China Cybersecurity Law Update: Data localisation coming to China

Written By

John Shi

Partner
China

I am a partner in Bird & Bird's Corporate team and the chief representative of the Beijing office. I have extensive experience in transactional and commercial work across various sectors.

Sven-Michael Werner

Partner
China

I am a partner in the international Corporate Group based in Shanghai and have been living and working in China since 1999, and based in Shanghai since 2003. I have close to 20 years' experience practising law in China.

Michelle Chan

Of Counsel
UK

I'm a technology, telecoms and media lawyer, providing strategic, corporate and commercial advice to major players in the Asia Pacific region. I am based in London and I am Of Counsel in our Corporate & Commercial team.

A quick look at the draft "Measures on Security Assessment relating to Export of Personal Information and Important Data".

On 11 April 2017, the State Internet Information Office issued a draft "Measures on Security Assessment relating to Export of Personal Information and Important Data". The consultation period will end on 11 May 2017. The draft measures are prepared pursuant to the China Cybersecurity Law and should provide further insight into how the Chinese government intends to enforce the main legislation.

We highlight below some of the key provisions and requirements in the draft measures:

  • All personal information and "important data" collected and generated by network operators must be stored within the territory of the People's Republic of China (and for this purpose, Hong Kong, Taiwan and Macau are unlikely to be regarded as part of the territory of the PRC).
  • If for business reasons, personal information and important data need to be exported to a place outside of China, a security assessment must be conducted in accordance with the measures.
  • If personal data is involved in the export, network operators must: (1) notify the data subject of the purpose, scope, content, recipients and country or region where the recipients are located; and (2) obtain consent from the personal data subject. If no consent has been obtained, the personal information cannot be exported.
  • The security assessment will be carried out by the relevant supervisory authorities to which the network operators relate. All security assessments will be centrally co-ordinated by the State Internet Information Office.
  • Security assessment must be carried out under the following circumstances:
  1. the data to be exported involves personal information of 500,000 or more people;
  2. the amount of data is more than 1,000GB;
  3. the data concerns nuclear facilities, chemistry biology, national defense, health of the population, large-scale project activities, marine environment and sensitive geographic information data;
  4. network security data relating to critical information infrastructures, including system vulnerabilities, security defence and other network security data;
  5. export of personal information and important data by critical information infrastructure operators to provide; or
  6. other circumstances that may affect the national security and social public interests.

The draft measures also include a definition of "important data", a term that caused much concern when the Cybersecurity Law was first promulgated. In the draft measures, this is proposed to mean "data which is closely related to national security, economic development, and social and public interests, with specific reference to relevant national standards and important data identification guidelines".

Observations

The scope of data localisation as proposed in the draft measures is much wider than that contemplated under the Cybersecurity Law. Under the Cybersecurity Law, the data localisation requirement is only imposed on the operators of critical information infrastructure. The broadening of the data localisation obligation is unlikely to be well received by MNCs operating in China.

The draft measures now contain a definition of "important data", which appears to exclude business and commercial information. Whether this indeed will be the case, we will only be sure when the identification guidelines are eventually published.

It is also interesting to see the draft measures mention that the security assessment process set out in the measures should also be followed by other entities that collect personal information and important data in China, wish to export such information outside of China, and are required to undergo a security assessment of the export.
