China: Data Localisation

Regulatory structure and framework

Data localisation requirements and cross-border data transfer regulations are two of the most important and rapidly developing regulatory areas under the laws of the People’s Republic of China (PRC or China). ^[1] The current laws, regulations, national standards and guidelines (including some draft versions circulated for public comment, collectively the Regulations) cover the cross-border transfer of:

• personal information;
• important data (as defined in ‘Localisation requirements and restrictions on the cross-border transfer of important data’, below); and
• data in specific industries, for example:
  • automotive important data;^[2]
  • online car-hailing service data;
  • personal financial information;^[3]
  • human genetic resources;^[4]
  • big data in healthcare ^[5] and population health information;
  • overseas IPO archives (as defined in the ‘Overseas IPO archives’ subsection of ‘Localisation requirements and restrictions on the cross-border transfer of industry-specific or area-specific data’, below); and
  • automated driving map data.^[6]

The above list does not exhaustively list all data subject to localisation or data cross-border transfer restrictions, but illustrates some of the most heavily regulated areas.

The following Regulations are the major rules that govern cross-border transfers and localisation requirements in the PRC:

Localisation requirements and restrictions on the cross-border transfer of personal information ^[7]

If a personal information handler (PI handler) ^[8] wishes to transfer personal information to another country, the handler needs to meet each of the following requirements.^[9]

Conduct a personal information protection assessment for cross-border transfer of personal information

Before transferring personal information abroad, a PI handler must conduct a personal information protection assessment (PIPA) in advance, and keep a record of the processing for at least three years. The PIPA must mainly focus on the following aspects:

• whether the purposes and methods of personal information handling are legitimate, justified and necessary;
• the impact on individuals’ rights and interests, and relevant security risks; and
• whether the protection measures are legitimate, effective and match the degree of risk.

If the PI handler transfers personal information abroad by entering into a standard contract (this mechanism for cross-border data transfer is detailed below) issued by the Cyberspace Administration of China (CAC), the PIPA of the cross-border data transfer must analyse:^[10]

• whether the responsibilities and obligations undertaken by the overseas recipient, as well as the management and technical measures for such obligations, can ensure the safety of personal information transferred;
• the responsibilities and obligations that the overseas recipient promises to undertake, as well as the management and technical measures, and capabilities for fulfilling the responsibilities and obligations that aim at ensuring the security of personal information cross-border transfer; and
• how the performance of the standard contract will be impacted by the personal information protection policies and regulations of the country or region where the overseas recipient is located.

Provide information and obtain separate consent from personal information subjects

The PI handler should inform personal information subjects (PI subjects) of

• the overseas recipient’s name and contact information;
• the processing purposes and methods;
• types of personal information involved; and
• procedures for PI subjects to exercise their rights under the PIPL with the overseas recipient.

It must also obtain the PI subject’s separate consent for the cross-border transfer.^[11]

Although there is no Regulation that specifically provides what ‘separate consent’ is, in practice, it is interpreted as consent that should be obtained in an explicit and separate manner (please see the example at the end of this paragraph), and the consent procedure must avoid ‘bundled consent’ that combines different categories of personal information and different processing purposes and methods together. For example, in an online customer journey, separate consents may be obtained by setting a separate checkbox in a pop-up window and permitting the PI subject to specifically review the privacy policy and choose whether or not to click the checkbox.

Security assessment, standard contract or certification

Depending on specific scenarios and the data category or amount involved, and among other requirements, the PI handler needs to complete one of the following three tasks:

• conduct a security assessment;
• conclude a standard contract; or
• complete a certification.

In order to know which task should be completed, the PI handler needs to first confirm if its personal information handling activities meet one of the following conditions:^[12]

• whether the PI handler:
  • is recognised as a critical information infrastructure operator (CIIO);^[13] or
  • transfers important data abroad;
• whether it handles the personal information of more than one million persons;
• whether the cumulative amount of personal information provided by it overseas exceeds 100,000 persons since the first calendar day of the previous year; or
• whether the cumulative amount of sensitive personal information provided by it overseas exceeds 10,000 persons since the first calendar day of the previous year.

A PI handler that meets one of the above conditions must file its cross-border data transfer activities with the CAC for security assessment. A PI handler that does not meet any one of the above conditions can enter into an agreement with the overseas data recipient based on a standard contract issued by CAC.

CAC security assessment

A PI handler required to file and pass the security assessment conducted by CAC must complete a prior self-assessment for such cross-border data transfer. The self-assessment should mainly focus on the risks associated with national security, public interests, and the legitimate rights and interests of relevant individuals or organisations.^[14]

The CAC will then evaluate the risks associated with such cross-border data transfer, focusing on matters such as the impact of the data security protection policies and network security environment of the jurisdiction of the overseas recipient, and whether the overseas recipient meets the data protection standards required by Chinese law.^[15]

If CAC security assessment not required and the standard contract is applicable

A PI handler that does not meet any one of the above conditions and is not required to obtain certification (see below) can just enter into a standard contract with the offshore data recipient to comply with the PIPL’s restrictions on cross-border transfers and does not need to pass a security assessment by the CAC to meet compliance requirement.

A template for the standard contract is attached to the Draft Standard Contracts for CBDT.

The standard contract must oblige the overseas recipient to:

• allow the onshore PI handler to audit the processing activities related to the standard contract; and
• provide a relevant audit report to the onshore PI handler regarding the deletion or anonymisation of personal information when the storage period of the relevant personal information expires or when the standard contract is terminated.

Such requirements may be controversial between the handler in PRC and the overseas recipient and make the negotiation of the standard contract more time consuming.

Both the onshore PI handler and the overseas recipient must provide copies of the standard contract to the PI subject if they request. Therefore, the parties may wish to ensure the standard contract for cross-border transfers is prepared in a separate document to the other contractual terms so as to avoid disclosing more commercial and contractual details to the PI subjects.

If CAC security assessment not required and the certification is applicable

According to PIPL, if it is not required to complete the security assessment, either a standard contract should be entered into or a certification should be obtained. However, currently CAC has not issued detailed guidance about the certification and has not designated which institutions can conduct such certification. Thus, PI handlers tentatively can only choose to enter into a standard contract as a way to fulfil compliance obligation. Certain PI handlers may be required to obtain certification from a specialised institution prior to undertaking a cross-border transfer when required by regulations that have not yet been issued.

Although a specification named Cybersecurity Standard Practice Guide – Regulations on Security Certification of Cross-border Personal Information Processing was issued by the National Information Security Standardization Technical Committee on 24 June 2022, it only provides a recommended certification procedure and does not have binding legal effect. Further regulations regarding personal information protection certification are yet to be issued by the CAC to clarify the scope and requirements of the certification obligation.

Sector specific requirements

It is worth noting that, in addition to the above, a PI handler wishing to undertake a cross-border transfer may be subject to other requirements provided by authorities regulating specific industries. Such requirements depend on the circumstances of the cross-border transfer and the category and quantity of data involved. The section below provides an introduction to some of the special requirements in certain situations.

Localisation requirements and restrictions on the cross-border transfer of important data

Under PRC law, ‘important data’ refers to data that may endanger national security or public interest once tampered with, damaged, leaked, illegally obtained or illegally utilised. A data handler needs to identify its important data.

The Measures for CBDT Security Assessment provides that if a data handler intends to transfer important data collected and generated during its operations within China overseas, it should conduct a self-assessment of the risk of that transfer. ^[16] After such self-assessment, the data handler must then go through a security assessment organised by CAC to obtain prior approval for the transfer of important data.

However, currently available Regulations still fail to provide a complete and comprehensive regulatory framework for data handlers to identify important data because:

• the number of effective regulations for identifying important data in specific industries are very limited. Basically, the Provisions on Automotive Data is the only regulation in force that points out the specific scope of important data in a specific industry. However, even those provisions provide a too general scope of important data ^[17] and fail to provide sufficiently detailed guidelines to enable clear and effective identification of important data; and
• some national standards and guidelines providing detailed guidance on how to identify important data are either just drafts for public comment or otherwise not legally binding.

Localisation requirements and restrictions on cross-border data transfer by CIIOs

The CSL provides that a CIIO must usually store personal information and important data collected and generated during operations in China within the PRC. Where it is necessary to provide such information and important data to overseas parties for business purposes, the CIIO should conduct a risk self-assessment,file for the security assessment by CAC in accordance with the Measures for CBDT Security Assessment and obtain the CAC’s approval before undertaking the cross-border transfer.^[18]

A CIIO is identified based on rules formulated by the relevant competent authorities in respective industries.^[19]

Localisation requirements and restrictions on the cross-border transfer of industry-specific or area-specific data

Where an entity intends to transfer its data overseas, additional compliance obligations may apply depending on the nature of the data and specific industry. Below is an introduction to the data transfer requirement in certain industries that are heavily regulated.

Automotive important data

An automotive important data ^[20] handler must usually store important data within China. If it is really necessary to provide such data to overseas entities for business purposes, the transfer may proceed if it passes a prior security assessment conducted by the CAC (the same localisation requirements as for transferring important data abroad for general scenarios and industries).^[21]

The automotive important data handler must also report its important data handling activities to a local branch of the CAC by 15 December of each year. That report should include details of:

• certain basic information on the overseas recipient;
• the type, scale and purposes of the data to be transferred, and the necessity of the transfer;
• the location, scope and retention period for the data;
• the complaints of PI subjects regarding personal information handling activities, and how such complaints are handled; and
• other information required by competent authorities.^[22]

Online car-hailing service data

An online car-hailing platform company (eg, DiDi) must generally store and handle the personal information and business data in China. The car-hailing platform company may not provide the data overseas unless otherwise required by laws and regulations.^[23]

Personal financial information ^[24]

Personal financial information, collected and generated in the course of providing financial products or services in the PRC must usually be stored and handled within the PRC. If it is necessary to provide such information to affiliates located outside of PRC for business purposes, the personal financial information handler must:

• comply with the relevant laws and regulations; and
• meet certain requirements, including obtaining the explicit consent of the personal financial information subject, conducting a personal financial information protection assessment and, by entering into agreements or conducting on-site inspections or through other ways, supervising overseas recipients’ performance of the confidentiality obligation, data deletion obligation and the obligation of providing assistance in case investigation.

Human genetic resources ^[25]

Foreign organisations and individuals (or institutions formed or controlled by them, collectively known as Foreign HGR Recipients) should not collect or store human genetic resources within China (such human genetic resources within China being referred to as PRC HGR), nor should they provide PRC HGR overseas.^[26]

If a PRC entity intends to provide PRC HGR overseas for international cooperation science research or other necessary purposes, it needs to obtain approval from the Science and Technology Administrative Department, and meet all of the following conditions:

• the provision of such data will cause no harm to the public health or public interest of the PRC;
• the purpose of transferring such data abroad is reasonable and the identity information of the offshore recipient is clear;
• the human genetic resource materials are collected or received legally; and
• the provision has passed the ethical review.^[27]

If a PRC entity intends to provide PRC HGR to Foreign HGR Recipients, it should file a request with China’s Ministry of Science and Technology of the PRC for approval. Such filings should include the purposes of transfer activities, a copy of such PRC HGR, basic information about the recipient, and a risk assessment of the PRC HGR transfer. If such transfer activities may have a negative impact on public health and public interests, the PRC entity must also pass a security review conducted by the applicable regulatory authority.^[28]

Big data in healthcare and population health information

Big data in healthcare ^[29] must be stored in a server in the PRC. If a data handler needs to provide such data outside of the PRC for business purposes, it should conduct a prior security assessment in accordance with the relevant laws and regulations. However, there is not yet any effective regulation that explains the specific requirements on such security assessments.^[30]

Population health information ^[31] must not be stored in any server located outside of the PRC.^[32]

Overseas IPO archives

The Draft Archives Rules provides procedures for confidentiality and file management that an enterprise in the PRC should comply with before providing information abroad. A PRC enterprise must go through different approval procedures depending on the category of information to be transferred abroad.

Archives, such as basic working documents, produced in the PRC by securities companies ^[33] and securities service institutions ^[34] for the purpose of overseas securities issuance and listing during the process of providing relevant security business, should be stored in the PRC. The transmission of all such working papers to recipients outside of the PRC must be approved by applicable regulatory authorities of the PRC.^[35]

If the PRC enterprise intends to cooperate with overseas securities regulators or relevant authorities in their investigations and inspections or provide materials to them, it must file an application to the China Securities Regulatory Commission in advance for approval.^[36]

A PRC enterprise must usually not provide any accounting records to an overseas accounting firm that has not gone through regulatory procedures as required by Chinese law.^[37]

If it is necessary for the PRC enterprise to provide accounting records to overseas regulators and such account records have significant preservation value for the nation and society, then the PRC enterprise must complete certain regulatory procedures in advance of the transfer.^[38]

Automated driving map data ^[39]

If a data handler intends to provide automated driving map data to foreign organisations or individuals, or to any wholly foreign-owned enterprise or sino-foreign joint venture registered in China, it should obtain prior approval from the applicable surveying, mapping and geoinformation administrative authorities.^[40]

Enforcement body

As reflected above, generally the CAC plays a leading role in the monitoring and enforcement of localisation and cross-border data transfer laws. Industry-specific regulators are also responsible for regulating localisation and data cross-border transfer activities in specific industries.

A practical issue is that a data transferor in the PRC may need to obtain approvals or conduct filings under multiple administrative procedures if different regulations apply. For example, if a local entity in the PRC wishes to transfer human genetic resources to a research institution in another country and such transferred human genetic resources exceeds certain amount (eg, sensitive personal information of over 10,000 persons since the first day of the previous year), such transfer activities require prior approval from the Ministry of Science and Technology for PRC HGR data transfer, and would also be subject to a separate prior security assessment by the CAC.

Currently, there are few publicly available reports of enforcement of the cross-border data transfer rules. A rare example is that in 2015 the Ministry of Science and Technology imposed an administrative penalty on Huada Technology and Huashan Hospital because those entities transferred certain human genetic resources data to University of Oxford for a research project without obtaining prior approval from the Ministry of Science and Technology.

There is no publicly reported case related to violations of the cross-border transfer regime since 2015. One reason may be that the major regulatory rules for cross-border transfer restrictions are provided in the PIPL and in the DSL, which only recently entered force. Also, such two laws lack cross-border transfer requirement details, and the requirement details are provided in some Regulations like in the Measures for CBDT Security Assessment or in the Draft Standard Contracts for CBDT, which were issued in around June and July of 2022. So regulators may need more time to investigate compliance and proceed with enforcement. For example, there may be more enforcement cases after February of 2023 once a six month grace period under the Measures for CBDT Security Assessment expires.

Effect on foreign-invested companies

A large number of foreign-invested companies in the PRC store all or part of their data in servers outside the PRC, rely on integrated IT infrastructure and management by teams in other jurisdictions, or otherwise need to transfer data collected in the PRC to colleagues in other countries. Such companies must comply with the PRC’s localisation and cross-border regulations.

To evaluate the effect of such regulations on their businesses and compliance obligations, foreign-invested companies should:

• review their data and identify key details, including the categories of data and the amount of data; and
• identify whether their business is in an industry or business area that is subject to special cross-border regulations.

Generally speaking, if a foreign-invested company (1) handles a comparatively large amount of personal information; (2) handles certain types of regulated data (eg, important data or one of the other categories referred to earlier as industry-specific or area-specific data); or (3) belongs to certain industries that have special cross-border data transfer rules, then it needs to either:

• invest significant resources to localise its data in the PRC; or
• file and pass all security assessments and obtain necessary approvals for its cross-border data transfers.

If a foreign-invested company actually processes huge amounts of personal information or its services or products may otherwise have significant influence on the national security or public interest in PRC, the place where its data is stored might raise a significant concern from regulators and it may need to localise data storage and processing in the PRC from the perspective of better compliance and improving long-term governmental relationship.

In practice, many foreign-invested companies will fall within one of scenarios (1)–(3) above. This is because the relevant thresholds are relatively low and because many companies in the consumer, manufacturing and healthcare industries process personal information from numerous customers or process important data.

If a foreign-invested company falls outside of scenarios (1)–(3) above, it may be able to achieve compliance for cross-border data transfers in a relatively ‘light’ way. For example, it may only need to obtain consent from individuals, to conduct a PIPA, and to enter into adequately prepared standard contract with the overseas data recipient.

In practice, some foreign-invested companies that have a ‘B2B’ business model may find it easier to adopt such a light compliance approach. That is because such companies may only process personal information from employees and contact persons of business partners (provided their industries are not sensitive and they do not process important data). Also, some investment funds or companies with a foreign background may be able to utilise a light approach because the business of such funds and companies is investment and thus they might find it easier to avoid collecting important data or large amounts of personal information. For example, investment funds may be able to anonymise a large portion of data received without impacting on their business.

Trend

With the issuance of the Measures for CBDT Security Assessment and the Draft Standard Contracts for CBDT, the outline of the structure for regulating cross-border data transfers and localisation has been established. The PRC has significantly increased its regulation of detailed localisation and cross-border transfers in recent years.

In the near future, regulatory authorities may issue the rules and procedures necessary for clearly identifying important data. Such details are of great importance when accurately identifying whether important data is transferred, because if the important data is transferred, a security assessment is required. As a result, such details will help with the better enforcement of the important data regulations. Alignment and cooperation on the identification of important data among various different regulatory authorities will be key, because the overall regime relies on both the CAC and other authorities.

Those regulators responsible for specific industries may also issue more industry-focused regulations in the near future. Companies need to closely follow legislative developments in their specific sectors.

With more and more of the Regulations now in place, authorities will have more detailed guidance and legal grounds to enforce the law on cross-border transfers and localisation. It is anticipated that future enforcement action may provide a clearer view about the operation of those Regulations and the approach authorities will take to enforcing them.

Notes