China: Data localisation requirements
The questions of when data transfers may be made from China to third countries, and which data localisation requirements will apply, are undeniably complex and thorny issues, with many separate laws and recommendations addressed to different entities and at different stages in the legislative process. Dehao Zhang, Senior Associate at Fieldfisher, addresses this topic and breaks down how businesses can best understand their obligations under a developing legal framework.
On 13 June 2019, the Cyberspace Administration of China ('CAC') published new guidance for data transfers outbound from China - the Measures for the Assessment of Outbound Security of Personal Information (Draft for Comments) - which mandates the process whereby network operators assess the security of personal information transfers, creating waves throughout the Chinese privacy and data protection community.
Data localisation is a very important topic in Chinese data protection, and for many businesses the data localisation requirements create much confusion: the requirements are complicated, and many different provisions address the matter. For a long time, mainland China has been regarded as a jurisdiction which mandatorily requires businesses to store their data (including personal data) in China and prohibits all data (both personal and non-personal) from being transferred to third countries. This, however, is a misunderstanding of Chinese laws and regulations, and in this piece we clarify the requirements of data localisation in China.
The framework of the data localisation provisions
In general, China does not prohibit all data from being transferred outside of its territory. The data localisation provisions can be divided into two parts: general requirements and special (sector-specific) data localisation provisions.
General data localisation requirements can be found in:
- Article 37 of the Cybersecurity Law of the People's Republic of China ('CSL'), which requires critical information infrastructure operators ('CIIOs') to store personal information and important data generated from critical information infrastructures in China;
- the Draft Data Security Law of the People's Republic of China ('the Draft Data Security Law'), which was reviewed by the National People's Congress of the People's Republic of China ('NPC');
- the Measures for the Assessment of Outbound Security of Personal information and Important Data (Draft for Comments) of 11 April 2017 ('the Old Measures'), which are not currently effective;
- the Measures for the Assessment of Outbound Security of Personal Information (Draft for Comments) of 13 June 2019 ('the New Measures'), which are also not currently in effect; and
- the Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments) ('the Draft Guidelines') of 25 August 2017, also not effective.
Special data localisation provisions can be found in:
- Article 48 of the Law of the People's Republic of China on Guarding State Secrets (2010 Revision), which provides that if the data is related to state secrets of China, such data is prohibited from being transferred to third countries and must be stored exclusively in China;
- Article 6 of the Notice by the People's Bank of China Regarding the Effective Protection of Personal Financial Information by Banking Institutions, which provides that personal financial information collected in China shall be stored, processed, or analysed in China; except when otherwise required by other laws and regulations, banking financial institutions shall not transfer domestic personal financial information outside of China;
- Article 24 of the Regulation on the Administration of Credit Investigation Industry, which states that information collected by credit investigation organisations shall be stored in China; if such an organisation needs to transfer personal information outside of China, it shall comply with the relevant requirements of laws and regulations;
- Article 10 of the Measures for the Administration of Population Health Information (for Trial Implementation) provides that population health information is prohibited from being stored in servers located outside of China;
- Article 27 of the Interim Measures for the Administration of the Business Activities of Online Lending Information Intermediary Institutions, which states that the information of lenders and borrowers collected in China shall be stored in China; except when otherwise required by other laws and regulations, the online platform should not transfer the information of the lenders and borrowers outside of China;
- Article 34 of the Regulation for the Administration of the Map ('the Regulation for Map Administration') states that internet map service organisations shall set up a server for storing map data within the territory of the People's Republic of China, and build up an internet map data security management system and safeguards;
- Article 27 of the Interim Measures for the Administration of Online Taxi Booking Business Operations and Services, which provides that online taxi platform companies should comply with the relevant national network and information security provisions; that is, the personal information and business data should be stored and used in mainland China, shall not be transferred outside of China, and should be retained for two years, except when otherwise required by other laws and regulations; and
- Article 4 (13) of the Guiding Opinions of Encouraging and Regulating the Development of Internet Bicycle Rental provides that the server of internet bicycle rental operators shall be located in China, and the personal information and business data should be stored and used in mainland China.
Who will have the obligation of data localisation?
The responsibility for storing personal or non-personal data in China will always be a relevant issue, especially for businesses.
In general, apart from the sector-specific rules above, the data localisation requirements only apply to CIIOs. Under Article 31 of the CSL, multi-level cybersecurity protection is required for CIIOs, that is, operators of critical information infrastructure whose destruction, loss of function, or data breach would result in serious damage to state security, the national economy, people's livelihood, and the public interest; the focus is on important industries and fields such as public communications and information services, energy, transport, water conservancy, finance, public services, and e-government affairs.
Based on the Notice on Matters Related to the Safety Protection of Critical Information Infrastructure, the crucial networks and systems of telecommunications, radio and television, energy, finance, transportation, railways, civil aviation, postal services, water conservancy, emergency management, healthcare, social security, and the national defence technology industry will be deemed CIIs, and their operators therefore CIIOs.
Does the data localisation obligation expand to all the network operators?
Article 2 of the Old Measures expands the data localisation obligation to all network operators. However, the Old Measures had not become effective by the close of the comment period, which created confusion for network operators about their legal obligations regarding data localisation and data transfers.
On 13 June 2019, the CAC released the New Measures, which differ from the Old Measures in that they do not directly require network operators to store personal information in China, instead only requiring that network operators conduct a security assessment if they need to transfer personal data outside of China. If the data transfer may affect or result in damage to national security or the public interest, or may make it harder to protect the security of personal data during the transfer, such personal data should not be transferred beyond China. However, it may be supposed that if a data transfer is liable to affect or damage national security or the public interest, then that data may be controlled by a CIIO, which will already be subject to the pre-existing data localisation obligation under Article 37 of the CSL. It seems then that the New Measures are more consistent with the CSL. Nevertheless, it is important to note that the New Measures are also not in effect.
For the special rules of data localisation, these rules have clear requirements addressed to the specific organisations who should be responsible for data localisation. As such, the following discussion relates exclusively to the general requirements.
What kind of data is the object of data localisation?
While the question of what kinds of data are subject to data localisation is straightforward in relation to the special data localisation provisions, with the general requirements it is a very different story. Under Article 37 of the CSL, CIIOs shall store personal information and important data generated from the critical information infrastructure in China. Personal information and important data are therefore the object of data localisation.
'Personal information' means all kinds of information recorded in electronic or other forms which can be used, independently or in combination with other information, to identify a natural person, including but not limited to the natural person's name, date of birth, identity certificate number, biometric personal information, address, and telephone number.
The definition of 'important data', however, is not clear under the mandatory and effective laws and regulations. No laws or regulations give any definition of important data, which creates uncertainty for businesses. If any data can be regarded as important data, it seems that the network operator who controls such data may potentially be deemed a CIIO and become subject to the obligations that this entails.
The Information Security Technology Guidelines for Data Cross-Border Transfer Security Assessment (Draft for Comments) ('the Draft Guidelines') of 25 August 2017 define 'important data' as data which is not relevant to national secrecy but is closely related to national security, economic development, and the public interest, including both original data and data derived from it. Appendix A of the Draft Guidelines sets out 27 categories of industries and fields, attempting to be consistent with the requirements for critical information infrastructure under the CSL. However, the Draft Guidelines are not effective, and even if they come into effect, they will remain a nationally recommended standard rather than a mandatory requirement.
According to Article 19 of the Draft Data Security Law, each local government and sector shall define a directory of important data and provide a higher level of protection to that important data. However, it does not directly require the identification of the important data itself.
How to comply with the obligation of data localisation in China?
There are different opinions on how to store data in China. However, things seem to be resolved in practice. The different approaches can be thought of as follows:
- any data centre is built in mainland China;
- the servers or other storage media in which the data is kept are located in mainland China, as with the Regulation for Map Administration, which requires that the server be located inside China; or
- the cloud server is located in mainland China, as iCloud does by using a server located in Guizhou Province.
The data stored in China shall be the original data and, if there is a business need, the organisation may only provide copies of the data to third countries outside of China after passing a security assessment. Since the law does not directly require this, there are different opinions on the matter, but in practice most organisations will choose to store the original data in China.
Some local governments, such as those of Ningxia and Guizhou, are trying to develop a big data industry and will provide policies to support businesses in storing data in China.
Could the outbound data transfers be made after data localisation?
Data localisation is different from data transmission, but the two procedures are closely related.
Under Article 37 of the CSL, if it is indeed necessary to provide such information and data overseas due to business needs, a security assessment shall be conducted in accordance with the measures developed by the Cyberspace Administration of China in conjunction with the relevant departments of the State Council, unless it is otherwise prescribed by any law or administrative regulation.
Under the CSL, the data can be transferred outside of China if the result of the security assessment is positive. For some of the specific rules on data localisation however, data transfers are prohibited, such as where the data is related to state secrets.
There is, however, a question that remains: how to conduct a security assessment of data transfers? The answer to this question is still not clear at this time. The CSL creates the requirement but provides no guidelines, while the New Measures set out detailed steps for conducting the security assessment but are not in effect. On this point, most data specialists are still waiting for the Draft Data Security Law, which is under review by the NPC.
Under Article 22 of the Draft Data Security Law, when data processing activities may affect national security, the government must conduct a national security review of those activities. This may be understood as including data transferred outside of China; however, it is not clear whether this is the same mechanism as the security assessment discussed above, which looks to national security, whereas an assessment made under the Draft Data Security Law would be from a data transfer perspective.
Under Article 23 of the Draft Data Security Law, China may establish export controls for data within the scope of its control list, although we are not clear on this point as this is a new term in data security.
Furthermore, under Article 24 of the Draft Data Security Law, China will adopt similar limitation or prohibition measures against countries that limit or prohibit China from using or developing data in the areas of investment and/or commercial trade. This is a new term which may affect data processing activities, including data transfers to specific countries.
Another question on data transfers is raised by a provision of the Draft Data Security Law, which requires that if other countries' data protection authorities need data to carry out their enforcement powers, the relevant organisation or individuals shall report this to the competent authorities and may only provide the requested data subject to their approval.
China does not require all network operators to comply with the data localisation provisions, and does not prohibit all data from being transferred outside of China. Currently, CIIOs in China should be mindful to store their data in China, including personal data and important data generated from their important networks and systems. Most organisations that are not CIIOs may consider how best to conduct a security assessment when the need arises to transfer data outside of China; this, however, is also a problem for legislators and the CAC, and may be subject to the new data laws (e.g. the Draft Data Security Law and the draft personal information protection law) and regulations, the status of which should be carefully monitored.
Dehao Zhang, Senior Associate