Cross Border Data Flow Control in China

The Chinese Cyber Security Law (CSL) has beenimplemented on June 1st and now we’re about 6 months in.

As a refresher, it was developed because Chinahad basically no legal framework for protecting data: personal data, important data.

They had no cyber security regulations.

Their state-owned sector, the government agencieswere basically employing zero to little information security and cyber security practices, sothere was a real need for the Chinese government to develop a framework to protect some ofthe critical industries and personal information.

So it’s understandable why it was implemented.

In fact it’s really a global phenomenonwhat’s happening with cyber security rules and data privacy rules.

China is not the first country to do so andcertainly won’t be the last either.

The first thing that came out was the lawitself, and subsequently we’ve seen a bunch of implementing regulations that are kindof filling in the gaps.

The law is quite vague and broad.

We call it the omnibus law.

It covers issues ranging from cyber securityto data privacy to data protection to content.

Now we’re seeing the implementing regulationsfilling in the gap.

They are coming out and will continue to comeout for the next year and half.

The head agency in charge of the CSL is theCyberspace Administration of China, CAC.

CAC has stipulated that the industry regulatorsare supposed to develop industry specific regulations, such as the China Food and DragAgency, the Ministry of Industry and Information Technology, etc.

They are all now responsible for developingtheir own industry specific cyber security regulations, which makes sense, because they’llknow the actual issues facing their industries.

So we expect, within the next 6 months toa year, a whole additional flurry of activity that’s specific to industry.

Another key point we’ve seen over the past6 months is the emergence of the police.

The Ministry of Public Security is the keyenforcer of the CSL.

They announced a campaign back in March (2017) thatthey were going to meet with party, government, industry to review their cyber security situation,and certainly they’ve been issuing thousands of rectification notices.

Anecdotally they have approached foreign companiesas well.

CSL has a data component and it is that criticalinformation infrastructure has to localize personal and important data to China.

We’ve got more details in the implementingregulations for what’s considered as important data.

But from a personal standpoint, personal datais any data that can identify a natural person either by itself or with another piece ofdata.

I won’t go into too much detail about thepersonal aspect.

But for important data, there’s been animplementing regulation that has come out and it’s still in draft form.

It’s expected that the finalized versionwill come out by the end of this year (2017), although that’s not guaranteed.

It has listed 27 or so industries and what’sconsidered important data to them.

So the CAC officials have said that importantdata is not data that’s important to business but data that’s important to the government.

So it’s data that they consider from a nationalsecurity standpoint to be sensitive.

And if you read through the appendix thatlists what is important data for these industries, it’s certainly data that the Chinese governmentwould consider sensitive.

For example, for the chemical industry, theylisted data about where the chemical factories are located, or their layout, and this isdirectly linked to the huge chemical factory blast in Tianjin.

I highly recommend companies go read thatappendix, and you can start getting your own sense, if any kind of data that you have asa company could be considered sensitive from a national security view in the eyes of theChinese government, because that data is now subject to cross border data flow regulations.

It’s possible that data would have to bereviewed before it gets out of China by an industry regulator.

In recognition of the potential impact onbusiness because of the cross border data flow guidelines and regulations, the governmenthas given a grace period for companies to be compliant till December 31, 2018.

The actual finalized version of the crossborder data flow guidelines is supposed to be out by the end of this year (2017).

Certainly if they’ve given a grace periodonly till 2018 they would have to have this out soon.

So we’re hoping by the end of this year (2017)we’re going to have a finalized draft.

The grace period of a year and half is recognitionthat it will take companies a long time to sort out where their data is, what kind ofdata they have, where it’s stored.

And then if it’s potentially not compliant,start preparing for localization.

This will take several months.

Companies should therefore, if they haven’tstarted doing this process, start now! Basically you need to map out the data.

What kind of data do you have? Where is it stored? Is it flowing from China to Canada? Or even flowing from Canada to China? If you do have so called important data that’spotentially sensitive from a national security standpoint, we’re recommending you seriouslyconsider localization, because this is a priority of the administration, and this law is heavilyinfluenced by national security considerations, and frankly it’s not going away.

A concrete example would be a Canadian companythat is receiving data from China, from a Chinese client or Chinese customer, analyzingthe data and sending it back, that’s considered a cross border data flow in the eyes of thegovernment.

The question for that company would be thedata received from China, is that regulated now because of the CSL? Is it either important data, or personal data? Personal data is easier to understand, butfor important data, this is tricky.

As I mentioned before, there’s a guidelinethat has spelt out for various industries what’s considered as important data, andthat’s a really good starting point to see if anything you have might be considered important.

To make plans for localization is tricky,and it’s going to require having a server here in China, and I think it’s going torequire having a presence in China too, because even having a piece of the Chinese cloud,if you’re looking at that data from Canada, even though it’s stored in China, that’salso considered a cross border data transfer flow.

That’s not alleviating their national securityconcern that a foreigner is looking at that data which is considered important.

It’s going to be costly, frankly, for somecompanies to be compliant in this respect.

The Chinese government is aware of that, andthis has been raised to them several times.

Frankly their answer is that not that theydon’t care, but this is a priority for them and this is moving forward.

Source: Youtube