China's Cybersecurity Law: Cross-Border Data Transfer

Under the Cybersecurity Law, personal information and other important data collected in mainland China by CII operators must be stored within the borders of mainland China. Security assessments and approval from industry regulatory bodies are required for their transfer outside mainland China, making any transfers nearly impossible for industries like banking or for specific types of data such as geolocation.   
 

According to the Security Assessment Guideline for Data Cross-Border Transfer, there are three major types of cross-border transfers:  
 

• Active data cross-border transfers  
   

Example: data transfer from mainland China to the United States.

• Passive data cross-border transfer  
   

Example: data in mainland China accessed by system administrators in Australia.

• Data transfer into territories outside of mainland China’s jurisdiction  
   

Example: data transfer to Hong Kong or the Canadian embassy. 
 

In the past, many foreign companies adopted a centralised system and data architecture, which were often located in the United States or Europe. As this is no longer in compliance with the requirements of Article 37, companies can choose to implement either decentralisation or sanitisation.  
 

The decentralisation method requires the local setup of a complete and separate infrastructure and system (as well as associated administration) managing the storage and processing of personal information and other important data within mainland China. The technical support, system administration, and security operations of the infrastructure and system should also be located in mainland China. This requires a separate and independent IT team and IT environment, which could incur high costs, as well as misalign with existing architecture.  
 

The sanitisation method requires the removal of any important data and details that could identify personal information, before transferring the data to the central application and infrastructure outside mainland China for storage and processing. Compared with decentralisation, this may require a relatively smaller IT team and environment. However, this method may entail extensive business and IT planning in order to identify which data must be transferred to headquarters, as well as the level or method of sanitisation.

According to Cross-Border Transfer Assessment Measures for Personal Information and Important Data, assessments may be conducted by industry regulatory bodies or companies themselves. When conducting self-assessment, a company must consider a number of factors, including:  
 

• Legitimacy: the information and data to be transferred must not contravene any laws or regulatory requirements.
• Necessity: data providers should ensure that it is necessary to transfer the information and data because of business operations and legal obligations.
• Personal information characteristics: personal information should undergo effective deidentification and desensitisation.
• Important Data Characteristics
• Amount and Frequency of Data Transferred: the amount and frequency of data transfer should be limited to what is necessary to maintain business operations.
• Security Capability of Data Provider and Receiver: the legal contract signed between data providers and receivers should be reviewed to ensure that obligations on compliance issues as well as data security and privacy protection are well-defined.
• Political and Legal Environment of Receiver’s Location: assessment should take into considerations if the receiver’s country has specific data security and privacy laws, especially if the laws might give local authority access to the transferred information. 
   

If any of the following criteria are met, assessment by industry regulatory bodies is required:
 

• The number of personal information records exceeds a cumulative number of 0.5 million.
• The personal information or important data volume is above 1,000 GB.
• The data comes from the following fields or industries:
  • Nuclear facilities
  • Chemical and biological
  • National defense
  • Medical and health
  • Major engineering or construction programme
  • Seas and oceans
  • Geolocation
• The transfer involves cybersecurity information on CII.
• The transfer involves personal information and important data from CII.
• Other fields involving national security or social interests.

As noted earlier, decentralisation requires the localisation of infrastructure, systems, and administration in mainland China, which may lead to significant implementation costs and an increase in a company’s annual IT budget. Companies must factor in costs for data center operations, security operations, IT management, maintenance of infrastructure and systems, and IT resources. These all require capital as well as ongoing operating expenses for as long as the separate infrastructure and systems are operational in mainland China.
 

Technical incompetence and incomprehensive design often result in security incidents or lack of compliance with the Law or other standards. These also entail potential costs ensuing from redesign, remediation, risk mitigation, recovery, as well as business interruption. Therefore, when building up the IT environment and IT team for mainland China, companies should ensure comprehensiveness of technical documentation and technical competency.

Both decentralisation and sanitisation methods require a certain level of infrastructure system architecture changes. It’s arguable that the decentralisation method requires less effort in architecture redesign, but decentralisation may also require building a complete set of infrastructure and systems.
 

For both methods, companies have to ensure adequately skilled IT resources within mainland China that can support the running of the local IT infrastructure and systems, as well as local business needs. In particular, companies will have to engage a local cybersecurity team (including security governance and security operations) to ensure proper cybersecurity protection and comply with the Law. Some companies may face difficulties building and managing their own IT team locally, resulting in the possibility of outsourcing certain functions to experienced local service providers.