Paul D. McKenzie and Gordon A. Milner
China and Privacy + Data Security
Late last month, the National Information Security Standardization Technical Committee of China (also known as “TC260”) released a number of draft CSL-related guidelines and standards. Among them was a second draft of Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (信息安全技术 数据出境安全评估指南(征求意见稿); the “Export Guidelines”). The Export Guidelines include a provision suggesting that data localization requirements under the CSL and draft implementing rules should be interpreted to apply to overseas companies that provide products and services “to” China, even if they do not have computer infrastructure or any business registration in China.
China’s Cyber Security Law (网络安全法; “CSL”) came into effect on June 1, 2017. Due to the vagueness of its drafting and the dearth of implementing rules, much remains uncertain about the scope and requirements of the law. One basic principle that did seem clear was that the CSL only applies to the construction, operation, maintenance and use of networks within the territory of the People's Republic of China. A new draft technical guideline calls this into question, with language that suggests that the data localization requirements of the CSL may in some cases apply to overseas companies as well as companies incorporated in China.
Data localization requirements of the CSL and draft implementing regulations apply to personal data and certain other data collected “in the course of business operations in China” (“在中华人民共和国境内运营”). While one might infer that the language “business operations in China” describes business operations of a company incorporated in China and operating computer infrastructure in the country, the Export Guidelines suggest that the data localization requirements ought also to apply to a foreign company offering products and services to China. According to the Export Guidelines, criteria to be considered in determining whether a foreign company is subject to the data localization requirements include:
Conversely, the Export Guidelines specify that provision by a network operator in China of products and services to foreign entities or individuals will not qualify as “business operations in China”, if that provision does not involve any personal information or important data in relation to any citizen in China.
The scope of the data localization requirements under the CSL was already uncertain. Do they apply only to operators of “critical information infrastructure” as the law itself contemplates or also to other network operators as draft implementing regulations contemplate? Specifically what data is subject to the requirements? The Export Guidelines further confuse what is already one of the most challenging and confusing facets of the CSL.
As a matter of legislative process, the Export Guidelines, even if finalized in their current form, would not operate to amend the CSL. The creative interpretation of the term “business operations in China” in order to try to bring overseas companies within the ambit of the data localization requirements appears to be in direct contradiction to the CSL, and guidelines cannot be adopted to override the actual legislation. They nonetheless evidence a worrisome desire on the part of some officials to push a more expansive approach to the data localization provisions of the CSL.
Competing views within the Chinese government about the proper scope of data localization requirements urgently need to be resolved so companies can take the steps needed to comply. Until that happens, international companies that do not have operations in China but that sell products and services to Chinese customers should monitor developments in regard to the CSL, especially if they meet one or more of the criteria listed in the Export Guidelines.
©1996-2019 Morrison & Foerster LLP. All rights reserved.