China: Data Localisation
China has not yet issued a centralised personal data protection law or data security law. Currently, data localisation requirements under Chinese law mainly reside in the following laws, regulations and national standards (including their draft versions):
- the Cybersecurity Law (CSL);
- draft Administrative Measures on Data Security (the Draft Data Security Measures);
- draft Measures for Security Assessment on Cross-Border Transfer of Personal Information (the Draft Personal Information Assessment Measures);
- draft Information Security Technology Guidelines for Cross-Border Data Transfer Security Assessment (the Draft Security Assessment Guidelines);
- draft Critical Information Infrastructure (CII) Security Protection Regulation (the Draft CII Regulations); and
- other industry-specific regulations.
The CSL was published on 7 November 2016 and took effect on 1 July 2017, marking the start of China’s new legal framework for cybersecurity and data protection. Among other requirements, the CSL imposes the following localisation requirement on operators of critical information infrastructure:
Critical information infrastructure operators shall store personal information and important data gathered and produced during operations within the territory of the People’s Republic of China. Where it is really necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council. Where the laws and administration regulations have other provisions, those provisions shall prevail.
The CSL only provides some examples of the industries in which CIIs may exist (eg, public communication and information services, energy, transportation, water conservation, finance, public services and e-government affairs) and leaves the detailed scope of CIIs and the relevant security protection measures to implementation rules to be issued by the State Council. The Draft CII Regulations further provide that CII protection should apply to:
- government agencies and entities in the energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection and public utilities sector;
- information networks, such as telecommunication networks, broadcast television networks and the internet, and entities providing cloud computing, big data and other large-scale public information network services;
- research and manufacturing entities in sectors such as science and technology for defence, large equipment manufacturing, chemicals industry and food and drug sectors; and
- press entities such as broadcasting and television stations, news agencies and other key entities.
To date, the meaning of ‘CII’ and of other key concepts, such as ‘important data’, remains unclear, pending implementation regulations to be issued in the future.
Under the CSL, only CII operators are required to comply with the requirements of data localisation and security assessment for cross-border data transfer, and there is no data localisation or cross-border data transfer security assessment requirement for ordinary network operators. However, in 2019, the Cyberspace Administration of China (CAC) released the Draft Data Security Measures and the Draft Personal Information Assessment Measures for public consultation, which propose more detailed rules on data localisation for all network operators.
According to the Draft Data Security Measures, before a network operator publishes, shares, trades or sends important data overseas, it must assess the potential security risks and report to the relevant industry regulator for approval (or to the provincial-level cyberspace authority, if there is no clear industry regulator). According to the Draft Personal Information Assessment Measures, before a network operator sends personal information to a recipient outside China, it shall report to the provincial-level cyberspace authority, which will then conduct a security assessment. If the transfer fails the security assessment, the personal information cannot be sent to the overseas recipient. The Draft Personal Information Assessment Measures also set out detailed requirements for the application and security assessment process, including the documents required from applicants (eg, a copy of the contract with the recipient and a self-risk assessment or security measure analysis report). As the Draft Data Security Measures and the Draft Personal Information Assessment Measures have not been finalised, whether these controversial requirements will pass in their current form remains to be seen.
The Draft Security Assessment Guidelines, a proposed non-binding national standard issued in 2017, set out proposed steps and methodologies for a security assessment of the cross-border transfer of personal information and important data. An appendix to the Draft Security Assessment Guidelines lists some typical ‘important data’ in various industries. However, it is unclear to what extent the Draft Security Assessment Guidelines still have reference value: owing to the government-approval mechanism introduced by the newly issued Draft Data Security Measures and Draft Personal Information Assessment Measures, the Draft Security Assessment Guidelines themselves are likely to be amended soon.
In summary, the above laws and regulations show that China takes a relatively conservative attitude toward the cross-border transfer of data, in particular of personal and important data. Companies that need to transfer personal data and important data abroad are likely, in future, to be subject to self-assessment, government assessment or government approval.
In spite of the absence of a uniform data localisation regulation, a number of industries have already issued regulations on data localisation requirements applicable to entities in these industries, such as in banking, insurance, credit investigation, post and courier services, population health and genetic information, online taxi booking businesses, location services and civil aviation.
China has not yet established a centralised authority to supervise data localisation and cross-border data transfer issues. The relevant supervisory and enforcement responsibilities are generally taken by various authorities in charge of data protection matters.
As the data localisation rules in the CSL remain unclear and future regulations are pending implementation, there are no enforcement cases based on the high-level data localisation requirements in the CSL. However, for industry-specific localisation requirements, as the underlying regulations have been issued and the requirements are normally more specific, the competent authorities of various industries may enforce these requirements from time to time. For example, in late 2018, the Ministry of Science and Technology published its penalties against BGI and Huashan Hospital for their international cooperation with Oxford University for research on Chinese human genetic resources without the approval of the competent authority. BGI was found to have transferred abroad human genetic resources information over the internet. The two entities were ordered to stop the related study projects, destroy all the genetic materials and related research data, and to suspend any international cooperation on human genetic resources until they are deemed qualified.
The effect of local laws on foreign business
Foreign businesses face significant compliance challenges in relation to data localisation requirements. Generally speaking, to comply with the data localisation requirements, companies will need to invest significantly in China to set up local storage facilities, servers and cloud-based servers. However, since the promulgation of the CSL, there has been no clear scope for ‘operators of critical information infrastructure’, which are subject to data localisation requirements. It is, therefore, difficult for foreign organisations to predict whether they themselves would fall under such strict data localisation rules.
Some industry-specific data localisation rules also present compliance challenges to foreign businesses doing business in and with China. For example, according to the Administrative Regulations on Human Genetic Resources of the People’s Republic of China, ‘foreign organisations, individuals and the institutions established or actually controlled thereby shall not collect or preserve China’s human genetic resources within the territory of China. Nor shall they provide China’s human genetic resources out of the country.’ If foreign organisations, or institutions established or controlled by foreign organisations or individuals, need to make use of China’s human genetic resources to carry out scientific research activities, they will need to abide by China’s laws, administrative regulations and relevant provisions of the state, and these activities must be carried out in cooperation with scientific research institutions, institutions of higher education, medical institutions and enterprises in China. In addition, such cooperation is subject to numerous requirements; for example, Chinese entities and their researchers must substantively participate in the entire research process during the period of cooperation. Further, the Interim Measures for the Administration of the Surveying and Mapping Conducted by Foreign Organisations or Individuals in China also provide that:
The management of surveying and mapping results in China shall be carried out in accordance with the relevant laws and regulations on the management of surveying and mapping achievements. Surveying and mapping results in China belong to Chinese departments or units. Without approval according to laws, surveying and mapping results shall not be carried or transferred out of the country in any form.
Foreign parties will need to take into account these industry-specific requirements to evaluate the compliance risk and actual benefits of the relevant projects.
With the promulgation of the CSL, the Chinese data protection and cybersecurity legal regime has taken shape rapidly. China is drafting a separate Data Security Law and Personal Information Protection Law, which are expected to be passed in the next few years and will provide more detailed requirements on data localisation. Companies doing business in China need to keep a close eye on developments in this area to stay compliant.