catalog

Personal Information Protection
• PI Protection Law
• PI Security Specification
• PI Security Impact Assessment Guidelines
• Guidelines for PI Security in Mobile Apps
• Information Security Technology PI Notification Consent Guide
• PI Security Engineering Guidelines
• Online PI Security Protection Guidelines
• PI Anonymization Guidelines

Cross-border Data Transfer
• Data Security Law
• Reg. on Cross-Border Transfer of Personal Data
• Measures on Security Assessment on Cross-Border Transfer of PI
• Measures for Security Assessment of Cross-border transfer of Personal Information and Important Data
• Guidelines for Data Cross-Border Transfer Security Assessment

Related laws: Revised Criminal Law; Revised Civil Code; Consumer Rights Protection Law

More regulations & standards expected

Page 8: Navigating China’s Cybersecurity and Data

Multi-pronged cybersecurity regime has critical implications for businesses in China

2017 Cybersecurity Law
What is it?
• The CSL is the first legislation devoted to supervision and management of cybersecurity and internet space in China
Why is it important?
• Introduces key cybersecurity concepts, e.g. MLPS 2.0 and critical information infrastructure operators (CIIOs)
• Lays foundation for future laws and regulations
High-level foreign business implications
• Overall: Unique cybersecurity regime with increased oversight from authorities
• Management: Cybersecurity protection responsibility is shifted primarily from IT departments to management
• Risk and compliance: Risk assessment and evaluation procedures for entities introduced
• Operations: CAC has increased power to use CSL for non-cybersecurity related issues, such as export control or supply chain limits

2021 Data Security Law
What is it?
• To be implemented in Sept 2021, the Data Security Law is concerned primarily with data protection and data activities of entities
Why is it important?
• Demonstrates “important data” and “national core data” significance for data protection
• Equates data security with national security, with extraterritorial implications
High-level foreign business implications
• Overall: Data security and data transfer strategies
• Management: Foreign business HQs have to follow DSL while treating Chinese data abroad
• Risk and compliance: “Important data” processors face extra requirements, incl. for cross-border transfer
• Operations: Data security review regime can open foreign business data activity to regulatory scrutiny

2021 Personal Information Protection Law
What is it?
• Taking effect in November 2021, the Personal Information Protection Law is concerned primarily with personal and consumer information protection
Why is it important?
• Sets fundamental requirements for handling of PI and sensitive PI for entities
• Regulates cross-border data transfer
High-level foreign business implications
• Overall: Granular personal information protection requirements along data value chain
• Management: Foreign business HQs have to follow PIP law while treating Chinese citizen data abroad
• Risk and compliance: Businesses have to conduct impact assessment for cross-border personal information transfer
• Operations: Enforcement activities already underway for standards based on PIP law

Page 9: Navigating China’s Cybersecurity and Data

Businesses in China see an increasing enforcement of cybersecurity and data regulations

Regulatory compliance is actively enforced
[Image: Sample PSB Outreach Letter for MLPS 2.0 compliance]

Companies see fines, litigation, and business suspension over regulatory violation
• 2021 PIP Law draft increased fines for violations to 50 million RMB, or 5% of annual revenue for the company

Page 10: Navigating China’s Cybersecurity and Data

2. Key regulatory frameworks: MLPS 2.0, Cross-border data transfer, Personal information, Network security

Page 11: Navigating China’s Cybersecurity and Data

MLPS 2.0: All firms operating networks have to follow MLPS 2.0 requirements

MLPS 2.0 sets rules for all companies that operate networks (“network operators”) to increase security protection capabilities, including the ability to prevent threats, detect security incidents and recover after damage

• The number of technical requirements in various security areas increases for higher MLPS 2.0 levels
• Network operators are obligated to conduct a self-assessment
• Above level 2: subject to extra expert evaluation
• Above level 2: need to file with local public security bureaus

Companies need to grade their MLPS 2.0 level…
Grading by the damage a compromise would cause to legal persons, public security or national security:
• Level 1: Damage to legal persons
• Level 2: Serious damage to legal persons OR damage to public security
• Level 3: Very serious damage to legal persons OR serious damage to public security OR damage to national security
• Level 4: Very serious damage to public security OR serious damage to national security
• Level 5: Very serious damage to national security

…and comply with corresponding requirements
Number of technical requirements by level (chart): Level 1: 53; Level 2: 122; Level 3: 189; Level 4: 204; Level 5: requirements not published
Security areas covered: Telecomm Network Security; Network Boundary Security; Computer Environment Security; Management Center Security; Security Management; Construction Management Security; Management Org. Security; O&M Management Security; Management Personnel Security

Page 12: Navigating China’s Cybersecurity and Data

Critical Information Infrastructure Operators regulation regime slowly developing

CIIOs are companies that may “gravely harm national security, the national economy, the people’s livelihood and the public interest if sabotaged”

CIIOs face stricter requirements (most updated regulations from Guiding Opinions and Data Security Law)
• Critical Information Infrastructure Operators (CIIOs) face stricter requirements such as data localization
• 14th FYP indicates that the construction and regulation of a well-developed CIIO protection infrastructure is a major cybersecurity policy goal
• The final definition of CIIO companies depends on industry regulators; designated CIIOs will be supervised by the MPS and industry regulators

• Asset risk assessment: CIIOs have to conduct a risk assessment of all assets
• Data storage: CIIOs have to store important and sensitive personal information in separate data servers within China
• Supply chain: Network providers and servicers to CIIOs have to undergo cybersecurity review procurement procedures
• Post-incident recovery: Post-cyber incident recovery requires an instant back-up system

Companies in some industries face a higher likelihood to be labelled CIIOs (known CIIOs):
• Finance: Bank operators; Securities and futures trading; Insurance
• Telecomm.: Data center/cloud services; Voice, data, internet network and hubs
• Health: Health institutions such as hospitals; Disease control; Emergency centers
• Manufacturing: Intelligent manufacturing system; High-risk industrial facilities
• Water conservancy: Long-distance water delivery; Urban water source; Sewage treatment
• City infrastructure: Urban rail transit; Smart City op. & mgmt

Page 13: Navigating China’s Cybersecurity and Data

Companies face challenges of new cross-border data transfer requirements

Cross-border Data Transfer

New cross-border data transfer regulation and standards not yet officialized…
• Standard on Cross-Border Data Transfer Security Assessment likely to be officialized by CAC in early 2022
• Data Security Law (2021) indicates that cross-border data transfer regulations will be published by the CAC and the State Council

…but already present new data transfer requirements for companies in China
• According to regulations, companies face new impact assessment and approval procedures for data transfer abroad
• All companies that are network operators and transfer personal data outside the borders of China will be affected
• The PIPL suggests that all companies transferring personal information abroad undergo a one-time impact assessment and contract procedure
• Some industries (e.g. finance, automotive) see security assessment requirements for transfer of important data
• Uncertainties remain, e.g. whether group companies are to be treated as a separate or entire entity

Implications for companies
Companies will face extra cost for compliance with new cross-border data transfer requirements, e.g.:
• Multi-party impacts: Data transfer contracts require coordination and assessment of data sender and recipient
• Cross-entity data protection coordination: Security assessments and record-keeping require increased coordination among MNC entities
• Increased spot-checks: Provincial CACs will inspect transfer records in a randomized manner
• Management and structure: Data security compliance team required and work norm processes for data transfer security need to be established

Page 14: Navigating China’s Cybersecurity and Data

Personal Information Protection Law: wide-sweeping impact on many companies

• China’s 2021 Personal Information Protection Law (PIPL) sets out framework requirements for companies to protect personal information they collect and process

Examples of the impact of China’s PIPL on various business functions (based on support regulations and standards):

Human resources
• (Sensitive) Personal Information: Employees’ address, personal phone number, e-mail address; Position, work unit, education, degree, education experience, work experience, training record, transcripts
• Impact on operations: PIPL allows some personal information collection without individual consent for some HR functions

Finance and accounting
• (Sensitive) Personal Information: Bank account, deposit information (including the amount of funds, payment collection records); Client’s name, address, personal phone number, photos, nationality, job position
• Impact on operations: Financial personal information faces specific categorization; Certain categories of sensitive financial personal information may need to be localized (see also separate industry slide)

Marketing/e-commerce
• (Sensitive) Personal Information: Clients’ address, personal phone number, e-mail address; Software usage records, click records, favorite lists; Transaction and consumption records
• Impact on operations: Personal pricing algorithms and automated decision-making through big data analysis are completely prohibited by the new PIPL and supporting regulations

Implications for Companies
• For cross-border data transfer, companies need to demonstrate that data transfer abroad is necessary
• Companies should segment sensitive personal information processing and develop separate consent mechanisms
• For cross-border personal information transfer, companies need to conduct impact assessments and sign contracts with foreign data recipients
• Individual (retractable) consent required for all PI collection
• Penalties for non-compliance can reach up to 50 mn CNY or 5% of annual revenue

Page 15: Navigating China’s Cybersecurity and Data

Network products and services: CIIOs and providers in the regulatory spotlight

Network Products & Services

Providers of key network products must pass technical reviews
• Requirements apply to a list of key network products
• These products must undergo a security review
Key network products:
➢ Router
➢ Switch
➢ Server
➢ Firewall
➢ …
Detailed requirements exist for each of the products: General requirements and Technical requirements, assessed in a point-based score review

CIIOs must ensure their supply chain meets cybersecurity review
The network product and services review process
• Triggers for the review: Potential impact of network products and services on national security
• Principles taken into account:
  • Data control: Make sure no data can be illegally obtained/processed
  • Controllability: Ensure that the products cannot be manipulated
  • Product choice: Make sure that the purchasing party is not deprived of its right to choose products and services

Page 16: Navigating China’s Cybersecurity and Data

3. Industry impacts: Signals from automotive, finance, and health industries

Page 17: Navigating China’s Cybersecurity and Data

Different industries are affected by a combination of cybersecurity regulations

Most relevant cybersecurity regulations by industry 1) and implications for MNCs and SMEs

[Matrix: regulation areas MLPS 2.0; CIIO; Network Products; Cross-border Data transfer; Encryption; Personal Data Protection, marked per industry. Legend: [symbol] = will affect corporations; [symbol] = possibly affect corporations. Effects of regulations for industries stand for MNCs and SMEs, regardless of size. The per-industry markings are not recoverable from the transcript.]

Implications for MNCs and SMEs
• IT: IT & cloud companies listed as CIIOs face tough approval processes from authorities
• Automotive: Corporations face tough regulations on data collection and processing; Unique-to-ICV cybersecurity reqs.
• Health/Pharma: Sensitive personal data from clinical trials face tough regulations; Data transfer partners can be CIIOs
• Chemicals: Data transfer partners can be CIIOs; DG data can be listed as important data
• Finance: Industry-focused regulations for personal data treatment; Data localization required
• Machinery: Some machinery processes may be subjected to increased data protection requirements
• Retail: Strict personal data protection requirements for eCommerce

1) Relevant cybersecurity regulations depend strongly on business models

Page 18: Navigating China’s Cybersecurity and Data

Automotive industry: granular data security requirements suggested

Industry: Automotive

• Automotive industry is one of the first industries to see a comprehensive industry-specific data protection regime
• Draft regulations point to granular important data and personal information protection categories, with localization requirements and cross-border transfer thresholds
• “Recommended principles” for data collection and processing included renewed consent for data collection at every start of journey, and in-vehicle handling of PI/important data

China’s burgeoning ICV cybersecurity regulatory framework shows heightened focus on ICVs

Implications for Auto OEMs and Suppliers
• Cross-border data transfer: Auto OEMs, suppliers, and system providers face increased requirements for cross-border data processing
• Increased monitoring: Auto OEMs will face increased scrutiny from provincial CACs and relevant departments on how they handle data
• Supply chain compliance: Auto OEMs need to establish a cybersecurity guarantee mechanism for their entire supply chain
• Data processing regime: Auto OEMs will have to ensure compliance with dedicated personnel and SOPs

Page 19: Navigating China’s Cybersecurity and Data

Financial institutions: strict personal data protection rules apply

Industry: Finance

• Foreign companies can now set up wholly-owned units in the mainland and take part in a 45 tn USD financial services market
• According to Bloomberg, foreign banks and securities companies could see profits of more than 9 bn USD a year in China by 2030
• Finance industry faces cybersecurity requirements for data localization and tight personal information protection requirements

Foreign institutions are setting up to move into China
• Asset Management: Applying for licenses for 100%-owned companies
• Securities: Approved for majority stakes in local joint ventures
• Insurance: Greenlighted for first entirely foreign-owned insurance holding company in China

…but strict cybersecurity regulations for all financial institutions can impact operation models
• Personal financial data: Personal financial information categorized in three levels: C1, C2, C3, with corresponding restrictions
• Risk Evaluation: “Specification for financial information service security” (GB/T 36618-2018) requires strict risk compliance for cybersecurity; these include back-up requirements (e.g. on different servers) and post-incident response mechanisms

Implications for Financial Institutions
• Due to the type of personal data gathered, some financial institutions are likely to be categorized as CIIOs, and face additional restrictions
• Financial institutions face strict cross-border data transfer restrictions for personal financial data, which pose extra challenges for data transfer limits and methods
• Dedicated China-specific cybersecurity team needs to be established to deal with extra data protection requirements, risk monitoring and evaluation, and cybersecurity trainings

Page 20: Navigating China’s Cybersecurity and Data

Digital health: between market potential and heavy regulation

Industry: Healthcare

High growth for digital healthcare in China
• In 2016, 58% of patients in China reported having shared technology information with healthcare professionals, compared to 26% in the UK, 17% in Sweden and 12% in Germany

COVID-19 has increased the market potential
• During Covid-19, internet diagnosis and treatment 1) increased by 17 times, and consultations on 3rd-party Internet service platforms increased by 20 times. Life science firms and insurance firms are likely to benefit from expansion

But the industry suffers from high cybersecurity vulnerabilities
• In 2018, a total of 77% of hospitals’ patient apps had cybersecurity vulnerabilities
[Pie chart: hospitals’ patient apps by vulnerability level: no vulnerabilities, low vulnerabilities, medium vulnerabilities, high vulnerabilities]
• In April 2020, China’s largest and first cross-border telemedicine app “Dr. Chunyu” was suspended for privacy violations

Cybersecurity regulations have implications for healthcare infrastructure
• 2020 Health Law emphasizes data protection. Art. 49: “The state protects citizens’ personal health information and ensures the safety of citizens’ personal health information. No organization or individual may illegally collect, use, process, or transmit personal health information of citizens”
• Healthcare is highlighted as a focus of cybersecurity regulations: “Key Information Infrastructure Security Protection Regulations” (2017): healthcare operators are CIIOs; “Personal Information Security Specification” (2020): healthcare data is ‘sensitive information’
➔ This implies particularly strict requirements in all areas of cybersecurity and data protection
• Specific healthcare cybersecurity regulations in the making: Four specific regulations issued in 2018; National standards are being drafted
➔ Healthcare-related companies must prepare for specific cybersecurity requirements

Page 21: Navigating China’s Cybersecurity and Data

4. Sinolytics cybersecurity expertise

Page 22: Navigating China’s Cybersecurity and Data

Sinolytics’ Cybersecurity and Personal Data Expertise

Our service focuses on the topics below, tailored to your needs

Overall strategy and regulatory topics:

MLPS 2.0
• Level Determination
• Requirement Gap Analysis
• Gap Closure Support
• External Assessment and Filing

CIIO
• CIIO Determination
• CIIO Requirement Gap Analysis
• CIIO Strategy, e.g. Cybersecurity Review Measures

Encryption
• Encryption Law Provisions

Cybersecurity Strategy
• HQ and China office cybersecurity strategy
• Monitoring/Forecasting New Rules

Cross-border Data transfer
• Cross-Border Data Transfer Assessment
• Identifying Specific Review Requirements
• Implement Review

Personal Data Protection
• Identifying sensitive personal data
• Privacy policy advice
• Data anonymization assessment

Network Products
• CIIO Procurement Rules
• Network Product and Services Catalogue

Industry-specific topics:

Automotive
• Connecting Sinolytics’ automotive experience with Cybersecurity

Social Credit
• Links between Cybersecurity Regulation and Social Credit System

Finance
• Connecting Sinolytics’ finance experience with Cybersecurity

Health
• Connecting digital health business models with Cybersecurity

Machinery
• Connecting machinery and manufacturing models with Cybersecurity

Pharma
• Connecting Sinolytics’ pharma experience with Cybersecurity

Page 23: Navigating China’s Cybersecurity and Data

Sinolytics Service
MLPS 2.0 Compliance Service (Example)

1 Level Grading
• Network Identification: Identify client network systems relevant for MLPS 2.0
• Level grading: Support in self-determining the MLPS 2.0 level regarding potential impacts for relevant objects
• Self-assessment report: Support in producing a report that can be provided to authorities or 3rd parties if required

2 Requirements Assessment
• Technical Requirements: List of requirements based on the graded level as defined in standards, also including encryption, personal data protection, etc.
• Operational/Management Requirements: Based on the level, clarify necessary further steps, such as external review, approval from industry regulator and filing with public security bureau

3 Gap Analysis
• Status Quo Analysis: Evaluate client’s current cybersecurity measures in accordance with MLPS level
• Gap Identification: Identify potential compliance gaps against the backdrop of requirements and client‘s status quo

4 Implementation & Enablement
• Gap Closure Roadmap: Define a roadmap to close potential gaps and define specific measures to be taken
• Document Preparation: In case of external review, approval or filing, formulate relevant materials and inputs for grading
• Partnership Evaluation: In case of external review, identify local accredited 3rd party reviewers that provide best fit for client needs

5 Continuous Compliance
• Strategy: Develop a strategy to continuously deal with the MLPS 2.0 system
• Monitoring Process: Build process to regularly update MLPS 2.0 assessment against regulatory dynamic and regular reporting duties
• Communication Process: Build internal processes to communicate MLPS 2.0 related requirements among internal stakeholders

Deliverables: Requirements; Report; Compliance Roadmap; Strategy & Monitoring

Page 24: Navigating China’s Cybersecurity and Data

Sinolytics Service
Personal Information Protection Compliance Service

Sinolytics examines company compliance with 500+ requirements for personal information protection

Regulatory Areas covered by our compliance analysis: Data Collection; Data Storage; Data Usage; Third Party; User Rights; Personnel management; Security Measures; Anonymization; Impact Assessment; Cross-border data transfer

Page 25: Navigating China’s Cybersecurity and Data

Sinolytics Service
Cybersecurity workshops and training (Example)

Company HQ – China Offices Cybersecurity Strategy
• Audience: Company HQ and China offices of SMEs and MNCs
• Aim: Enable top-level, cross-functional, and tailored view on cybersecurity in China and clarify strategies and frameworks for overarching cybersecurity needs in China
• Topics covered: China’s entire cybersecurity framework, targeted towards company’s business industry; Impact evaluation of Chinese cybersecurity regulations on HQ and China office operations at business level; Cross-border implications of China’s cybersecurity framework, especially compared to other data protection regimes (e.g. GDPR)

Issue or Topic Compliance and Response Strategy
• Audience: Mainly China-based offices of SMEs and MNCs
• Aim: Enable deep and granular understanding of cybersecurity compliance in China for on-the-ground operations, tailored to business model and business needs
• Topics covered: Deep-dive into singular and/or combination of regulatory topics; Targeted deep-dive of compliance requirements according to business industry and their challenges to businesses; Compliance strategies and use-case examples from businesses in China

Page 26: Navigating China’s Cybersecurity and Data


Meet our team

Page 27: Navigating China’s Cybersecurity and Data

Sinolytics’ cybersecurity team

Tiffany Wong, Project Leader
Tiffany leads Sinolytics’ cybersecurity service portfolio and has extensive experience advising corporations and industry groups on China’s cybersecurity and data governance regime. She also specializes in facilitating business strategies for clients dealing with China’s industrial and technology policies against the backdrop of an ever-evolving geopolitical landscape. Prior to Sinolytics, she worked at an advisory group in Washington, D.C. analyzing China’s BRI debt structure. She holds an M.A. from Johns Hopkins in International Economics and China Studies and a B.A. from the University of Chicago in Political Science and International Relations.

Dr. Camille Boullenois, Project Leader
Camille advises clients on regulatory compliance in the Chinese market and has strong mastery of data analytics tools and methods. Prior to Sinolytics, she worked as an analyst at China Policy, and contributed to the EIU, Oxford Analytica and the ECFR on topics pertaining to China’s social and economic issues. She is also a researcher at the Australian National University and has studied at Sciences Po (Paris) and Oxford; with many years of experience in China, she has an outstanding command of the Chinese language and political landscape.

Dr. Jost Wübbeke, Managing Partner
Jost is a leading expert on China’s industrial, technology, and automotive policy. He heads Sinolytics’ service portfolio for cybersecurity, internet governance, and e-commerce. Jost has consulted large MNCs and SMEs on their China cybersecurity strategy including MLPS, personal data, and cross-border data transfer. Previously, he headed the MERICS technology policy team, where he published groundbreaking analyses on Made in China 2025 and Internet Plus. He has a PhD from FU Berlin on China’s industrial policy. He also holds degrees in International Relations and China Studies from Berlin and Bochum and was a research fellow at Tsinghua University.

Fynn Heide, Analyst
Fynn Heide carries out consulting work and research on cybersecurity policy and personal information protection. He previously worked at Trivium China and the Mercator Institute for China Studies and for a member of the German Bundestag on China-related topics. He also focused on several Sino-German cultural exchange and preservation projects in Beijing and Berlin. He holds a B.A. in Politics, Philosophy, and Economics from the University of Warwick, where he wrote his dissertation on the corporate social credit system.

Page 28: Navigating China’s Cybersecurity and Data

China insights and judgment at the nexus of business and policy

Contact: Sinolytics [email protected]