China’s Cybersecurity Law imposes data localization requirements on critical information infrastructure operators (“CIIOs”), a subset of network operators, requiring them to store “important data” collected and generated in their China operations within the territory of China and to conduct security assessments before transferring “important data” overseas.
The Cybersecurity Law also requires network operators to encrypt and create back-up copies of “important data.” “Important data” is broadly defined as data that is closely related to national security, economic development or public interest, a definition that provides little helpful guidance. The Draft Measures clarify that the definition of “important data” does not include production, operational and internal administrative data of enterprises, or personal information (Article 38). The Draft Measures also provide additional examples of “important data,” including non-public government information and significant volumes of data related to population, genetics and health care, geographic, and/or mineral resources.
Data Localization and Cross-border Data Transfers
The data localization requirement has been included in various pieces of Chinese Internet-related legislation. As early as 2011, China’s central bank issued a guideline providing that “financial information collected in China’s territory” is to be “stored, processed and analyzed” within China’s borders. The draft PIPL contains data localization requirements for CIIOs that are similar to those contained in the Cybersecurity Law, which currently requires CIIOs to store personal information collected or generated in China within the territory of China. The draft PIPL sets out the available mechanisms for cross-border transfer of personal data. Separate consent from data subjects is required regardless of which cross-border transfer mechanism is used. For personal data processors and CIIOs that are subject to the data localization requirement, completion of the security assessment organized by the CAC is required.
The draft PIPL would apply to the processing of personal information of individuals located in China that is conducted outside of China, including by Chinese and foreign businesses and individuals, under certain circumstances, including for the purposes of providing products or services to individuals located in China, and for analyzing and evaluating the behavior of individuals located in China. This closely mirrors the way extraterritorial applicability is handled under the GDPR, as set forth in Article 3(2).