This year is a pivotal year for data laws in China, with two very significant pieces of new legislation coming into force – the Data Security Law (“DSL”), governing important/core data, and the Personal Information Protection Law (“PIPL”), governing personal information, on 1 September 2021 and 1 November 2021 respectively.
The key issue is how these new laws will affect the transfer of data out of mainland China.
Most multinational companies have stopped taking a wait-and-see approach and have put China data/server localisation and China data/cyber related compliance issues on their boards’ agendas.
Much has been written about these new laws, but little has been said about their practical impact. The most common issue we have been asked about is whether data can still be exported from China, and whether there is any need to localise data in China to future-proof relevant business activities.
The restrictions on the export of data under the DSL and PIPL, in addition to the existing Cybersecurity Law (“CSL”) – which took effect in 2017 – are highly complex. Whether data should be localised in China or can be exported from China will at least depend on (i) the nature of the business or industrial sector the company is in (e.g. whether the data handling organisation is a Critical Information Infrastructure Operator (“CIIO”)); (ii) the nature of the data (e.g. whether the data constitutes important/core data and/or personal information); and (iii) the amount of data being collected/number of data subjects involved. There may also be other provincial local laws and sectoral regulations that further complicate the analysis.
Although most multinational companies are unlikely to be CIIOs, the data localisation requirements and data export restrictions under the new laws may still apply if those companies (i) process a large amount of individual consumers’ personal information; or (ii) generate or receive important data or core data in China, e.g. by providing products or services to CIIOs in China. Further, companies that are vendors to CIIOs in China may be subject to applicable supply chain security requirements and may be required by CIIOs to assist them to comply with the new laws.
The multi-level protection scheme (“MLPS”) under the CSL, being a mandatory security level assessment for IT systems used by companies in China, has also received increased attention from multinational companies.
We note that the 2020 version of the Information Security Technology—Personal Information Security Specification (“Specification”) remains relevant as the recommended best practice on processing of personal information in China. There are also local data regulations in Shenzhen and Shanghai, and sectoral requirements such as additional requirements for personal financial information in the banking sector.
A number of the key concepts and requirements under the new laws are still subject to guidelines and implementation rules from Chinese authorities.
Our China data and cyber law offering
We are an award-winning data and cybersecurity team globally and in China.
We have extensive experience assisting companies in complying with data and cybersecurity laws in China, across Asia Pacific and the world.
We have been helping clients understand how the new laws in China impact their businesses, identify key risk areas and gaps, and make recommendations on their data strategy and action plans.
We are also partnering with clients in this evolving area to anticipate and support their needs.
Our Joint Operation, Herbert Smith Freehills Kewei, enables us to provide an end-to-end legal service integrating PRC law and international law and legal service standards. It also gives us a deeper understanding of Chinese business methods and corporate culture, and an in-depth knowledge of China’s complex regulatory and political environment.