CS Anuj MalikThere are various laws in China which put restrictions on cross-border data transfer. Cyber Security Law of the People’s Republic of China (CSL) and Personal Information Protection Law of the People’s Republic of China (PIPL) are the main laws which mandate to store personal and critical information within the territory China.

    1. Requirement of data localization under the laws:-
      1. Personal Information Protection Law of the People’s Republic of China:
        Article 40: Critical information infrastructure operators and the personal information processors that process personal information (of more than 1 million people) up to the amount prescribed by the national cyberspace department shall store domestically the personal information collected and generated within the territory of the People’s Republic of China. Where it is truly necessary to provide the information for a party outside the territory of the People’s Republic of China, the matter shall be subjected to security assessment organized by the national cyberspace department. Where laws, administrative regulations, or the provisions issued by the national cyberspace department provide that security assessment is not necessary, such provisions shall prevail.
      2. Cyber Security Law of the People’s Republic of China:
        Article 37: Critical information infrastructure operators shall store personal information and important data gathered and produced during operations within the territory of the People’s Republic of China. Where it is really necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council.
        Where the laws and administration regulations have other provisions, those provisions shall prevail.
        Note: – There are some sectoral laws prohibiting banks, credit investigation agencies, security companies, medical and healthcare centers, online taxi booking platforms, Internet map service providers etc. to transfer/share their data outside China.
    2. Exception/exemption:- Data collected in China may be transferred/shared overseas by conducting data export security assessment as prescribed under Measures for Data Export Security Assessment read with Guidelines for Data Export Security Assessment Declaration. To transfer/share data overseas, data processor needs to apply to the Central Cyber Security Affairs Commission for data export security assessment and once the assessment is done with positive evaluation result approval is granted. Validity of the approval of data export security assessment is 2 years.
    3. Definitions:-“Personal information processor” refers to any organization or individual that independently determines the purpose and method of processing in their activities of processing of personal information.

      “Critical information infrastructure” is defined as “important network facilities and information systems” in the areas of public communication and information services, energy, transport, water conservation, finance, public services, e-government, national defense, and science and technology, as well as industries in which any damage, loss of function or data leakage may seriously endanger national security, the national economy and people’s livelihoods, or the public interest.

      “Personal information” refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. Processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.

      “Important data” refers to data that may endanger national security, economic operation, social stability, public health and safety, etc. if it is tampered with, destroyed, leaked or illegally obtained or used.

    4. Conclusion: – All domestic or foreign companies (Critical information infrastructure operator and personal information processor of a category discussed in point No. 1) shall set up a server in China to collect and store personal information and data of the critical nature.
      MNCs should first identify their exposure under the Law to see whether or not they qualify for “critical information infrastructure operators” or “personal information processors that process personal information of more than 1 million people”.

Disclaimer: This is an effort by Lexcomply.com to contribute towards improving compliance management regime. User is advised not to construe this service as legal opinion and is advisable to take a view of subject experts.


Leave a Reply

Your email address will not be published. Required fields are marked *