China: Data Localisation
China has not yet issued a centralised personal data protection law or data security law. Currently, data localisation requirements under Chinese law mainly reside in the following laws, regulations and national standards (including their draft versions):
- the Cybersecurity Law (CSL);
- draft Data Security Law (DSL);
- draft Personal Information Protection Law;
- draft Administrative Measures on Data Security (the Draft Data Security Measures);
- draft Measures for Security Assessment on Cross-Border Transfer of Personal Information (the Draft Personal Information Assessment Measures);
- draft Information Security Technology Guidelines for Cross-Border Data Transfer Security Assessment (the Draft Security Assessment Guidelines);
- draft Critical Information Infrastructure (CII) Security Protection Regulation (the Draft CII Regulations); and
- other industry-specific regulations.
The CSL was published on 7 November 2016 and took effect on 1 July 2017, marking the gradual formation of China’s new legal framework for cybersecurity and data protection. Among other requirements, the CSL imposes localisation requirements on the operators of critical information infrastructure, as follows:
Critical information infrastructure operators shall store personal information and important data gathered and produced during operations within the territory of the People’s Republic of China. Where it is really necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council. Where the laws and administration regulations have other provisions, those provisions shall prevail.
The CSL only provides some examples of the industries in which CIIs may exist (eg, public communication and information services, energy, communications, water conservation, finance, public services and e-government affairs) and leaves the detailed scope of CIIs and relevant security protection measures to the implementation rules to be issued by the State Council. The Draft CII Regulations further provide that the CII protection should apply to:
- government agencies and entities in the energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection and public utilities sector;
- information networks, such as telecommunication networks, broadcast television networks and the internet, and entities providing cloud computing, big data and other large-scale public information network services;
- research and manufacturing entities in sectors such as science and technology for defence, large equipment manufacturing, chemicals industry and food and drug sectors; and
- press entities such as broadcasting and television stations, news agencies and other key entities.
To date, the meaning of ‘CII’ and of other key concepts, such as ‘important data’, remains unclear, pending implementation regulations to be issued in the future.
Under the CSL, only CII operators are required to comply with the requirements of data localisation and security assessment for cross-border data transfer, and there is no data localisation or cross-border data transfer security assessment requirement for ordinary network operators. However, in 2019, the Cyberspace Administration of China (CAC) released the Draft Data Security Measures and the Draft Personal Information Assessment Measures for public consultation, which propose more detailed rules on data localisation for all network operators.
According to the Draft Data Security Measures, before a network operator publishes, shares, trades or sends important data overseas, it must assess the potential security risks and report to the relevant industry regulator for approval (or to the provincial-level cyberspace authority, if there is no clear industry regulator). According to the Draft Personal Information Assessment Measures, before a network operator sends personal information to a recipient outside China, it shall report to the provincial-level cyberspace authority, which will then conduct a security assessment. If the security assessment is failed, the personal information cannot be sent to the overseas recipient. The Draft Personal Information Assessment Measures also set out detailed requirements for the application and security assessment process, including the documents required from applicants (eg, a copy of the contract with the recipient and a self-risk assessment or security measure analysis report). As the Draft Data Security Measures and the Draft Personal Information Assessment Measures have not been finalised, whether these controversial requirements will be adopted as they stand remains to be seen.
The Draft Security Assessment Guidelines, a proposed non-binding national standard issued in 2017, set out some proposed steps and methodologies for a security assessment of the cross-border transfer of personal information and important data. An appendix to the Draft Security Assessment Guidelines lists some typical ‘important data’ in various industries. However, it is unclear to what extent the Draft Security Assessment Guidelines still have reference value: owing to the government-approval mechanism introduced by the newly issued Draft Data Security Measures and Draft Personal Information Assessment Measures, the Guidelines themselves are likely to be amended soon.
On 3 July 2020, a draft version of the Data Security Law (DSL) was issued to solicit public opinions. The draft DSL provides some high-level principles for cross-border data transfer. Article 10 of the DSL stipulates that ‘the state actively carries out international exchange and cooperation in the field of data, participates in the formulation of international rules and standards related to data security, and promotes cross-border flow of data safely and freely.’ However, the draft DSL also proposes some high-level restrictions on cross-border data transfer, stipulating that ‘the state exercises export control over data pertaining to controlled items related to fulfilling international obligations and maintaining national security.’
The draft DSL does not list the specific types of data that are subject to export control. It remains to be seen whether the legislature will continue to revise the provisions of the DSL that restrict the cross-border data transfer or whether it will formulate relevant supplementary regulations to implement the DSL.
The draft DSL also stipulates how to handle requests made by an overseas law enforcement agency to access data stored within China. Article 33 of the draft DSL provides:
If an overseas law enforcement agency requests access to the data stored in the People’s Republic of China, the relevant organizations and individuals shall report to the relevant competent authorities and provide the data only after obtaining authorities’ approval. If the international treaties and agreements concluded or acceded to by the People’s Republic of China have provisions on the access of domestic data by foreign law enforcement agencies, such provisions shall prevail.
On 21 October 2020, a draft version of the Personal Information Protection Law (PIPL) was issued to solicit public opinions. The draft PIPL provides some data localisation and cross-border transfer rules specific to personal information, including:
- The personal information processed by a state organ shall be stored within China; where it is necessary to provide such information to an overseas party, a risk assessment shall be conducted. Relevant departments may be required to provide support and assistance for risk assessment.
- Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the state cyberspace administration shall store within China the personal information collected and generated in China. If it is necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organised by the state cyberspace administration; if laws, administrative regulations or the provisions of the state cyberspace administration provide that the security assessment is not required, such provisions shall prevail.
- Where it is necessary to provide personal information outside China owing to international judicial assistance or administrative enforcement assistance, an application shall be filed with the competent authority for approval in accordance with the law.
- A personal information processor shall, before transferring personal information abroad, assess the risks of the processing activity in advance and keep a record of the processing. The risk assessment shall cover: whether the purpose and method of processing personal information are legitimate, justifiable and necessary; the impact on individuals and the degree of risk; and whether the security protection measures taken are legitimate, effective and appropriate to the degree of risk. The risk assessment report and processing record shall be kept for at least three years.
In summary of the above laws and regulations, China takes a relatively conservative attitude toward the cross-border transfer of data, in particular of personal and important data. Companies that need to transfer personal data and important data abroad are likely, in future, to be subject to self-assessment, government assessment or government approval.
In spite of the absence of a uniform data localisation regulation, a number of industries have already issued regulations on data localisation requirements applicable to entities in these industries, such as in banking, insurance, credit investigation, post and courier services, population health and genetic information, online taxi booking businesses, location services and civil aviation.
China has not yet established a centralised authority to supervise data localisation and cross-border data transfer issues. The relevant supervisory and enforcement responsibilities are generally taken by various authorities in charge of data protection matters.
As the data localisation rules in the CSL remain unclear and future regulations are pending implementation, there are no enforcement cases based on the high-level data localisation requirements in the CSL. However, for industry-specific localisation requirements, as the underlying regulations have been issued and the requirements are normally more specific, the competent authorities of various industries may enforce these requirements from time to time. For example, in late 2018, the Ministry of Science and Technology published its penalties against BGI and Huashan Hospital for their international cooperation with Oxford University for research on Chinese human genetic resources without the approval of the competent authority. BGI was found to have transferred abroad human genetic resources information over the internet. The two entities were ordered to stop the related study projects, destroy all the genetic materials and related research data, and to suspend any international cooperation on human genetic resources until they are deemed qualified.
The effect of local laws on foreign business
Foreign businesses face significant compliance challenges in relation to data localisation requirements. Generally speaking, to comply with the data localisation requirements, companies will need to invest significantly in China to set up local storage facilities, servers and cloud-based servers. However, since the promulgation of the CSL, there has been no clear scope for ‘operators of critical information infrastructure’, which are subject to data localisation requirements. It is, therefore, difficult for foreign organisations to predict whether they themselves would fall under such strict data localisation rules.
It is also worth noting that, according to the draft PIPL, even if a company is not an ‘operator of critical information infrastructure’, the data localisation requirement will also apply if the volume of personal information processed by that company reaches the threshold stipulated by the authority. However, it remains unclear whether this requirement will survive in the final version of the PIPL and what volume threshold will trigger the data localisation requirement.
Some industry-specific data localisation rules also present compliance challenges to foreign businesses doing business in and with China. For example, according to the Administrative Regulations on Human Genetic Resources of the People’s Republic of China, ‘foreign organisations, individuals and the institutions established or actually controlled thereby shall not collect or preserve China’s human genetic resources within the territory of China. Nor shall they provide China’s human genetic resources out of the country.’ If foreign organisations, or institutions established or controlled by foreign organisations or individuals, need to make use of China’s human genetic resources to carry out scientific research activities, they will need to abide by China’s laws, administrative regulations and relevant provisions of the state, and these activities must be carried out in cooperation with scientific research institutions, institutions of higher education, medical institutions and enterprises in China. In addition, such cooperation is subject to numerous requirements; for example, Chinese entities and their researchers must substantively participate in the entire research process during the period of cooperation. Further, the Interim Measures for the Administration of the Surveying and Mapping Conducted by Foreign Organisations or Individuals in China also provide that:
The management of surveying and mapping results in China shall be carried out in accordance with the relevant laws and regulations on the management of surveying and mapping achievements. Surveying and mapping results in China belong to Chinese departments or units. Without approval according to laws, surveying and mapping results shall not be carried or transferred out of the country in any form.
Foreign parties will need to take into account these industry-specific requirements to evaluate the compliance risk and actual benefits of the relevant projects.
With the promulgation of the CSL, the Chinese data protection and cybersecurity legal regime has taken shape rapidly. Moreover, the draft versions of the Data Security Law and Personal Information Protection Law have been published to solicit public opinion. They are expected to be passed soon and will provide more detailed requirements on data localisation and cross-border data transfer. Companies doing business in China need to keep a close eye on developments in this area to stay compliant.
1 See ‘China: Privacy’, ‘Privacy and data protection standards’ in this book.
2 See section 2.
3 Article 37 of the CSL.
4 Article 18 of the Draft CII Regulations.
5 Under the CSL, ‘network operator’ has a very broad meaning, defined as ‘owner or manager of a network or the provider of a network service’.
6 In May 2019, the CAC issued the Draft Data Security Measures for public consultation, which provides that ‘important data’ refers to the kind of data that, if divulged, may directly affect national security, economic security, social stability or public health and security (such as undisclosed government information), large-scale population, genetic health, geography and mineral resources, etc. Important data does not usually include information related to the production and operation and internal management of enterprises or personal information, etc. Further, ‘Network operators shall assess the potential security risks prior to releasing, sharing or selling important data or transferring such data abroad, and shall report to the competent regulatory department for approval. If the competent regulatory department is unclear, network operators shall report to the cyberspace administrations at the provincial level for approval.’ In June 2019, the CAC issued the Draft Personal Information Assessment Measures for public consultation. It provides that, ‘before the cross-border transfer of personal information, network operators shall apply to the local cyberspace administrations at the provincial level for security assessment for cross-border transfer of personal information.’ It provides that if the cross-border transfer of personal information may create national security or public interest concerns, or render it difficult to effectively protect the security of personal information, the cross-border transfer of such information shall not be allowed.
7 Article 23 of the DSL.
8 Article 6 of the Notice of the People’s Bank of China on ‘Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information’ and article 33 of the Notice of the People’s Bank of China on ‘Issuing the Implementation Measures of the People’s Bank of China for Protecting Financial Consumers’ Rights and Interests’.
9 Article 82 of the Standards for the Financial and Accounting Work of Insurance Companies and article 4 of the Guidelines on Acceptance Inspection for Commencement of Business of Insurance Companies.
10 Article 24 of the Regulation on the Administration of Credit Investigation Industry.
11 Article 6 of the Measures for the Administration of the Real-Name Receipt and Delivery of Mails and Express Mails.
12 Article 10 of the Measures for the Administration of Population Health Information; article 30 of the National Health and Medical Big Data Standards, Safety and Service Management Measures (trial); article 7 of the Administrative Regulations on Human Genetic Resources of the People’s Republic of China.
13 Article 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services.
14 Article 34 of the Regulation on Map Management.
15 See ‘China: Privacy’, ‘Regulatory bodies’ in this book.
17 Article 7 of the Administrative Regulations on Human Genetic Resources of the People’s Republic of China.
18 Article 15 of the Interim Measures for the Administration of the Surveying and Mapping Conducted by Foreign Organisations or Individuals in China.