Countries are continuing to escalate restrictions on storage location and transfers of data, with China being the most recent to follow suit. China broadened its cybersecurity initiatives significantly in 2016 with the release of the Cybersecurity Law (Law). Scheduled to come into effect June 1, 2017, the Law introduced many new requirements concerning the handling of personally identifiable information (PII). Among the most controversial is the data localization mandate requiring “operators of key information structure” (CIIOs) to retain critical data and PII generated within the course of business in China. Specifically, the Law requires “personal information and other important data gathered or produced” during CIIO operations to be kept within the “mainland territory of the People’s Republic of China.” [1]

The Law's definition of a CIIO is ambiguous: it describes CIIOs as public-facing entities that maintain “critical information infrastructure that if destroyed, losing function or leaking data might seriously endanger national security, national welfare and the people’s livelihood…” Examples of the sectors subject to this definition include businesses operating in public communications and information services, power, traffic, water, etc., which may very well implicate multinational corporations (Multinationals).

On April 11, 2017, the Cyberspace Administration of China released the draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data (Draft Measures). Designed to implement the Law, the Draft Measures take a more expansive approach and extend the data localization requirements to Network Operators, in addition to CIIOs.

The definition of Network Operators includes “those who own or administer a network, and to network service providers.”[2] Based on this definition, the reach of the law now extends not only to network service providers but also to those who own or administer a network, which is conceivably any private company, including Multinationals.

Although the Draft Measures are not final, they do offer a strong indication of things to come. The language of the Law and Draft Measures appears to be crafted ambiguously and broadly to impose sweeping measures on a range of entities, including Multinationals. For this reason, it is important for Multinationals to stay abreast of these changes and prepare for compliance once the Law and Draft Measures are effective.

Contact Zasio today to see how our consulting services can help you stay compliant and ahead of the laws evolving around the world.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

 

[1] http://www.chinalawtranslate.com/cybersecuritylaw/?lang=en

[2] https://www.huntonprivacyblog.com/wp-content/uploads/sites/18/2017/04/Draft-of-Measures-on-Security-Assessments-for-Public-Comment-English-translation-c.pdf

Author: Jennifer Chadband, IGP, CRM, ECMp

Senior Analyst / Licensed Attorney