October 09, 2023

Complete Guide on Data Residency and Cross-Border Transfers in China


Multinational corporations in China are increasingly familiar with the strict data privacy laws and regulations guiding business operations within the country. One of the biggest focuses of these data protection laws is data localization in China.

China data protection laws have set specific requirements for cross-border data transfer by companies that collect Chinese citizens’ personal information. As part of PIPL compliance, companies are expected to keep data collected and processed in China within Chinese borders.

However, specific provisions of China’s data residency laws allow for cross-border data transfer, providing some requirements are met. For example, some of these regulations specify that businesses use cloud services in China to store the personal information of Chinese citizens.

China’s PIPL is clear on companies’ compliance with China’s data localization requirements. However, the problem that most business owners and multinational corporations face is understanding how to comply with these localization requirements.

PIPL did not fully clarify and expand on the requirements needed for the cross-border transfer of the personal information of Chinese citizens. This necessitated the addition of new technical specifications seeking to clarify Article 38 of the PIPL.

Even with the addition of the technical specifications, it will still take some getting used to properly articulating the requirements for cross-border data transfers. Therefore, this blog breaks down some of the China data localization requirements for businesses and how to comply with them.


China Data Residency Requirements

According to the new clarifications in the Chinese data protection laws, two circumstances will determine if a company is expected to comply with China’s localization requirements. These are:

  • Is the business a critical information infrastructure operator?
  • Does the business process ‘important’ data?

The first circumstance considers the type of business in operation. For example, companies that handle critical information infrastructure must keep all data collected and processed within Chinese borders.

This designation comes as a result of the data they collect and store, which is viewed as being sensitive to China’s national security and economy. Hence, data transfer is only allowed after receiving approval from the appropriate regulatory authorities.

The China Cybersecurity Law (CSL) defines critical information infrastructure (CII) as any framework that can negatively affect national or public interests if damaged. Telecommunication services, transportation, financial institutions, and public services are generally considered CII.

However, China’s data residency laws do not specify the criteria for classifying a CII. There is also no list of published CII or CII operators, making it difficult for business owners to easily assess whether they fall into this designation.

The second circumstance considers the type of data processed by companies. Data controllers must be able to store ‘important’ data within Chinese borders and can only transfer data abroad after receiving approval.

For businesses that fall within these circumstances, there is a need to store sensitive personal information of Chinese citizens within China. Outside of these circumstances, companies only need to comply with specific cross-border data transfer requirements and do not need to store data locally.

The process for a corporation to ascertain if any data it processes would be subject to China’s data localization regulations is shown in detail in the flowchart below.

Data localization requirements

In context, here are specific data localization requirements for entities using Chinese citizens’ personal information.

China Data Localization Requirements For CII Operators

  • Must store sensitive personal information and ‘important’ data within China
  • Data can be transferred if it passes the Cyberspace Administration of China (CAC) security assessment

China Data Localization Requirements For Non-CII Operators

  • No general data localization requirement on processed important data
  • Must also store personal data of Chinese citizens in China if a threshold is reached (see PIPL Article 40)

Cross-Border Data Transfer Requirements

Requirements For CII Operators

  • Must undergo security assessment according to the process specified by CAC
  • Cross-border transfer requires consent from the data subjects
  • Internal risk assessment before transfer

Requirements For Non-CII Operators

  • Requires separate notice and consent from the data subjects for cross-border data transfer
  • Internal risk assessment before the data transfer
  • Depends on the type of business, categories, and amount of processed data
  • Need to pass a CAC security assessment (PIPL Article 38)

9 Steps to Localize or Transfer Data in China

The process of data localization in China can be tedious if you do not understand the steps to take. Therefore, let’s look at a step-by-step approach to localizing your data in China.

Step 1 – Check if data localization laws apply to business and whether data is transferred overseas

First, check if China data localization laws apply to your business. Data operators must also determine the processes by which their data is being transferred overseas. Understanding this will help business owners know if they need to consider other data transfer and localization requirements.

Step 2 – Evaluate the type of data operator

Now that you’ve determined that data localization laws apply to your business, the next step is to check which data localization circumstances your business falls under. For example, businesses that handle personal information will fall in the category of personal information handlers.

CII operators and personal information handlers handling personal information reaching quantities specified by the CAC (see PIPL Article 40) can only transfer data across borders after obtaining security assessment and approval.

Step 3 – Consider the type of data to be transferred

For ‘general’ data controllers that do not fall under the category of CII operators, it is essential to determine the type of data to be transferred. China data laws specify some data types – personal information and ‘important’ data.

Data controllers that collect sensitive personal information beyond a specific threshold must undergo a security assessment, as CII operators do. In addition, based on its sensitivity and importance to national security and public interest, data specified as ‘important data’ will also require a security assessment before it can be transferred.

Step 4 – Check if a CAC assessment is required

Depending on the type of data processed and the category of business in operation, a CAC assessment may be needed for cross-border data transfers. A security assessment from the CAC makes it possible for certain entities to transfer data overseas.

The CAC will check the legitimacy, legality, scope, and necessity of purpose, as well as the scope and method of data transfer. In addition, the CAC will assess if the scope of transfer meets the required level of data protection needed for the PIPL.

Step 5 – Ascertain if a cybersecurity review is needed

In cases where the data processing activities of a data controller pose a potential national security threat, regulatory authorities have the right to conduct an audit and review the operations of such entities.

The Cybersecurity Review Measures (CRM) mandate additional reviews in such cases and may even prohibit cross-border data transfer.

Step 6 – Check if an exception applies

If a company, so far, has passed all the requirements in the preceding steps, then it is very probable that data localization laws do not apply to such businesses. First, however, it is essential to check if your business is an exception to the cross-border transfer restrictions of the PIPL.

For instance, the law makes an exception in cases where data transfer is based on concluding a contract. In this case, the data subject does not need to comply with the transfer requirements of Article 38 of the PIPL.

There is also an exception if the cross-border transfer of sensitive personal data is needed to protect or save the lives of individuals or secure their property.

Step 7 – Select the best transfer mechanism

For data controllers that do not fall within any of the categories mentioned above, it is essential to select the best transfer mechanism under China’s data residency laws. The following are conditions required for the transfer of data:

  • Security assessment by the CAC
  • Getting a third-party certification from the appropriate government authority
  • Using a standard contractual clause (SCC) issued by the CAC
  • Third-party data recipients must meet the required standards of data protection
  • Data controllers must obtain separate consent from data subjects

Step 8 – Find out if an international treaty or agreement is applicable

Although China has not entered into a trade treaty, there are ongoing plans to join regional trade agreements. As a result, businesses can take advantage of this progress.

According to the PIPL, ‘general’ data controllers exempt from undergoing a security evaluation may also cite a treaty or agreement that China has ratified as the legal foundation for data transfer. These agreements will probably be in the form of treaties devoted to data flows or data security.

Step 9 – Obligations for entrusted third-party data processors

According to PIPL, data controllers may delegate some processing tasks to reliable third parties. However, the processing agreement must outline the objectives and procedures for processing, the categories of personal data handled, the parties’ rights and obligations, and any later processing agreements between the entrusted party and another organization.

All cross-border transfers to entrusted parties require data controllers to complete a risk assessment. If a security assessment is necessary, they must disclose the results to the CAC.

China Data Residency – InCountry Experience

Multinational corporations and businesses can comply with these requirements without losing their market ground or incurring fines and penalties. Using Data Residency-as-a-Service solution providers will make it easier for companies to comply with China localization requirements.

InCountry offers data residency and localization solutions that help organizations resolve data residency compliance problems without interfering with daily operations. As a result, companies no longer have to be concerned about breaking data rules while continuing their global operations and expansion.

InCountry for Salesforce Cross-Border maintains global reporting across Salesforce orgs, Hyperforce orgs, and Salesforce on Alibaba Cloud. With InCountry, records from local and regional orgs are copied in real-time to a global org with regulated fields fully anonymized.

This IBM Consulting case study is an excellent example of how InCountry made it possible for a large global luxury retailer to comply with China’s data localization laws. InCountry’s Data Residency-as-a-Service solution, in collaboration with IBM Consulting’s planning and management services, enabled the retailer to meet the regional regulations. The solution combines a secure gateway for data transmission, local storage, and data processing capabilities.

Companies can safely keep and process regulated data within the country of origin thanks to InCountry’s data residency-as-a-service solution. If you wish to use the many advantageous features of InCountry’s platform effortlessly to maintain compliance with your business operations in China, get in touch with our specialists.