Foreign companies operating in China, or looking to enter the Chinese market, are increasingly concerned as to whether Chinese law restricts cross-border transfers of personal data collected in China. In light of recent developments, is there a growing trend in China towards data localisation?
As is generally the case with China’s data privacy framework, there is not one comprehensive law in China that regulates cross-border data transfers. Instead, the current legal landscape comprises a mixture of different laws, regulations and guidelines. Therefore, the compliance obligations involved – and the approach to enforcement – vary depending on the industry or the type of data involved.
As a starting point, personal data of Chinese citizens that is handled in information systems by private sector organisations can be transferred outside of China provided that explicit consent is obtained from data subjects (or if express authorisation from relevant authorities is obtained, or specific laws permit the transfer). This is set out in a guideline drafted under the guidance of the Ministry of Industry and Information Technology so that, while not legally binding, it may be used as a base standard for compliance, and the Chinese authorities encourage compliance with it.
Other rules and regulations require organisations more generally to obtain consent from individuals before their personal data is handled and disclosed (within and outside China). These include rules relating to personal data of consumers (under consumer rights laws); Internet users (under telecoms and Internet laws); and employees (under employment laws, by which employers must get employees’ written consent to disclose their personal information to third parties).
But some prohibitions
However, for some industries and some data there are specific requirements to keep the data on servers within the People’s Republic of China. For example:
- Some Chinese industry regulators prohibit the offshore transfer of certain personal data. For example, transfers of “personal financial information” by banks, and of “personal health information” by certain organisations within the healthcare sector, are not permitted.
- Personal data constituting “state secrets” should not be transferred outside of China.
- The draft PRC Cyber Security Law, issued in July 2015, requires “key information infrastructure operators” to store Chinese citizens’ personal information and other important data gathered and produced during operations within the territory of the People’s Republic of China. The draft law suggests cross-border transfers of such data may be permitted if required for operational reasons, provided the organisation complies with security measures (to be) formulated by the relevant authorities. Detailed guidance is awaited as to how this would be interpreted in practice.
In light of uncertainty over the legal environment in China, foreign organisations should consider the following:
- Identify the personal data within your China operations that you would like to transfer outside of China, and ascertain whether it falls within the classes of data that should not leave China. If appropriate, consider data segregation.
- For personal data not subject to absolute prohibitions on data transfer, obtain explicit consent from data subjects before transferring the data.
- For data that is required by law or regulations to stay in the People’s Republic of China, server localisation may be the only practical solution, whether by establishing local data infrastructure or via third party solutions.
- According to some regulators, encryption and anonymisation are currently not considered to be adequate practical workarounds to the data transfer rules, because of the risk of de-encryption or re-identification. This may change, but for now do not assume you can rely on these.
- Put in place appropriate data security safeguards and data use and retention policies to ensure that personal data transferred overseas remains compliant with relevant Chinese data protection rules.
There is a growing body of regulations requiring certain data within specific industries/organisations to be retained within the borders of the People’s Republic of China. However, this must be assessed on a case by case basis, as in many circumstances obtaining individuals consent may well be sufficient provided that the data does not involve national secrets or violate national security. Where transfer prohibitions apply, compliance strategies should be carefully considered in light of potential enforcement activities and sanctions. Unfortunately there is not always clear guidance on how the rules will be interpreted and enforced in practice, and so any compliance programme in China should be kept under regular review.