News Archives

Friday, April 28, 2017

China Plans Expansion of Data Localization, Security Review Requirements

On April 11, the Cyberspace Administration of China issued draft rules, entitled the Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country, designed to guide the implementation of the country’s Cybersecurity Law, slated to come into effect on June 1.  Whereas previously requirements for data localization appeared to be restricted to “key information infrastructure operators,” the proposed measures expand their scope to all “network operators.”  Insofar as “network operators” are defined as “those entities that own or administer a network, and to network service providers,” this would appear to impose data residency requirements on all technology/online companies, along with any company that uses its own IT networks or infrastructure.  Having a website directed to Chinese users might be sufficient to qualify an organization as a “network operator.” 

A second major problem for multi-nationals operating in China lies is the requirement in both the Cybersecurity Law and the Measures that a security assessment be conducted before personal data is transferred out of the country.  This assessment can be conducted internally, unless one of a number of conditions exist, such as with data transfers that involve more than 500,000 individuals or more than one terabyte of data; that relate to critical and sensitive facilities or infrastructure; or that impact the country’s national security or public interest.  Should one of these conditions apply, the security assessment would need to be carried out by an industry regulator. 

The draft measures, issued for public comment until May 11, contain many ambiguous terms and are subject to revision as a result of the public consultation.  Hogan Lovells has prepared a detailed analysis of the measures, available here, while an English translation released by Hunton & Williams may be found here.  The high-level brevity of the measures, considering their potentially profound impact upon businesses operating in China, is striking.

No comments:

Post a Comment