China Cybersecurity Law Update: Data localisation coming to China

By Clarice Yue, Michelle Chan, John Shi, Sven-Michael Werner


A quick look at the draft "Measures on Security Assessment relating to Export of Personal Information and Important Data".

The State Internet Information Office issued on 11 April 2017 a draft "Measures on Security Assessment relating to Export of Personal Information and Important Data". The consultation period will end on 11 May 2017. The draft measures are prepared pursuant to the China Cybersecurity Law and should provide further insight into how the Chinese government intends to enforce the main legislation.

We highlight below some of the key provisions and requirements in the draft measures:

  • All personal information and "important data" collected and generated by network operators must be stored within the territory of the People's Republic of China (and for this purpose, Hong Kong, Taiwan and Macau are unlikely to be regarded as part of the territory of the PRC).
  • If for business reasons, personal information and important data need to be exported to a place outside of China, a security assessment must be conducted in accordance with the measures.
  • If personal data is involved in the export, network operators must: (1) notify the data subject of the purpose, scope, content, recipients and country or region where the recipients are located; and (2) obtain consent from the personal data subject. If no consent has been obtained, the personal information cannot be exported.
  • The security assessment will be carried out by the relevant supervisory authorities to which the network operators relate. All security assessments will be centrally co-ordinated by the State Internet Information Office.
  • Security assessment must be carried out under the following circumstances:
      1. the data to be exported involves personal information of 500,000 or more people;
      2. the amount of data is more than 1,000GB;
      3. the data concerns nuclear facilities, chemistry biology, national defense, health of the population, large-scale project activities, marine environment and sensitive geographic information data;
      4. network security data relating to critical information infrastructures, including system vulnerabilities, security defence and other network security data;
      5. export of personal information and important data by critical information infrastructure operators to provide; or
      6. other circumstances that may affect the national security and social public interests.

The draft measures also include a definition which has caused much concern when the Cybersecurity Law was first promulgated, that is the definition of "important data". In the draft measures, this is proposed to mean "data which is closely related to national security, economic development, and social and public interests, with specific reference to relevant national standards and important data identification guidelines".


The scope of data localisation as proposed in the draft measures is much wider than is contemplated under the Cybersecurity Law. Under the Cybersecurity Law, the data localisation requirement is only imposed on the operators of critical information infrastructure. The broadening of the data localisation obligation is unlikely to be well received by MNCs operating in China.

The draft measures now contain a definition of "important data", which appears to exclude business and commercial information. Whether this indeed will be the case, we will only be sure when the identification guidelines are eventually published.

It is also interesting to see the draft measures mentioning that the security assessment process set out in the measures should also be followed by other entities that collect personal information and important data in China, wish to export such information outside of China and are required to undergo a security assessment of the export.