On June 1, 2017, China's new Cyber Security Law will come into effect. This law moves China one step closer to requiring that at least some internet companies and other data handlers keep their users' personal data within China's borders. Other new laws, still under debate, would expand that requirement to all companies.

The Cyber Security Law

The Cyber Security Law requires that "key information infrastructure operators" store in China any personal information produced during operations in China. However, this is not an absolute requirement. The Cyber Security Law provides that where it is "really necessary" to provide such data to overseas parties due to "business requirements", the company must undertake a security assessment in accordance with rules to be issued by China's Cyberspace Administration ("CAC").

What is Key Information Infrastructure?

Key information infrastructure is defined broadly as infrastructure that will, in the event of destruction, loss of function or data leak, result in serious damage to national security, the national economy and people's livelihoods, or the public interest. Specific reference is made to sectors such as public communication and information services, energy, transportation, water resources, finance, public services and e-government, but no further details have been given on how to determine whether a specific company may fit into any of these categories.

It doesn't stop at Key Information Infrastructure

China also just issued new Draft Measures on the Security Assessment of Outbound Transmission of Personal Information and Critical Data. These measures are not yet law, but if implemented in their current form would expand the data localization requirements to ALL internet companies operating in China. 

To re-state that, these Draft Measures would prohibit any "network operator" from transferring any personal data outside of China. Just like in the Cyber Security Law though, an overseas data transfer might be possible if the company undertakes a "security assessment" subject to genuine business needs.

However, even with the possibility of some overseas data transfers following a security assessment, the rule proposed in the Draft Measures would be a significant expansion of current law, and create numerous operational difficulties for both foreign companies and China's own home-grown multinationals. As a result, the efficacy and reasonableness of this requirement are still being debated.

So what is a Security Assessment?

Neither the Cyber Security Law nor the new Draft Measures identify any specific procedures or requirements for a security assessment. What we do know is that in some cases, a company will be able to conduct the security assessment on its own, and in other cases the security assessment will be done by the government. The Draft Measures suggest some rules for determining when that is the case.

Specifically, the Draft Measures propose that a security assessment must be done by the government and not by the company when the personal information being transferred (1) contains information on more than 500,000 people; or (2) has a data size of more than 1000 GB. 

This volume-based definition is interesting, as it would capture nearly any data set derived from a service that is open to anyone, such as the large social networks, but could potentially exclude more specialized or exclusive data sets. It remains to be seen whether this is the final rule, and how such a rule would influence data gathering practices in China, for both foreign and domestic companies. 

Conclusion

As a result of these new and proposed laws, any company that collects online data in China will need to carefully review the basis and legality of any overseas data transfers, and may need to update or change its data transfer policies depending on the final form of the pending legislation.  

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.