As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this fifth installment focuses on the cross-border transfer of data — or data localization — that is outlined in Article 37. This article covers the transfer and access of personal information and important data collected by critical information infrastructure (CII) operators in mainland China. However, other measures and guidelines currently under discussion (including Cross-Border Transfer Assessment Measures for Personal Information and Important Data as well as Security Assessment Guideline for Data Cross-Border Transfer) could extend network operator requirements.
On the surface, the data cross-border transfer clause seems simple, as it involves only two requirements. The major one is data storage localization, which limits the transfer and access of personal information and other important information out of mainland China. But it is important to understand the impact this has on existing business models and system architecture, and the potential scope of financial costs, effort, and technical adjustments. Although the Cybersecurity Law permits data cross-border transfers, these are allowed only in compliance with industry regulations and after an official assessment of security measures and formal approval have been completed.
Overview of Critical Information Infrastructure
Compliance Requirements of Data Cross-Border Transfer
Under the Law, personal information and other important data collected in mainland China by CII operators must be stored within the borders of mainland China. Security assessments and approval from industry regulatory bodies are required for their transfer outside mainland China, making any transfers nearly impossible for industries like banking or for specific types of data such as geolocation.
Security Assessment for Data Cross-Border Transfer
According to Cross-Border Transfer Assessment Measures for Personal Information and Important Data, assessments may be conducted by industry regulatory bodies or companies themselves. When conducting self-assessment, a company must consider a number of factors.
Extensive Capital and Ongoing Expenses
As noted earlier, decentralization requires the localization of infrastructure, systems, and administration in mainland China, which may lead to significant implementation costs and an increase in a company’s annual IT budget. Companies must factor in costs for data center operations, security operations, IT management, maintenance of infrastructure and systems, and IT resources. These all require capital as well as ongoing operating expenses for as long as the separate infrastructure and systems are operational in mainland China.
Adequate IT Competence in Mainland China
Both the decentralization and sanitization methods require some degree of change to infrastructure and system architecture. Arguably, the decentralization method requires less effort in architecture redesign, but it may also require building a complete set of infrastructure and systems.