China’s Cybersecurity Law: Data Localization and Cross-Border Data Transfers

By now, most people doing business in the People’s Republic of China have become aware of China’s recently enacted Cyber Security Law (In Chinese: 中华人民共和国网络安全法) (“CSL”).  The main aim of the CSL, which came into force last year on 1 June 2017, is to improve national cybersecurity, and to protect Chinese citizens and organizations from cyber-attacks and data theft.  Despite the CSL’s good intentions, however, when the law was promulgated many observers expressed concerns that its provisions were too broadly drafted, and therefore it was unclear in what way and to what extent they would apply to companies with business interests in China.  This was particularly the case with the provisions related to data localization and cross-border data transfers, a key aspect of the CSL.

In an attempt to address those concerns, the Cyberspace Administration of China (“CAC”), the Chinese government agency in charge of enforcing the CSL, released a series of drafts of supporting regulations that flesh out in greater detail, and facilitate the interpretation and implementation of, specific aspects of the CSL.  The drafts of the regulations were circulated by the CAC for public comment last year, but have not yet been officially enacted.

Main Entities Regulated Under CSL and Data Localization Requirements

Key Information Infrastructure Operators (“KII Operators”) and Network Operators are the main two entities regulated under the CSL.  According to Article 37 of the CSL, “personal information” and “important data” (definitions detailed below) collected and generated by entities designated as KII Operators must be stored domestically within China.  “Where it is really necessary to provide such information and data to overseas parties due to business requirements”, the Article further stipulates, “a security assessment shall be conducted in accordance with the measures formulated by the [CAC] in concert with the relevant departments under the State Council”.  This article essentially means that KII Operators may be obliged to use servers in China and to keep their Chinese data separate from their global databases.

Article 31 of the CSL defines key information infrastructure as “infrastructure that, in the event of damage, loss of function, or data leakage, might seriously endanger national security, national economy or the livelihoods of the people, or the public interest”.  The article also provides examples of KII industries and fields, including public communications, information services, energy, transportation, water utilities, finance, public services, and e-government affairs.  According to this definition, some examples of the types of companies that may be considered KII Operators include China’s state-owned banks, telecommunications companies and energy companies.

Article 18 of the draft Regulation for Protection of Critical Information Infrastructure (For Public Comment) (In Chinese: 关键信息基础设施安全保护条例 (征求意见稿)) (“Draft Regulation”), released by the CAC on 11 July 2017, further expands and clarifies the scope of entities that can be considered KII Operators to include, for example, entities in sectors such as science and technology for national defense, large-scale equipment manufacturing, chemical engineering, and food and drugs, among others.  However, whether companies operating in one of the abovementioned sectors will be considered KII Operators remains unclear.  It is expected that further decisions and guidance will clarify exactly what KII is and the types of organizations that are deemed KII Operators.

To provide further clarification on the requirements set out in the CSL for data localization and cross-border data transfers, on 11 April 2017 the CAC released the first draft of the Measures for Security Assessment of Cross-Border Data Transfer of Personal Information and Important Data (For Public Comment) (In Chinese: 个人信息和重要数据出境安全评估办法 (征求意见稿)) (“Draft Measures”).  While this supporting regulation has been useful in some respects in providing more clarity, the requirement to store data domestically in China under Article 37 of the CSL was expanded under Article 2 of the first draft of the Draft Measures to include both KII Operators and Network Operators, adding an extra layer of uncertainty regarding which entities are required to store data domestically in China.

According to Article 76(3) of the CSL, Network Operators refer to “owners, administrators of the network and network service providers”.  This definition appears to encompass almost any company or individual collecting information in China via a network (including the internet).  This led to significant backlash from both foreign and domestic companies with business interests in China.  As a result, the CAC removed the reference to data localization requirements for Network Operators in a second, revised draft of the Draft Measures.  This suggests that only KII Operators would be required to localize their data in China (in line with Article 37 of the CSL). However, under the second draft of the Draft Measures, Network Operators are still required to conduct a security assessment prior to transferring data overseas (detailed below).  In this second draft, the CAC also moved the effective compliance date from 1 June 2017 (the same as the CSL) to 31 December 2018 to provide companies with a grace period of 18 months to comply with the new rules.  According to other industry sources, in August 2017 the CAC apparently made some further small changes in a third draft, but this has not yet been released to the general public.  The third draft will therefore not be referred to for the purpose of this article.

Personal Information and Important Data

According to Article 76(5) of the CSL, “Personal information refers to all kinds of information recorded by electronic or other means that can, independently or in combination with other information, identify natural persons’ personal information, including but not limited to, natural persons’ name, dates of birth, ID numbers, personal biological identification information, addresses, and telephone numbers etc.”  Article 15 of the second draft of the Draft Measures expands this definition slightly to include correspondence and communication contact information, account numbers and passwords, property status, and location and activity information.

The CSL does not define important data.  The Draft Measures, however, does.  According to Article 15 of the second draft of the Draft Measures, “Important data refers to data closely related to national security, economic development and societal and public interests”.  An updated, second draft of the Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (For Public Comment) (In Chinese: 信息安全技术 – 数据出境安全评估指南 (征求意见稿)) (“Draft Guidelines”), an important guiding document which supplements the Draft Measures,provides a more specific definition of important data, as well as comprehensive examples of important data in 27 industries and sectors.

Security Assessment for Cross-Border Data Transfers

Article 6 of the second draft of the Draft Measures requires Network Operators to “conduct security assessments of cross-border data transfers according to the types, amount and importance of the cross-border data transfer”.  Under the second draft of the Draft Measures, and set out specifically in section 4 of the Draft Guidelines, there are two types of security assessments: (1) self-assessments; and (2) assessments carried out by the competent industry regulator or regulatory authority.  Article 8 of the second draft of the Draft Measures requires Network Operators to conduct a self-assessment before transferring data overseas to determine:

  1. The legality, legitimacy and necessity of the transfer;
  2. The quantity, scope, type, and level of sensitivity of the personal information to be transferred, and whether data subjects have consented to such transfers;
  3. The quantity, scope, type, and level of sensitivity of the important data to be transferred;
  4. The security capabilities, measures and environment of the data recipient;
  5. The risk of data leakage, damage, falsification or misuse of data after the transfer overseas and subsequent re-transfer; and
  6. The possible risks to national security, public interests, and individual rights.

According to section 4.2.6 of the Draft Guidelines, Network Operators are required to prepare a report following the completion of the self-assessment, and this should be retained for at least two years.

Under Article 7 of the second draft of the Draft Measures, a security assessment must be conducted by the relevant regulatory authority where the transfer involves:

  1. Data containing or accumulatively containing personal information of more than 500,000 individuals;
  2. Data related to nuclear facilities, chemical biology, national defense or military, population and healthcare etc.;
  3. Data related to large-scale engineering activities, the marine environment, sensitive geographical information;
  4. Data related to the cybersecurity information of key information infrastructure, such as system vulnerabilities and security protection measures;
  5. Other factors that may potentially affect China’s national security, and public interests.

It’s worth nothing that two criteria for the security assessment needing to be conducted by an industry regulator/regulatory authority were removed from the first draft of the Draft Measures: (1) data transfers exceeding 1,000GB; and (2) transfers involving the provision of personal information and important data to overseas recipients from KII Operators.


Failure to comply with the CSL can result in harsh penalties for both violating companies and the directly responsible manager(s) or person(s) in charge.  Legal liabilities are specified in Article 59 through to Article 75 of the CSL.  For Network Operators, fines range from RMB 10,000 to 500,000, and for the directly responsible manager(s) or person(s) in charge, from RMB 5,000 and 100,000, depending on the article breached.  KII Operators, however, are subject to harsher penalties, and can be fined between RMB 50,000 and 1,000,000, and the directly responsible manager(s) or person(s) in charge, between RMB 10,000 and 100,000, depending on the article breached.  Additionally, penalties for all entities regulated under the CSL may also include the suspension of business operations, having the relevant business licenses or permits revoked, and potentially even being detained and serving a period of detention.

Concluding Remarks

While the CSL has already come into force, the Draft Measures, the Draft Guidelines and the Draft Regulation are still in draft form and haven’t yet been officially enacted.  With respect to the Draft Measures, while the second draft is the most up to date version available publically, and while reference has been made to a third draft by other industry sources, it is possible that there is an even more recent version which has not yet been released to the public.  As a result, there will still be uncertainty with regards to data localization and cross-border data transfers until the Draft Measures, the Draft Guidelines and the Draft Regulation are finalized.  It is expected that they will be finalized soon, and therefore both foreign and domestic Chinese companies should keep up to date with these legislative developments and prepare themselves for compliance with the new rules.