Cross-Border Data Transfer and Data Localization Requirements in China

Andrea Tang
Author: Andrea Tang, FIP, CIPP/E, CIPM, ISO27001LA
Date Published: 6 July 2021

In 2020, China launched a global data security initiative focused on strengthening international coordination for cross-border data flow and outlining the principle of personal information protection. A large number of Chinese customers’ personal information are collected and generated within the operations of the People’s Republic of China (PRC) and transferred to other countries for storage and processing. Therefore, it can be a challenge for multinational enterprises (MNEs) to balance data subjects’ privacy rights while also providing better service. As a result, China’s National People’s Congress (NPC) and the National Committee of the Chinese People’s Political Consultative Conference (PCC) put forward suggestions on legislation addressing cross-border data transfer.1

There are 3 pain points when it comes to MNEs complying with cross-border data transfer requirements regarding the privacy of personal information and important data:

  1. The diversity of organizations increases the complexity of the transfer circumstances, which makes it difficult to determine the applicability.
  2. Decentralization requirements are scattered across multiple jurisdictions, laws, regulations and national standards and measures (including their draft versions).
  3. Inconsistency and uncertainty among these requirements make it difficult to comply with the requirements.

Moreover, the privacy legislation landscape in China has become complex with the publication of several laws, regulations and measures, including stringent requirements on the transfer of personal information that is stored within the territory of China to overseas parties to protect the privacy right of the data subjects in China. To address these pain points, it is necessary for MNEs that need to transfer personal information and important data from China to the rest of the world to have an overall understanding of the current and future legislation landscape of China in relation to cross-border data transfer and data localization and the impact of that legislation.

Laws, Regulations and Measures in China

China’s Cybersecurity Law (CSL) serves as the foundation for legal requirements on data localization and cross-border data transfer.2 China’s recently published Data Security Law (DSL) regulates specific requirements on the transfer of important data overseas and approval rules for the provision of data requested by foreign judicial and enforcement agents.3 In addition, the second draft of the Personal Information Protection Law (PIPL) contains requirements for  personal information handler’s when they transfer personal information overseas.4 Two additional measures on cross-border data transfer security assessment were published in 2017 and 2019, respectively, and they established a base framework for cross-border data transfer. The Information Security Technology Guidelines for Data Cross-Border Security Assessment further supplements the details of the drafted measures and the law, serves as the recommended standard and provides practical instructions for the compliance of cross-border data transfers.5 Figure 1 illustrates the applicable laws, regulations, guidelines and standards in China.

Figure 1—Applicable Laws, Regulations, Guidelines and Standards in China
Figure 1—Applicable Laws, Regulations, Guidelines and Standards in  China

Cybersecurity Law
The CSL took effect on 1 July 2017, and it regulates that “critical information infrastructure operators (CIIOs) shall store personal information and important data gathered and produced during operations within the territory of PRC.”6 Where it is necessary to provide such information and data to overseas parties due to business requirements, a security assessment shall be conducted in accordance with the measures formulated by the Cyberspace Administration of China (CAC) in concert with the relevant departments under the State Council of the People’s Republic of China. The law is only applicable in industries in which critical information infrastructure (CII) exists. The drafted Regulations on the Security Protection of CII further extends the scope of CIIs including entities providing cloud computing, big data and other large-scale public information network services.7

Guidelines for Data Cross-Border Security Assessment
These guidelines complement the CSL by providing more detailed definitions and instructions with regard to the cross-border transfer of personal information and important data. There are 5 significant changes from the CSL:

  • Expanded applicability scope—The security assessment carried out by network operators in accordance with authority is now also being applied to the guidance and supervision of industry directors and regulatory departments.
  • Refined cross-border data transfer scenarios—The scope of responsibility is being expanded to users when they use functions of products or services and provide personal information and important data to overseas institutions or individuals.
  • Listed specific definition of important data—Typical important data defined in different industries are listed.
  • Introduced data minimization principle—The cross-border data transfer should be directly related to function, minimum frequency and minimum quantity based on the scope.
  • Detailed key points of assessment—Some adjustments have been made. For example, necessity is not listed as an individual point. Instead, it is incorporated into legality and legitimate assessment.

Measures on Security Assessment on Cross-Border Data Transfer
There are 2 measures on security assessment on cross-border transfer published by the CAC that are still in draft form and have nonbinding legal effects: the 2017 measures for personal information and important data8 and the 2019 measures specifically for personal information.9 Both drafted measures supplement the CSL by putting forward stringent data localization requirements and providing MNEs with proposed mechanisms for security assessment and expanding applicability beyond CIIOs under the CSL to all network operators, which is broadly defined as the owner or manager of a network or a network service provider. Both the measures list key factors that should be weighed when conducting a security assessment of a cross-border data transfer (i.e., the necessity of the data transfer and the privacy consent of the data subject). However, there are some differences between the 2 measures. The 2017 measures require cross-border data transfer on the basis of “principle-allowed and exception-prohibition,” while the 2019 measures require only “approval-based” data transfers. In terms of triggering a regulatory assessment, compared with 6 limited conditions required by the 2017 measures (i.e., where the data involve personal information of more 500,000 individuals or where the data volume exceeds 1,000GB), the 2019 measures expand the conditions into all cross-border data transfer scenarios. The requirements on the roles of relevant authorities for report review have been changed from industrial administrations, supervisory authorities or CAC authorities under the 2017 measures to provincial-level cyberspace authorities in accordance with the 2019 measures. Figure 2 shows the comparison between the 2019 and 2017 measures.

Figure 2—Comparison Between Security Assessment in 2019 and 2017 Measures
Figure 2—Comparison Between Security Assessment in 2019 and 2017 Measures


Figure 3 and figure 4 illustrate the procedures of security assessment, respectively, based on the 2017 and 2019 measures.

Figure 3—Security Assessment Procedure Based on the 2017 Measures
Figure 3—Security Assessment Procedure Based on the 2017 Measures

Figure 4—Security Assessment Procedure Based on the 2019 Measures
Figure 4—Security Assessment Procedure Based on the 2019 Measures

Personal Information Protection Law (Second Draft) and Data Security Law
Although the second draft of the PIPL and the DSL do not clearly delineate the threshold of personal information of data localization, the provisions indicate positive mechanisms for cross-border data transfer and data localization requirements. These laws focus on establishing more complicated security assessment mechanisms. The following list highlights the requirements with regard to cross-border data transfer:

  • PIPL—Issued on 29 April 2021 for solicited public opinions, it lays down the safeguards on the export of personal information and the requirements on data localization. Compared with the CSL and 2 draft measures, there are 4 significant updates:
  1. Stricter data localization requirements
  2. Alternative safeguards on cross-border data transfer
  3. Mandatory requirements on risk assessment
  4. Requirements for relevant approval
  • DSL—Issued on 10 June 2021 and will take effect on 1 September 2021, it provides some high-level principles and restrictions on data security. Although the DSL first put forward requirements on export control over data pertaining to controlled items related to fulfilling international obligations and maintaining national security, it does not list specific types of data that are subject to export control. The requirements of cross-border data transfer of important data in DSL is built on the foundation of the CSL with 3 significant changes:
  1. Separated requirements of overseas transfer
  2. Updated relevant approval rules
  3. Specified penalties for violations

Finance Industry-Specific Regulations
Following the trend of foreign invested banks taking advantage of their global service connections to enhance their profitability, a large number of foreign invested banks are planning to develop within the Chinese market. However, in the light of regulatory requirements on data localization and cross-border data transfer, a highly regulated legislation system exists, on the basis of “principle-prohibited and exception-allowed.” Personal financial information collected within the territory of PRC shall be stored, processed and analyzed in China principally, subject to exceptions made by the law.10 The Financial Data Security Data Lifecycle Security Specification, which came into effect on 8 April 2021,11 regulates that level 5 data (important data that is mainly used in large financial institutions for critical business such as financial transactions that can affect national security or the rights and interests of the public if security is breached) generated in China must only be stored in mainland China and cannot be transferred or accessed outside of mainland China. Under the Chinese regulatory requirements, although financial data of levels 1 to 4 (Level 1 data refers to public data, Level 2 data refers to basic information about business, Level 3 data refers to personal financial information and Level 4 data refers to payment data) shall be stored in China principally, with the fulfilment of the necessary compliance safeguards such as consent and security assessment provided by financial institutions, then overseas access and transfer of personal information can be allowed.

On one side, “principle-prohibited” means that financial institutions are explicitly prohibited to access and process personal financial information obtained through access to the credit, payment and other systems of the People's Bank of China (PBOC), and they are prohibited to share and entrust overseas enterprises to process personal financial information. In addition to the prohibited activities, there are some types of data that are prohibited to transfer overseas: customer confidential information and regulatory reporting data required by overseas regulatory law enforcement authorities or judicial organizations on the purpose of antimoney laundering (AML) and antiterrorism financing and sanctions. On the other hand, “exception-allowed” means it is allowed when it is necessary for organizations to transfer personal financial information to overseas institutions, and 4 other conditions are required to be met, including written consent, associated institutions, agreement, or other regulatory requirements. Figure 5 highlights data localization and cross-border data transfer in China.

Figure 5—Data Localization and Cross-Border Transfer in China Highlights
Data Localization and Cross-Border Transfer in China  Highlights

Future Landscape of Legislation and Impact on MNEs

The CSL, the newly issued DSL and the upcoming PIPL are working to improve the rules of cross-border provisions of personal information and create substantial requirements for governing security management for cross-border data transfers, including penalties.The legislative authority will further improve security assessment mechanisms by providing more choices for security safeguards, including self-assessment, regulatory assessment or approval, and expand who is applicable from CIIOs to network operators, data handlers and personal information handlers. The latest publication of Financial Data Security Data Lifecycle Security Specification puts forward stricter data localization obligations in China’s financial industry, which could involve significant effort and cost if such data is not currently stored in China. In the meantime, MNEs that have business in China or have a large number of employees in China, particularly for Internet content service providers, should be prepared to invest significantly to establish local storage facilities, servers and cloud-based servers to process data locally in China. MNEs should also be aware that not all cross-border data transfer is applicable to specific requirements. For example, data have not been transferred and stored in places outside China but can be accessed and viewed by overseas institutions, organizations and individuals (except the access of public information on the Internet).

MNEs that have business in China or have a large number of employees in China, particularly for Internet content service providers, should be prepared to invest significantly to establish local storage facilities, servers and cloud-based servers to process data locally in China.

Compliance for MNEs

In light of the regulatory landscape of cross-border data transfer in China, MNEs should use these steps as a guide for compliance:

  1. Classify data that are necessary to transfer abroad—Data can be classified into personal information, sensitive personal information and important data.
  2. Establish a cross-border data transfer plan—The plan should include the purpose, scope, categories and scale of the cross-border data transfer; the information systems involved; the transit country and region (if applicable); the basic information of the data recipients and country or region; and security control measures.
  3. Determine and implement safeguards for cross-border data transferIn addition to self-assessment and regulatory assessment, the second draft of PIPL provides multiple choices for personal information and important data transfer from China to the rest of the world, such as personal information protection certification, a contract signed with data recipients and government-approval on the purpose of international judicial assistance. The following are the applicability and requirements of the self-assessment, regulatory assessment and multijurisdictional assessment:
    • Self-assessment—MNEs should conduct self-assessments when products or services provide personal information or important data to other countries. The self-assessments should cover legality, legitimacy, necessity and controllable risk assessments. MNEs should pay attention to the cross-border data transfer when involving individual investigations (e.g., due diligence and AML investigations for employees required data from a subsidiary in China to its parent company overseas).
    • Regulatory assessment—Different laws and regulations contain inconsistencies and uncertainties on when to conduct a regulatory assessment and which authorities the assessment should be declared to. MNEs should declare the data transfer to the relevant competent authorities, conduct a security assessment, including a risk assessment, to obtain relevant approval.
    • Multijurisdictional assessment—When internal investigations undertaken by MNEs involving personal information, important data or trade secrets, MNEs must conduct a multijurisdictional assessment of the proposed data transfer to meet enforced requirements.
  4. Re-establish and reassess the cross-border data transfer plan—After conducting a security assessment, if the risk is still high, MNEs should update the plan and network operators should take administrative measures including simplifying the data transfer scenarios, selecting new data recipients with higher political legal environment safeguard capabilities, or technical measures including reducing the sensitivity of data to mitigate the risk of cross-border data transfer and conduct a reassessment.

Conclusion

From the global trade perspective, the development of several initiatives indicates the trend of strengthening international coordination for cross-border data flow. An increasing number of MNEs are expanding their market to China, which means more personal information and important data are being collected and generated during operations within the PRC have to be transferred to other countries where data are stored and processed. This leads to significant compliance challenges in relation to data localization and cross-border data transfer from China to rest of the world. From the legislation perspective, the privacy landscape is changing. It is expected that China’s national legislator will improve and enrich privacy regulations on cross-border data transfer. Where it is critical to business to provide personal information and important data to overseas organizations, MNEs will likely be subject to the comprehensive mechanisms of self-assessment, contract, regulatory assessment or approval.

Endnotes

1 Information Security and Communication Confidentiality Magazine, A Comprehensive Understanding of the 2021 ‘Two Sessions’ Cybersecurity Proposal, 10 March 2021
2 Cyberspace Administration of China (CAC), Cybersecurity Law of the People's Republic of China, China, 7 November 2017
3 The Standing Committee of the National People’s Congress (NPC), Data Security Law, China, 10 June 2021
4 The Standing Committee of the National People’s Congress (NPC), Personal Information Protection Law of the People’s Republic of China (Second Draft), China, 29 April 2021
5 State Administration of Market Regulation (SAMR), Standardization Administration of China (SAC), Information Security Technology-Guidelines for Data Cross-Border Security Assessment, 25 August 2017
6 Op cit Cyberspace Administration of China
7 Cyberspace Administration of China (CAC), Regulations on the Security Protection of Critical Information Infrastructure (Draft), China, 7 November 2017
8 Cyberspace Administration of China (CAC), Administrative Measures on Security Assessment on Cross-Border Transfer of Personal Information and Important Data (Draft), China, 11 April 2017
9 Cyberspace Administration of China (CAC), Measures for Security Assessment on Cross-Border Transfer of Personal Information (Draft), China, 13 June 2019
10 People’s Bank of China (PBOC), Measures on the PBOC on the Protection of Financial Consumers' Rights and Interests, China, 14 December 2016
11 People’s Bank of China (PBOC), Financial Data Security Data Lifecycle Security Specification, China, 8 April 2021

Andrea Tang, CIPM, CIPP/E, ISO 27001 LA

Works at Ernst & Young providing privacy services to financial institutions. She serves as the leader of the ISACA® China WeChat group. She has been a guest speaker for the Hong Kong Baptist University School of Business, Master of Science (fintech and data analytics) program. Tang has published privacy-focused articles in the ISACA® Journal and contributed to guidebooks released by the ISACA China Technical Committee.