The Standing Committee of the National People’s Congress of China enacted a new Cybersecurity Law in November 2016. The final Cybersecurity Law will apply to many multinational companies starting June 1, 2017.

Under the new law, operators of key information infrastructure (which may include multinational companies) are subject to a data localization requirement, under which they must retain, within the territory of China, critical and personal information which they collect and produce during their operations in China. They may still be able to transmit this information overseas, but only after undergoing and passing a security review. In addition, when operators of key information infrastructure procure network products or services that may affect national security, a national security inspection is required. Operators of key information infrastructure will also be required to undergo a network safety assessment at least once a year.