The localization of data is an important topic in Chinese data protection. The requirements are quite complex, as many different provisions deal with the subject, and so for many businesses the data protection requirements in China cause a lot of confusion.
The legislation consists of many separate laws and recommendations that address different entities and are at different stages of the legislative process. For a long time, the People’s Republic of China has been considered a jurisdiction that mandates businesses to store their data in China and prohibits all data from being transferred to third countries.
This, however, is now an incorrect interpretation of Chinese law. The Chinese market provides an incredible opportunity for global companies, and in the following blog post we explain how to comply with data regulations and operate safely in China.
The framework for data protection in China
*The People’s Republic of China passed the Personal Information Protection Law (PIPL) in 2021, although other rules related to the protection of personal data and the security of data are still on the books, making some matters of data security law in China layered and quite complex.
The first national-level law to address cybersecurity and data privacy protection was the Cybersecurity Law of the PRC, which came into effect on June 1, 2017. Since then, numerous implementing regulations and guidelines have been proposed, released, or revised to elaborate the essentials and ideas introduced under the China Cybersecurity Law.
*Update as per August 2021: on August 20, China’s Personal Information Law has formally passed into law. Please read our article on this topic here.
Among them are:
- Guidelines on Internet Personal Information Security Protection, effective from April 19, 2019;
- National Standard of Information Security Technology – Personal Information Security Specification, effective from May 1, 2018 (a revised draft is currently circulated for consultation);
- Draft National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment, released on June 11, 2018;
- National Standard of Information Security Technology – Guideline for Personal Information Protection inside Information System for Public and Commercial Services, effective from February 1, 2013;
- The Decision on Strengthening Online Information Protection, effective from December 28, 2012.
General data localization requirements can also be found in:
- Article 37 of the Cybersecurity Law of People’s Republic of China (‘CSL’), which requires critical information infrastructure operators (‘CIIOs’) to store personal information and important data generated from critical information infrastructures in China;
- Draft Data Security Law of People’s Republic of China (‘the Draft Data Security Law’), which was revised by the National People’s Congress of the People’s Republic of China.
China personal data protection law 2020
The draft of China’s Personal Information Protection Law was unveiled for public consultation on Oct. 21, 2020. On close reading of the proposed law, it is clear that many provisions are inspired by the EU General Data Protection Regulation, as the China data security law bears a strong resemblance to the GDPR in many regards.
Before the new law on personally identifiable data was introduced, sensitive data such as birth date, address, phone number and credit card history was not rigorously controlled. With the new data security law in China, that is no longer the case.
Once the data security law was introduced, all international businesses operating in China became subject to the law’s jurisdiction – if they are collecting personal data of Chinese citizens.
The draft Personal Information Protection Law includes 70 articles and substantial fines. Evidently, once the law comes into effect, it will have a substantial impact on businesses that plan to operate in China or plan to take advantage of the Chinese market – even if they are not physically present in the region.
Extraterritorial application of the law
What are the extraterritorial applications of the Personal Information Protection Law of China? Unlike preceding versions of China’s data security law, the draft law covers the processing of personal data of individuals in China regardless of their nationality.
For example, the China Cyber Security Law provides only limited extraterritorial application, while the draft Personal Information Protection Law proposes clear and specific extraterritorial application to overseas entities and individuals. The law applies if they process the personal data of data subjects in China:
- to provide products and/or services in China to data subjects;
- to analyze or assess the behavior of data subjects in China;
- in other circumstances provided for by Chinese laws and regulations.
Such entities are subject to security assessments that can be conducted by the Chinese regulators. Data localization is a requirement for all processors of personal data whose processing volume exceeds a certain limit. The Cyberspace Administration of China will set the numerical threshold once the proposed law is promulgated.
Although it is unclear how China will or is able to punish extra-territorial violations of the law, it does have a variety of economic and political options available to it — including fines and sanctioning those who violate the law.
Who is subject to the law?
Naturally, a primary concern of an international organization conducting business in China is whether it will be governed by Chinese law. Of particular note is whether the new Chinese law allows important data to go abroad, or what rule is in place to limit that.
According to Article 25 of the Personal Information Protection Law, any organization or individual that conducts data activities will be required to maintain data security. Given the broad language of the law, if a business obtains and/or uses consumer data, or that of Chinese citizens, or of Chinese organizations, then the Chinese government will consider the law to apply.
Are outbound data transfers allowed after data localization?
Data transmission is different from data localization in China, but the two processes are closely linked.
According to Article 37 of the Chinese Cyber Security Law, if business purposes require sharing protected data with foreign entities, a security assessment should be conducted in accordance with the measures developed by the Cyberspace Administration of China in conjunction with the relevant departments of the State Council, unless otherwise prescribed by any law or administrative regulation.
Upon positive security assessment, the data can be transferred outside of China. However, for certain regulations on data localization, data transfers are prohibited, for instance when the data pertains to state secrets.
Security assessment – the procedure
Procedures for security assessment remain very unclear. The Cyber Security Law imposes this requirement but does not provide any guidelines, while the New Measures provide detailed guidelines on how to conduct a security assessment but have not yet come into effect.
Most data specialists are still waiting for the Draft Data Security Law, which is under review by the NPC.
Article 22 of the Draft Data Security Law makes it necessary for the government to conduct a national security review of the data processing activities if the processing activities may impact national security.
It is possible to interpret this as referring to data transferred outside of China, but it is unclear whether this is the same mechanism as the security assessment above, which looks at national security, whereas an assessment made under the Draft Data Security Law looks at data transferred internationally.
China may control the export of data contained in its control list under Article 23 of the Draft Data Security Law, although this is a new concept in data security.
Furthermore, under Article 24 of the Draft Data Security Law, China will adopt similar limitations or prohibitions towards countries that limit or restrict the use of Chinese data for investment or commercial trade.
Data transfers also raise another question, evident from the Draft Data Security Law, which requires that if foreign countries’ data protection authorities need data to fulfil their enforcement powers, the relevant organisations and individuals must notify the competent authorities and may only notify the data subject.
How to comply with the data protection laws in China – InCountry’s approach
A variety of opinions exist on how to store data in China and comply with the Chinese data security law. Partnering with InCountry is the fastest way to comply with data residency regulations and unlock new territories – such as the People’s Republic of China. We allow businesses to localize data without repeatedly building their full stack.
Transform your applications with InCountry to enable compliance and security, while still utilizing the cloud. Map out your controls and strengthen your compliance process.