Many international companies that operate in China have Chinese websites and some kind of network system, whether for selling their own products or solely for internal use. In many cases, these websites and internal systems are hosted on servers outside China. The other lawyers on our China cyberlaw team and I are frequently asked whether a company that collects personal information within China must store that information within China.
The short answer is yes.
China’s Cybersecurity Law took effect last year, and it requires critical information infrastructure operators (CIIOs) to store within the territory of the PRC the personal information and important data they collect and generate there. Whether a network operator is a CIIO typically depends on its industry and on how much a data breach would harm the public interest. Network operators in industries like public communication and information services, energy, finance, and public services are more likely to be considered CIIOs.
China is also in the process of establishing rules for the cross-border transmission of personal information and important data via the draft Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (个人信息和重要数据出境安全评估办法, the Measures) and the draft Guidelines for Data Cross-Border Transfer Security Assessment (数据出境安全评估指南, the Guidelines). Under the existing drafts, the Measures and the Guidelines will apply to any company that is a network operator engaged in “domestic operation.”
The term “network operator” is defined to include any person or entity that owns and manages any network and also network service providers. If a company uses its internal network for its internal company operations and uses its company website to provide information to its customers and this system and website are owned and managed by its foreign parent, the foreign parent company is a network operator.
Under the Guidelines, domestic operation means providing products or services within China. A foreign network operator that is not registered in China but provides products or services to customers in China is engaged in domestic operation and will be subject to China’s cross-border data transfer requirements.
The Guidelines also set forth how to determine whether a foreign company is engaged in domestic operation. The factors that will lead to such a finding include using the Chinese language, settling payments with RMB, and delivering or distributing products or services to China citizens or companies. If one or more of these exist, a foreign company will be deemed to be engaging in “domestic operation” and therefore will be required to conduct a security assessment before engaging in any cross-border transfer of personal information and important data. But a network operator located in China that provides only products or services to foreign entities and whose operation does not involve any personal information of Chinese citizens or important data will not be considered to be a domestic operation and therefore will not be subject to China’s cross-border data transfer rules.
China Cross-Border Data Transfer Requirements
Non-CIIO network operators may transmit personal information to a server located outside China so long as the subject of the relevant data has consented to such transmission and so long as the entity (usually a company) that initiates the transfer has undergone a security assessment regarding its data transfers. These requirements are laid out in the Measures and the Guidelines. The company should conduct the security assessment, either by itself or by engaging a third-party professional service provider. The report of such an assessment must be kept for at least two years. In certain circumstances, the relevant industry regulator will review the assessment.
Under Article 7 of the second draft of the Draft Measures, the relevant regulatory authority will conduct this review when the data transfer involves any of the following:
- Data containing or cumulatively containing personal information of more than 500,000 individuals
- Data related to nuclear facilities, chemical biology, national defense, or military, population and healthcare
- Data related to large-scale engineering activities, the marine environment, or sensitive geographical information
- Data related to the cybersecurity information of key information infrastructure, such as system vulnerabilities and security protection measures
- Other factors that may potentially affect China’s national security and public interests
The Required Consent
To transfer personal information outside China, a network operator must first obtain consent from the subject of the personal information. This consent must be given either in writing or by some other affirmative action by the data subject. Consent can be obtained by, for example, an online pop-up notification asking the data subject to click yes or no, or by sending a text message to the data subject requiring a “yes” or “no” reply to the cross-border transfer.
Consent can be implied in certain circumstances, such as making international calls, sending an email internationally, international instant messaging, and conducting cross-border transactions via the Internet.
The Required Data Security Assessment
The Measures require the company transmitting personal information and important data outside China to conduct (or use a third party to conduct) a security assessment of the cross-border data transfer system it will use to send the personal information and important data. Industry regulators or regulatory authorities will be responsible for monitoring these assessments, and they shall do their own cross-border data inspections “regularly.” According to the Guidelines, when multiple entities are involved in an outbound data transmission, the entity that initiates the transmission shall conduct the security assessment.
Only one security assessment is needed for “continuous” cross-border transmissions. If two separate data transfers occur within a year and the purpose and recipient of both transfers are the same, and the scope, type, and quantity of information are similar, these transmissions will be considered “continuous.” Take, for example, a Chinese subsidiary of a foreign retailer that collects its customers’ personal information on any initial order and then transmits that information to its foreign parent company. This sort of transmission may happen instantly many times every day, with the receiver, scope, and type of information remaining the same. These transmissions would likely be considered continuous and therefore would not require a separate security assessment for each single transfer.
In my next post I will provide more on the nuts and bolts of what foreign companies that are doing business in China need to do to comply with China’s cybersecurity and internet privacy laws.