Quick Take | Foreign firms watch out, Beijing may require you to leave China data in China
The Cybersecurity Law will apply to any company dealing with China – and infringing it can get you fined, detained, or even imprisoned
China’s controls on data flows in and out of the country are likely to become even stricter, as shown by draft measures issued last month. Companies in China are already required to store data on local servers, but the new rules appear to require any company doing business with a Chinese entity, even those based overseas, to leave China-related data in China. Like Wolf Warrior 2, China is reaching out beyond its borders – and this matters to any company dealing with China, because infringing the Cybersecurity Law could get you fined, detained, or even imprisoned.
Most multinational companies are aware of the law, the text of which was finalised and issued in November 2016, and has been in force since June. It was assumed by many (including the compliance teams at GE, HSBC, and Morgan Stanley) that the final implementing regulations would be less onerous than the law suggested. Surely the Chinese regulatory authorities would not seriously expect international companies to store all the data of their Chinese subsidiaries in China? That would make no sense, since it would mean global management would be unable to administer their Chinese staff, and global CFOs would not be able to receive financial data without special approvals.
Well, implementing regulations have been issued piece by piece over the past few months, and suggest that the Cyberspace Administration of China (CAC) meant what they said last year. There are no exemptions, no relaxations – and the most recent draft regulation makes the application of the law even broader than before.
What’s drawing Chinese internet giants to Indian, Southeast Asian tech scenes?
It was previously hoped this would only be imposed on operators of “critical information infrastructure”. But it appears this is no longer the case. In April 2017, draft “Measures on Security Assessment relating to Export of Personal Information and Important Data” were issued, providing that all personal information and “important data” collected and generated by “network operators” must be stored within China. “Network operators” is so broadly defined that it covers pretty much any company that stores data on linked computers.
WATCH: China gets a new cyber censor-in-chief
