China’s new Cybersecurity Law, effective from 1 June 2017, introduced a local data residency requirement that has raised questions and concerns among multinational companies operating in the country.
To implement the local data residency requirement, the Cyberspace Administration of China (CAC) released a draft Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data on 11 April 2017 to solicit public comments.
The Cybersecurity Law imposed an obligation on operators of “critical information infrastructure (CII)” to store “personal information and other important data collected and generated during operations within China” (local data) and requires that CII operators undertake security assessment before transferring such data abroad. The draft measures, however, seem to extend the applicability of the local data residency requirements from CII operators to all “network operators”.
The draft measures replicate the definition of “network operator” stipulated under the Cybersecurity Law. “Network operators” refers to owners and operators of networks, as well as network service providers. Based on this broad definition, arguably, any entity in China that uses computer systems connected to communication networks could be considered a network operator, and therefore would be subject to the local data residency requirement stipulated under the Cybersecurity Law. Should the draft measures be implemented as is, virtually all entities established in China that access and use the internet in the course of business operations could be required to keep a copy of local data in China.
You must be a
to read this content, please
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at: firstname.lastname@example.org