China’s controls on data flows in and out of the country are likely to become even stricter, as shown by draft measures issued last month. Companies in China are already required to store data on local servers, but the new rules appear to require any company doing business with a Chinese entity, even those based overseas, to leave China-related data in China. Like Wolf Warrior 2, China is reaching out beyond its borders – and this matters to any company dealing with China, because infringing the Cybersecurity Law could get you fined, detained, or even imprisoned.
Most multinational companies are aware of the law, the text of which was finalised and issued in November 2016, and has been in force since June. It was assumed by many (including the compliance teams at GE, HSBC, and Morgan Stanley) that the final implementing regulations would be less onerous than the law suggested. Surely the Chinese regulatory authorities would not seriously expect international companies to store all the data of their Chinese subsidiaries in China? That would make no sense, since it would mean global management would be unable to administer their Chinese staff, and global CFOs would not be able to receive financial data without special approvals.
Well, implementing regulations have been issued piece by piece over the past few months, and suggest that the Cyberspace Administration of China (CAC) meant what they said last year. There are no exemptions, no relaxations – and the most recent draft regulation makes the application of the law even broader than before.
It was previously hoped this would only be imposed on operators of “critical information infrastructure”. But it appears this is no longer the case. In April 2017, draft “Measures on Security Assessment relating to Export of Personal Information and Important Data” were issued, providing that all personal information and “important data” collected and generated by “network operators” must be stored within China. “Network operators” is so broadly defined that it covers pretty much any company that stores data on linked computers.
WATCH: China gets a new cyber censor-in-chief
With echoes of the General Data Protection Regulation (GDPR) so much talked about in the European Union, if personal data is included, network operators must obtain consent from the personal data subject. And even if personal data is not included, other data that might be considered important can only be sent outside China after a security assessment. This requirement is commonly referred to as the “data localisation requirement”.
In May 2017 a new set of guidelines also implied that any “network operator” was covered by the data localisation requirement. Oddly enough, in the same month a CAC official referred back to the old view that the data localisation requirement was only applicable to operators of Critical Information Infrastructure, but this is not what the regulations say. The May guidelines also made it clear that “important data” does not just mean state secrets. It includes business and commercial information as well.
The data localisation requirement arises between group companies – so the Chinese subsidiary of a British company would need to obtain consent from its Chinese employees before sending human resources records to the head office in Britain.
In July, the CAC issued further regulations on the definition of Critical Information Infrastructure, and in August, the guidelines from May were re-released, supposedly to take account of the comments received on the first draft. Comments from multinationals and foreign chambers of commerce in China were either ignored or had been prepared incompetently because the second draft takes no account of the complaints made by grumbling foreigners. More surprisingly, the draft contained that provision for the rules to apply to companies outside China.
WATCH: A leap forward in cybersecurity of Chinese mobile payments
A company that is not registered in China but that conducts business in or provides products or services to China must also be deemed as conducting “operations within the territory of China” and is covered by these regulations. Clause 3.2 of the regulations provides that a company with the following attributes might be considered to be doing business in China and therefore covered:
• if it has a website in Chinese,
• if payment can be made in Chinese currency, and
• if it will deliver commodities to China.
With these regulations, the Chinese authorities are thus doing what many legal advisers have always maintained China does not do, which is to apply its rules to overseas companies with no presence in China.
The one bright spot is that in many circumstances, an affected company can conduct a self-assessment to avoid the need for government assessment. In other respects, we can pin our hopes on the final version of the regulations removing some of the more draconian provisions. But if the past twelve months is anything to go by, that is not going to happen. ■
Nicolas Groffman writes on China, practised law in Beijing and Shanghai, and is currently a partner at law firm Harrison Clark Rickerbys