When it comes to data protection in China, data localization is unavoidable for many foreign companies. The basic requirements are currently set out mainly in the Cybersecurity Law, and sector-specific rules add their own data localization requirements in areas such as financial services, population health information, and online ride-hailing services.
The Cybersecurity Law distinguishes between CIIOs (critical information infrastructure operators) and non-CIIOs, and requires CIIOs to store personal information and important data collected or generated in China within China. For other network operators and data collectors, the Cybersecurity Law imposes no data localization requirement.
However, some recent draft regulations, such as the Data Security Measures (Draft) and the Personal Information Assessment Measures (Draft), propose more detailed data localization and cross-border transfer rules that would apply to all network operators, so more companies would have to comply with data localization requirements. These drafts have not yet taken effect, but they reflect the current trend toward tighter regulation of cross-border data transfers. In addition, the Personal Information Protection Law (Draft) extends the entities subject to data localization beyond CIIOs to personal information processors whose processing volume reaches a threshold set by the cyberspace authorities.
All of this presents further challenges. On the one hand, the scope of CIIOs has not been clearly defined, making it difficult for foreign companies to predict whether they are subject to data localization under the Cybersecurity Law. On the other hand, data localization requirements may in future apply even to companies that are not CIIOs. The best way to manage this risk is to monitor policy developments closely, especially regulations that have not yet formally taken effect. Companies should also stay alert and responsive to the various legal restrictions that apply, not only in the country where the data is stored, but also in the jurisdictions where the data is processed and used.