Foreign Firms May Be Required to Leave Data in China
Source: South China Morning Post, Nicolas Groffman
Companies in China are already required to store data on local servers, but the new rules appear to require any company doing business with a Chinese entity, even those based overseas, to leave China-related data in China.
Infringing the Cybersecurity Law could get you fined, detained, or even imprisoned.
China’s controls on data flows in and out of the country are likely to become even stricter, as shown by draft measures issued last month.
Most multinational companies are aware of the law, the text of which was finalised and issued in November 2016, and which has been in force since June. It was assumed by many (including the compliance teams at GE, HSBC, and Morgan Stanley) that the final implementing regulations would be less onerous than the law suggested.
Surely the Chinese regulatory authorities would not seriously expect international companies to store all the data of their Chinese subsidiaries in China? That would make no sense, since it would mean global management would be unable to administer their Chinese staff, and global CFOs would not be able to receive financial data without special approvals.
Well, implementing regulations have been issued piece by piece over the past few months, and suggest that the Cyberspace Administration of China (CAC) meant what they said last year.
There are no exemptions, no relaxations – and the most recent draft regulation makes the application of the law even broader than before.
In April 2017, draft “Measures on Security Assessment relating to Export of Personal Information and Important Data” were issued, providing that all personal information and “important data” collected and generated by “network operators” must be stored within China. “Network operators” is so broadly defined that it covers pretty much any company that stores data on linked computers.
In July, the CAC issued further regulations on the definition of Critical Information Infrastructure, and in August, the guidelines from May were re-released, supposedly to take account of the comments received on the first draft.
Comments from multinationals and foreign chambers of commerce in China were either ignored or had been prepared incompetently, because the second draft takes no account of the complaints made by foreigners. More surprisingly, the draft contained a provision for the rules to apply to companies outside China.
A company that is not registered in China but that conducts business in or provides products or services to China must also be deemed as conducting “operations within the territory of China” and is covered by these regulations.
Clause 3.2 of the regulations provides that a company with the following attributes might be considered to be doing business in China and therefore covered:
• If it has a website in Chinese,
• If payment can be made in Chinese currency, and
• If it will deliver commodities to China.
With these regulations, the Chinese authorities are thus doing what many legal advisers have always maintained China does not do, which is to apply its rules to overseas companies with no presence in China.
The one bright spot is that in many circumstances, an affected company can conduct a self-assessment to avoid the need for government assessment. In other respects, we can pin our hopes on the final version of the regulations removing some of the more intense provisions. But if the past twelve months are anything to go by, that is not going to happen.