Understanding China’s Data Security Law: An Intro for Foreign Businesses
China has the highest number of internet users in the world, with 802 million internet users in 2018 as reported by the China Internet Network Information Centre. 42% of global e-commerce transactions come from the country, and the Chinese government has been implementing various laws and regulations in a bid to crack down on cybercrime and to increase cybersecurity within China. China is already well known for its restrictive internet policy and its Great Firewall, which censors and blocks searches for certain terms and prevents access to the numerous Western internet sites and services that the government has put on its blacklist.
Enacted on November 7th, 2016 after a year of legislative proceedings, the Cyber Security Law of the People’s Republic of China took effect on June 1st, 2017. The implementation of China’s Cybersecurity Law has raised many concerns among foreign firms because of the effects it has already had on companies doing business in China.
Article 37 of the Cybersecurity Law requires personal information and important data collected by operators of critical information infrastructure (CII) to be stored within China’s borders, while Article 41 states that network operators are required to gather and store personal information in accordance with the law, administrative regulations and their agreements with users. The Cybersecurity Law defines “network operators” as network owners, managers and network service providers. Any enterprise or institution that provides services and conducts business activities through networks may also be defined as a network operator. Meanwhile, a “critical information infrastructure operator” is described as any public communication and information service, power, traffic, water resources, finance, public service, e-government, or other critical information infrastructure which — if destroyed, suffering a loss of function, or experiencing leakage of data — might seriously endanger national security, national welfare, the people’s livelihood, or the public interest. CII operators face more rigorous requirements in terms of security, procurement of network products and services, data storage and data transfers. Data they need to transfer abroad must first pass a security assessment by the Chinese government.
In short, all businesses that collect and generate the personal data of Chinese citizens are legally required to store that data domestically within the People’s Republic of China.
Many international companies have chosen to hire local data server providers to migrate the data of Chinese citizens in compliance with the regulations. Data centre services in China have been growing rapidly. Huawei, Tencent and Alibaba have been expanding and investing in data centres both locally and abroad, challenging companies like Microsoft, Google and Amazon, which lack the home advantage those firms enjoy in China.
Some foreign companies have also opted for colocation or have built their own data centres in China. A colocation facility is a data centre space that an organisation can rent to co-locate its servers and other equipment. Apple, for example, outsourced its Chinese iCloud operations to Guizhou-Cloud Big Data, based in southern China. Soon after, it announced that it was investing in the building of 2 new data centres in China, due to begin operation in 2020, to store its Chinese iCloud data in accordance with the Cybersecurity Law.
There have been worries that the Cybersecurity Law enables the Chinese government to access data kept on local servers for nefarious use. International organisations have raised concerns about the possibility of corporate theft and cyber espionage by the Chinese government. Many scrutinised the language used in the law and called for reforms in the early stages before enactment, but to no avail. Any company that refuses to comply with the data localisation rules could be fined, have its business suspended or have its business licence revoked for failing to store Chinese data domestically.
However, adhering to these regulations doesn’t mean that businesses have to compromise on the privacy or security of their data. Making sure that your cloud service provider has strong privacy policies and doesn’t share data with any third parties will help reduce the chances of the data being jeopardised. Encryption also protects data in the cloud: cryptography can be employed to protect data in transit and at rest, so that the party hosting the servers holds only ciphertext. Any company operating in China should take care to review and update its cybersecurity in accordance with the Cybersecurity Law.
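As an added illustration of the encryption-at-rest point (example code written for this article, not anything the article, Apple or any cloud vendor published), the Go program below seals each customer record with AES-256-GCM before it is handed to a domestically hosted provider, so the provider stores only a nonce and authenticated ciphertext. The key-management setup is an assumption: the key is taken to be generated and held by the business in its own key-management system, apart from the hosted data, and the record and its identifier are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the only thing handed to the storage provider: a fresh nonce and
// the AES-GCM ciphertext (which carries its authentication tag). The key and
// the plaintext never leave the business's own systems.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a random 256-bit AES key. Assumption: in production it is
// generated and held in a key-management system the business controls,
// separate from the data hosted with the provider.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with AES-256-GCM. aad (here the record's
// identifier) is authenticated but not encrypted, so a ciphertext moved into
// another record's slot fails to decrypt.
func Seal(key, plaintext, aad []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must be unique per key
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open verifies and decrypts a record. Any change to the nonce, ciphertext,
// tag or aad yields an error instead of silently returning corrupted data.
func Open(key []byte, rec Record, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and identifier; not real customer data.
	plaintext := []byte(`{"name":"Li Wei","phone":"+86 10 0000 0000"}`)
	aad := []byte("customer/0001")

	rec, err := Seal(key, plaintext, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: nonce=%x ct=%x\n", rec.Nonce, rec.Ciphertext)

	got, err := Open(key, rec, aad)
	fmt.Printf("decrypted by key holder: %s (err=%v)\n", got, err)

	// Flipping a single bit of the stored ciphertext is detected on Open.
	rec.Ciphertext[0] ^= 0x01
	_, err = Open(key, rec, aad)
	fmt.Println("after tampering, Open returns:", err)
}
```

Using an AEAD mode rather than plain AES-CBC means the business detects modified or swapped records when it reads them back, not just loss of confidentiality. This covers data at rest only; data in transit to and from the provider still needs TLS, and the guarantee holds only as long as the key genuinely stays outside the hosting provider's reach.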
Translation: Cybersecurity Law of the People's Republic of China (Effective June 1, 2017)
Where Article 44 of this Law is violated in stealing or using other illegal means to obtain, illegally sell, or…
Assessing China’s Cybersecurity Law, Aimin Qi, Guosong Shao, Wentong Zheng
Overview of China’s Cybersecurity Law, KPMG
- All views and opinions expressed are my own and not those of any company.