China: Data Localisation

Regulatory framework

Currently, data localisation requirements under Chinese law mainly reside in the following laws, regulations and national standards (including their draft versions):[1]

  • the Cybersecurity Law (CSL);
  • the Data Security Law (DSL);
  • Personal Information Protection Law (PIPL);
  • draft Administrative Measures on Data Security (the Draft Data Security Measures);
  • draft Measures for Security Assessment on Cross-Border Transfer of Personal Information (the Draft Personal Information Assessment Measures);
  • draft Information Security Technology Guidelines for Cross-Border Data Transfer Security Assessment (the Draft Security Assessment Guidelines);
  • Regulations on the Security Protection of Critical Information Infrastructure (CII) (the CII Regulations); and
  • other industry-specific regulations.[2]

The CSL was published on 7 November 2016 and took effect on 1 July 2017, which marks the gradual formation of China’s new legal framework for cybersecurity and data protection. Among other requirements, the CSL provides localisation requirements for the operators of critical information infrastructure, as follows:

Critical information infrastructure operators shall store personal information and important data gathered and produced during operations within the territory of the People’s Republic of China. Where it is really necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council. Where the laws and administration regulations have other provisions, those provisions shall prevail.[3]

The CSL only provides some examples of the industries in which CIIs may exist (eg, public communication and information services, energy, communications, water conservation, finance, public services and e-government affairs) and leaves the detailed scope of CIIs and relevant security protection measures to the implementation rules to be issued by the State Council. The CII Regulations further provide that the CII protection should apply to key network facilities and information systems in important industries and areas such as public telecommunication and information services, energy, transport, water conservation, finance, public services, e-government and the science and technology industry for national defence, which may seriously endanger the national security, national economy, people’s livelihood and public welfare once they are subject to any destruction, loss of function or data leakage.[4]

To date, the meaning of ‘CII’ and of other key concepts, such as ‘important data’, remains unclear, pending implementation regulations to be issued in the future.

Under the CSL, only CII operators are required to comply with the requirements of data localisation and security assessment for cross-border data transfer, and there is no data localisation or cross-border data transfer security assessment requirement for ordinary network operators.[5] However, in 2019, the Cyberspace Administration of China (CAC) released the Draft Data Security Measures and the Draft Personal Information Assessment Measures for public consultation, which propose more detailed rules on data localisation for all network operators.

According to the Draft Data Security Measures, before a network operator publishes, shares, trades or sends important data overseas, it must assess the potential security risks and report to the relevant industry regulator for approval (or to the provincial-level cyberspace authority, if there is no clear industry regulator). According to the Draft Personal Information Assessment Measures, before a network operator sends personal information to a recipient outside of China, it shall report to the provincial-level cyberspace authority, which will then conduct a security assessment. If the security assessment is failed, the personal information cannot be sent to the overseas recipient. The Draft Personal Information Assessment Measures also set out the detailed requirements for the application and security assessment process, including the documents needed from the applicants (eg, a copy of the contract with the recipient and a self-risk assessment or security measure analysis report). As the Draft Data Security Measures and the Draft Personal Information Assessment Measures have not been finalised, whether these controversial requirements will pass as they are remains to be seen.[6]

The Draft Security Assessment Guidelines, a proposed non-binding national standard issued in 2017, set out some proposed steps and methodologies for a security assessment of the cross-border transfer of personal information and important data. An appendix to the Draft Security Assessment Guidelines lists some typical ‘important data’ in various industries. However, it is unclear to what extent the Draft Security Assessment Guidelines still have reference value: owing to the government-approval mechanism introduced by the newly issued Draft Data Security Measures and Draft Personal Information Assessment Measures, the Draft Security Assessment Guidelines themselves are likely to be amended soon.

On 1 September 2021, the Data Security Law (DSL) took effect. The DSL provides some high-level principles for cross-border data transfer. Article 10 of the DSL stipulates that ‘the state actively carries out international exchange and cooperation in the field of data, participates in the formulation of international rules and standards related to data security, and promotes cross-border flow of data safely and freely.’ However, the DSL also provides some high-level restrictions on cross-border data transfer, stipulating that ‘the state exercises export control over data pertaining to controlled items related to fulfilling international obligations and maintaining national security.’[7]

The DSL does not list the specific types of data that are subject to export control. It remains to be seen whether the legislature will continue to revise the provisions of the DSL that restrict the cross-border data transfer or whether it will formulate relevant supplementary regulations to implement the DSL.

The DSL also stipulates how to cope with the requests made by an overseas law enforcement agency to access the data stored within China. Article 36 of the DSL provides:

Any organization or individual within the territory of the People’s Republic of China shall not provide any foreign judicial body and law enforcement body with any data stored within the territory of the People’s Republic of China without the approval of the competent authority of the People’s Republic of China.

On 21 October 2020, a draft version of the Personal Information Protection Law (PIPL) was issued to solicit public opinions. After three rounds of revisions, the PIPL was finalised and issued on 20 August 2021, and comes into force on 1 November 2021. It provides some data localisation and cross-border transfer rules specific to personal information, including:

  • The personal information processed by a state organ shall be stored within China; where it is necessary to provide such information to an overseas party, a risk assessment shall be conducted. Relevant departments may be required to provide support and assistance for risk assessment.
  • Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the state cyberspace administration shall store within China the personal information collected and generated in China. If it is necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organised by the state cyberspace administration; if laws, administrative regulations or the provisions of the state cyberspace administration provide that the security assessment is not required, such provisions shall prevail.
  • Competent authorities of China will, in accordance with the relevant law or international treaty or agreement concluded or acceded to by China or in accordance with the principles of equality and reciprocity, handle requests for the provision of any personal information stored within China made by a foreign judicial or law enforcement body. Without the approval of competent authorities, personal information processors shall not provide any personal information stored within the territory of China to a foreign judicial or law enforcement body.
  • A personal information processor shall, before transferring personal information abroad, conduct a personal information protection impact assessment in advance and keep a record of the processing. The personal information protection impact assessment shall cover: whether the purpose, method or any other aspect of the processing of personal information is lawful, legitimate and necessary; security risks and impact on personal rights and interests; and whether the protection measures taken are legitimate, effective and appropriate to the degree of risks. The personal information protection impact assessment report and processing record shall be kept for at least three years.

In summary, under the above laws and regulations, China takes a relatively conservative attitude toward the cross-border transfer of data, in particular of personal information and important data. Companies that need to transfer personal information and important data abroad are likely, in future and depending on the applicable requirements, to be subject to self-assessment, government assessment or government approval.

In spite of the absence of a uniform data localisation regulation, a number of industries have already issued regulations on data localisation requirements applicable to entities in these industries, such as in banking,[8] insurance,[9] credit investigation,[10] post and courier services,[11] population health and genetic information,[12] online taxi booking businesses,[13] location services,[14] automobile[15] and civil aviation.

Enforcement bodies

China has not yet established a centralised authority to supervise data localisation and cross-border data transfer issues. The relevant supervisory and enforcement responsibilities are generally taken by various authorities in charge of data protection matters.[16]

As the data localisation rules in the CSL remain unclear and future regulations are pending implementation, there are no enforcement cases based on the high-level data localisation requirements in the CSL. However, for industry-specific localisation requirements, as the underlying regulations have been issued and the requirements are normally more specific, the competent authorities of various industries may enforce these requirements from time to time. For example, in late 2018, the Ministry of Science and Technology published its penalties against BGI and Huashan Hospital for an international cooperation project with Oxford University for research on Chinese human genetic resources without the approval of the competent authority. BGI was found to have transferred abroad human genetic resources information over the internet. The two entities were ordered to stop the related study projects, destroy all the genetic materials and related research data, and to suspend any international cooperation on human genetic resources until they are deemed qualified.[17]

The effect of local laws on foreign business

Foreign businesses face compliance challenges in relation to data localisation requirements. Generally speaking, to comply with the data localisation requirements, companies will need to invest significantly in China to set up local storage facilities, servers and cloud-based servers. However, although the CII Regulations have been issued, there is only a general definition of ‘critical information infrastructure’, and the scope for ‘operators of critical information infrastructure’ that are subject to data localisation requirements remains unclear. It is, therefore, difficult for foreign organisations to predict whether they themselves would fall under such strict data localisation rules.

It is also worth noting that, according to the PIPL, even if a company is not an ‘operator of critical information infrastructure’, the data localisation requirement will also apply if the volume of personal information processed by that company reaches the threshold stipulated by the authority. However, the volume threshold that triggers the data localisation requirement is unclear.

Some industry-specific data localisation rules also represent compliance challenges to foreign businesses doing business in and with China. For example, according to the Administrative Regulations on Human Genetic Resources of the People’s Republic of China, ‘foreign organisations, individuals and the institutions established or actually controlled thereby shall not collect or preserve China’s human genetic resources within the territory of China. Nor shall they provide China’s human genetic resources out of the country.’[18] If foreign organisations and institutions established or controlled by foreign organisations or individuals need to make use of China’s human genetic resources to carry out scientific research activities, they will need to abide by China’s laws, administrative regulations and relevant provisions of the state, and these activities must be carried out in cooperation with scientific research institutions, institutions of higher education, medical institutions and enterprises in China. In addition, cooperation shall be subject to several other requirements; for example, Chinese entities and their researchers must substantively participate in the entire research process during the period of cooperation. Further, the Interim Measures for the Administration of the Surveying and Mapping Conducted by Foreign Organisations or Individuals in China also provide that:

The management of surveying and mapping results in China shall be carried out in accordance with the relevant laws and regulations on the management of surveying and mapping achievements. Surveying and mapping results in China belong to Chinese departments or units. Without approval according to laws, surveying and mapping results shall not be carried or transferred out of the country in any form.[19]

Foreign parties will need to take into account these industry-specific requirements to evaluate the compliance risk and actual benefits of the relevant projects.

Outlook

With the promulgation of the CSL, DSL and PIPL, the Chinese data protection and cybersecurity legal regime is taking shape rapidly. Moreover, as the CII Regulations have also been issued, it is expected that the detailed categories of ‘critical information infrastructure’ will be published by relevant regulatory authorities of different industries and sectors in the near future. Companies doing business in China need to keep a close eye on developments in this area to stay compliant.
Footnotes

[1] See ‘China: Privacy’, ‘Privacy and data protection standards’ in this book.

[2] See section 2.

[3] Article 37 of the CSL.

[4] Article 2 of the CII Regulations.

[5] Under the CSL, ‘network operator’ has a very broad meaning, defined as ‘owner or manager of a network or the provider of a network service’.

[6] In May 2019, the CAC issued the Draft Data Security Measures for public consultation, which provides that ‘important data’ refers to the kind of data that, if divulged, may directly affect national security, economic security, social stability or public health and security (such as undisclosed government information), large-scale population, genetic health, geography and mineral resources, etc. Important data does not usually include information related to the production and operation and internal management of enterprises or personal information, etc. Further, ‘Network operators shall assess the potential security risks prior to releasing, sharing or selling important data or transferring such data abroad, and shall report to the competent regulatory department for approval. If the competent regulatory department is unclear, network operators shall report to the cyberspace administrations at the provincial level for approval.’ In June 2019, the CAC issued the Draft Personal Information Assessment Measures for public consultation. It provides that, ‘before the cross-border transfer of personal information, network operators shall apply to the local cyberspace administrations at the provincial level for security assessment for cross-border transfer of personal information.’ It provides that if the cross-border transfer of personal information may create national security or public interest concerns, or render it difficult to effectively protect the security of personal information, the cross-border transfer of such information shall not be allowed.

[7] Article 25 of the DSL.

[8] Article 6 of the Notice of the People’s Bank of China on ‘Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information’ and article 33 of the Notice of the People’s Bank of China on ‘Issuing the Implementation Measures of the People’s Bank of China for Protecting Financial Consumers’ Rights and Interests’.

[9] Article 82 of the Standards for the Financial and Accounting Work of Insurance Companies and article 4 of the Guidelines on Acceptance Inspection for Commencement of Business of Insurance Companies.

[10] Article 24 of the Regulation on the Administration of Credit Investigation Industry.

[11] Article 6 of the Measures for the Administration of the Real-Name Receipt and Delivery of Mails and Express Mails.

[12] Article 10 of the Measures for the Administration of Population Health Information; article 30 of the National Health and Medical Big Data Standards, Safety and Service Management Measures (trial); article 7 of the Administrative Regulations on Human Genetic Resources of the People’s Republic of China.

[13] Article 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services.

[14] Article 34 of the Regulation on Map Management.

[15] Article 11 of Several Provisions on Vehicle Data Security Management (for Trial Implementation).

[16] See ‘China: Privacy’, ‘Regulatory bodies’ in this book.

[17] See: ‘BGI was punished by the Ministry of Science and Technology for unlawfully transferring abroad human genetic resources information’, http://www.sohu.com/a/271433358_161795.

[18] Article 7 of the Administrative Regulations on Human Genetic Resources of the People’s Republic of China.

[19] Article 15 of the Interim Measures for the Administration of the Surveying and Mapping Conducted by Foreign Organisations or Individuals in China.