China's Cybersecurity Law: Cross-Border Data Transfer

As part of our series providing insights into the Cybersecurity Law of the People's Republic of China (PRC), this fifth installment focuses on the cross-border transfer of data, and the data localisation requirement that comes with it, as set out in Article 37. That article governs the transfer of, and access to, personal information and important data collected by critical information infrastructure (CII) operators in mainland China. However, other measures and guidelines currently under discussion (including the Cross-Border Transfer Assessment Measures for Personal Information and Important Data and the Security Assessment Guideline for Data Cross-Border Transfer) could extend comparable requirements to network operators more broadly.

On the surface, the cross-border data transfer clause seems simple, as it involves only two requirements. The first, and the more consequential, is data storage localisation, which restricts the transfer of personal information and other important data out of mainland China, as well as access to it from outside mainland China. The second is a security assessment and approval before any such transfer takes place. It is important to understand the impact these requirements have on existing business models and system architecture, and the potential scope of financial costs, effort, and technical adjustments. Although the Cybersecurity Law permits cross-border data transfers, they are only allowed in compliance with industry regulations and after an official assessment of security measures and formal approval have been completed.

Overview of Cross-Border Data Transfer

Compliance requirements of Cross-Border Data Transfer

Under the Cybersecurity Law, personal information and other important data collected in mainland China by CII operators must be stored within the borders of mainland China. Security assessments and approval from industry regulatory bodies are required before such data is transferred outside mainland China. In practice, this makes transfers nearly impossible for industries such as banking, or for specific types of data such as geolocation.
Article 37 legal requirements

Critical information infrastructure operators (network operators) shall:
- store personal information and important data within mainland China; and
- where a transfer outside mainland China is genuinely necessary, conduct a security assessment and obtain approval before the cross-border transfer.

According to the Security Assessment Guideline for Data Cross-Border Transfer, there are three major types of cross-border transfer:
- Active cross-border transfer. Example: data transferred from mainland China to the United States.
- Passive cross-border transfer. Example: data held in mainland China accessed by system administrators in Australia.
- Transfer into territories outside mainland China's jurisdiction. Example: data transferred to Hong Kong or to the Canadian embassy.

In the past, many foreign companies adopted a centralised system and data architecture, often located in the United States or Europe. As this no longer complies with the requirements of Article 37, companies can choose between two approaches: decentralisation or sanitisation.

Decentralisation requires setting up, in mainland China, a complete and separate infrastructure and system (with its own administration) to store and process personal information and other important data. The technical support, system administration, and security operations for that infrastructure and system should also be located in mainland China. This calls for a separate and independent IT team and IT environment, which can be costly and may diverge from the company's existing architecture.

Sanitisation requires removing any important data, and any details that could identify an individual, before the data is transferred to the central application and infrastructure outside mainland China for storage and processing. Compared with decentralisation, this may need a relatively smaller IT team and environment.
However, sanitisation may entail extensive business and IT planning to identify which data must be transferred to headquarters and to decide the level and method of sanitisation.

Security assessment for Cross-Border Data Transfer

According to the Cross-Border Transfer Assessment Measures for Personal Information and Important Data, assessments may be conducted either by industry regulatory bodies or by companies themselves. When conducting a self-assessment, a company must consider a number of factors, including:
- Legitimacy: the information and data to be transferred must not contravene any laws or regulatory requirements.
- Necessity: the data provider should ensure that the transfer is necessary for business operations or legal obligations.
- Personal information characteristics: personal information should undergo effective de-identification and desensitisation.
- Important data characteristics.
- Amount and frequency of data transferred: both should be limited to what is necessary to maintain business operations.
- Security capability of data provider and receiver: the contract between the provider and the receiver should be reviewed to ensure that obligations on compliance, data security, and privacy protection are well defined.
- Political and legal environment of the receiver's location: the assessment should consider whether the receiver's country has specific data security and privacy laws, especially where those laws might give local authorities access to the transferred information.
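The sanitisation approach described above, and the de-identification factor in the self-assessment list, both come down to the same engineering question: which fields may leave mainland China, in what form, and how do you prove nothing else slipped through. The following is an added example, not code from the original paper or from Protiviti; the records, field names, field classification and the secret key are all constructed assumptions. It pseudonymises the join key with a keyed hash (the key stays with the local operator, so the mapping cannot be reversed abroad), generalises the date of birth to a year, drops direct identifiers and important data such as geolocation, denies any unclassified field by default, and emits a per-record manifest of what was removed, which is the kind of evidence a self-assessment needs.

```python
import hashlib
import hmac
import json

# Constructed sample records (not from the page); field names are assumptions.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Li Wei", "id_number": "110101199001011234",
     "phone": "+86 138 0000 0000", "birth_date": "1990-01-01",
     "geolocation": {"lat": 39.9042, "lon": 116.4074}, "order_total": 128.50},
    {"customer_id": "C-1002", "name": "Zhang Min", "id_number": "310101198512120987",
     "phone": "+86 139 1111 1111", "birth_date": "1985-12-12",
     "geolocation": {"lat": 31.2304, "lon": 121.4737}, "order_total": 42.00},
]

# Field classification. In practice this comes from the business/IT data inventory
# the text calls for; these categories are illustrative assumptions.
DIRECT_IDENTIFIERS = {"name", "id_number", "phone"}   # never exported
IMPORTANT_DATA = {"geolocation"}                       # never leaves mainland China
JOIN_KEYS = {"customer_id"}                             # replaced by a stable token
PASSTHROUGH = {"order_total"}                           # business data needed abroad


def pseudonymise(value, key):
    """Keyed hash: stable for joins, not reversible without the key, which
    stays with the mainland China operator (assumption: local key management)."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise_birth_date(iso_date):
    """Reduce a full ISO date of birth to the birth year only."""
    return iso_date[:4]


def sanitise_record(record, key):
    """Return (exportable record, list of fields that were withheld)."""
    out, removed = {}, []
    for field, value in record.items():
        if field in IMPORTANT_DATA or field in DIRECT_IDENTIFIERS:
            removed.append(field)
        elif field in JOIN_KEYS:
            out[field] = pseudonymise(value, key)
        elif field == "birth_date":
            out["birth_year"] = generalise_birth_date(value)
        elif field in PASSTHROUGH:
            out[field] = value
        else:
            removed.append(field)  # default deny: unclassified fields do not cross the border
    return out, removed


def sanitise_for_transfer(records, key):
    """Sanitise a batch and build a manifest documenting what was withheld."""
    sanitised, manifest = [], []
    for rec in records:
        out, removed = sanitise_record(rec, key)
        sanitised.append(out)
        manifest.append({"token": out.get("customer_id"), "removed_fields": sorted(removed)})
    return sanitised, manifest


def contains_raw_identifier(sanitised, originals):
    """Final check before transfer: no original identifier value may survive in the export."""
    blob = json.dumps(sanitised)
    return any(str(rec[f]) in blob for rec in originals for f in DIRECT_IDENTIFIERS | JOIN_KEYS)


if __name__ == "__main__":
    key = b"local-secret-kept-in-mainland-china"  # assumption: held by the local team only
    export, manifest = sanitise_for_transfer(SAMPLE_RECORDS, key)
    assert not contains_raw_identifier(export, SAMPLE_RECORDS)
    print(json.dumps(export, indent=2))
    print(json.dumps(manifest, indent=2))
```

The default-deny branch is the important design choice: a new field added upstream by a developer is withheld until someone classifies it, rather than silently exported. The manifest and the final identifier scan give the local security team something to attach to the self-assessment record for each transfer.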
If any of the following criteria are met, assessment by an industry regulatory body is required:
- The number of personal information records exceeds a cumulative total of 500,000.
- The volume of personal information or important data exceeds 1,000 GB.
- The data comes from any of the following fields or industries: nuclear facilities; chemical and biological; national defence; medical and health; major engineering or construction programmes; seas and oceans; geolocation.
- The transfer involves cybersecurity information on CII.
- The transfer involves personal information or important data from CII.
- Other fields involving national security or social interests.

Compliance challenges

Extensive capital and ongoing expenses

As noted earlier, decentralisation requires localising infrastructure, systems, and administration in mainland China, which may lead to significant implementation costs and an increase in a company's annual IT budget. Companies must budget for data centre operations, security operations, IT management, maintenance of infrastructure and systems, and IT staffing. All of these require capital as well as ongoing operating expenses for as long as the separate infrastructure and systems operate in mainland China.

Inadequate technical competence and incomplete design often lead to security incidents or to non-compliance with the Law or other standards, which in turn bring potential costs from redesign, remediation, risk mitigation, recovery, and business interruption. Therefore, when building the IT environment and IT team for mainland China, companies should ensure that technical documentation is comprehensive and that staff are technically competent.

Adequate IT competence in mainland China

Both decentralisation and sanitisation require some degree of change to infrastructure and system architecture.
It is arguable that decentralisation requires less effort in architecture redesign, but it may also require building a complete set of infrastructure and systems. For both methods, companies have to ensure adequately skilled IT resources within mainland China to support the local IT infrastructure and systems as well as local business needs. In particular, companies will have to engage a local cybersecurity team (covering both security governance and security operations) to provide proper cybersecurity protection and comply with the Law. Some companies may find it difficult to build and manage their own IT team locally, and may therefore outsource certain functions to experienced local service providers.

How Protiviti can help

Protiviti helps businesses ensure that their IT services meet legal requirements and regulatory rules at both national and industry-specific levels. With a team of IT security professionals, compliance experts, auditors, and other professionals, Protiviti keeps track of evolving regulations driven by industry innovation, environmental trends, and emerging risks.

Protiviti's security and privacy services evaluate your current compliance against the relevant legal requirements and regulatory rules and develop technical solutions that fit your current technology, procedures, and resource competency. We close gaps in your IT technology and processes within your budget plan, while preventing compliance activities from disrupting normal IT and business operations.

Learn more about other sections of China's Cybersecurity Law:
- Interpretations of the Updates to China's Cybersecurity Law: all companies incorporated within mainland China are required to abide by the Cybersecurity Law of the People's Republic of China (PRC), which went into effect on 1 June 2017.
- China's Cybersecurity Law: Personal Information Protection Law (PIPL) Overview: as part of our series providing insights into the Cybersecurity Law of the PRC, this Point of View (POV) highlights a key area pertaining to personal information protection.
- China's Cybersecurity Law: Multi-Level Protection Scheme (MLPS): in part one of our POV series, Interpretations of the Updates to China's Cybersecurity Law, we highlighted the updated legal requirements that affect organisations looking to do business in mainland China.
- China's Cybersecurity Law: Critical Information Infrastructure (CII): according to the Cybersecurity Law, CII is any information infrastructure whose data breach, network compromise, or system malfunction could endanger national security, national strategy, and civil welfare.

Topics: Cybersecurity and Privacy; IT Management, Applications and Transformation. Industries: Healthcare.

Leadership

Tim Speelman: Tim is a director with a track record of developing and implementing strategic plans that align with the demands and gaps of global and local enterprises. Before joining Protiviti, Tim was a regional CISO responsible for APAC within a large recruitment company with core ...

Krishnan Venkatraman: Krishnan is a director with over 14 years' experience in professional services. He has specific expertise in technology risk consulting and has been advising clients in both the public and private sector on designing and implementing information security controls. Major ...