The Chinese Cybersecurity Law: The Impacts on Multinational Organizations Operating Communities in China

Posted by Luc Vezina on Mar 7, 2019 10:17:32 AM

5 minute read

Chinese Cybersecurity Law CSL

In 2017, China introduced a new law that regulates the governance of data for companies operating in China: the Cybersecurity Law (CSL). This article aims to provide you with a brief overview of common questions regarding the CSL in relation to community forums operating in China for Chinese nationals.

The key questions that will be addressed are as follows:

  1. How is the GDPR different than the Chinese privacy laws?

  2. Can I store this personal data outside of China?

  3. Can I transfer personal information outside China?

  4. What type of data can be transferred outside of China?

 

How is the GDPR different than the Chinese privacy laws?

The best way to tackle this first question is through a comparative table, which illustrates the similarities and differences of the two.

GDPR versus CSL
Similarities Differences

Requests: Individual can requests to have their personal data/ information deleted or amended

Consent: Consent must be freely given by individuals in order to collect their personal data/ information and must be aware of the use of their data

Definition of Personal Data: The definition of what constitutes “personal data”

Fines: In the case of a violation of the laws, both require the organization in question to pay a fee, though the fees for violating the GDPR are usually higher

Scope of Data: The GDPR is only concerned with personal data/ information, whereas the CSL is also concerned with “important data,” the definition of which, is deliberately left ambiguous

Assessment Framework: The CSL has a two-tier assessment framework, whereas the GDPR only has one (Data Protection Impact Assessment). In the CSL two-tier framework, the Cyberspace Administration of China (CAC) can conduct a review at any point at their own discretion

Data Localization: The CSL requires all data collected in China to be stored in China (data localization) whereas the GDPR does not

 

Can I Store Personal Data of Chinese Citizens Outside of China?

The simple answer: no.

One of the major aspects of the CSL is the data localization requirements; ultimately, data that is collected in China must remain stored in China.

The Cyberspace Administration of China (CAC) who crafted the CSL added a provision, namely Article 37, to restrict the free-flow of data across borders. All organization whose operations fall under the jurisdiction of the CSL are required to submit security checks and store their user data in China. The localization of data means that law enforcement and intelligence services in China will legally have access to all of its contents.

Given these localization requirements, some communities may be faced with a dilemma; back out of the largest retail market in the world, or pay for the cost of data localization. There are a number of different cost factors to consider if making the decision to localize data in China, including:

  • Determining whether new cloud services are needed to store data

  • Determining the operational costs associated with storing data in China

  • Whether new servers are needed to store this data

  • Whether new software and applications are needed

  • If using servers, determining a location for these servers to be stored in China

  • Whether an IT maintenance and support team is needed to manage these servers

Although personal data from China cannot be stored outside China, it is possible to have this data transferred outside China

Can I transfer personal information outside China?

In short, yes, however only if certain requirements are met, namely:

  • Obtaining explicit consent from users

  • Undergoing a two-tier security assessment (and passing)

Personal data stored in China may be eligible for a cross-border transfer if the above qualification have been satisfied.

While the requirements guiding the transfer of data across borders are still being drafted, adequate conclusions about the content of the regulations can be determined based on the draft versions that have been released to the public.

User Consent

First and foremost, before being permitted to transfer across borders, organizations must ensure they have user consent. It has been recommended to adopt a check box which is not checked by default in order to obtain this consent. Implicit consent is not acceptable. Users must also be notified as to the purpose of collecting this information, and what the organization intends to use it for.

Two-Tier Security Assessment

Next, in order to qualify for a cross-border data transfer, all organizations must undergo a security assessment conducted by either itself or by a third party. In most cases where data transfers happen frequently to their foreign parent company headquarters, this only needs to be done once a year.

As part of this assessment, organizations must disclose the purpose for the transfer, the scope of the information, the consent given by users and the country/ region that the data is being transferred to.

According to the Guidelines, the security assessment is a five step process:

  1. Initiate self-assessments

  2. Determine plans for data export

  3. Assess the lawfulness, appropriateness and risk of the data export plans

  4. Generating assessment reports

  5. Revise the data export plan and security measures on an annual basis

After the review, if the risks associated with a cross-border data transfer are found to be “high” or “very high,” it’s likely that the data transfer will not be permitted.

Further, because the assessment process is a two-tier process, the CAC can review the assessment report at any time, at their own discretion. It’s therefore imperative that each assessment report is kept for two years in case of a review.

What type of data can be transferred outside of China?

Both “personal data” and “important data” can be transferred outside of China, if, after the security assessment, it is determined that there is little risk involved.

While the definition of “personal data” is uniform across many other data laws, including the GDPR, the CSL is unique in that it also includes a provision for “important data.”

“Important data” is deliberately ambiguous in its legal definition so that the CAC and authorities can make decision on a case-by-case basis. It can be broadly understood as referring to anything related to national security, economic and financial development or social and public interests. Some examples of what this data might include are:

  • Business information of the parent company

  • Data about the product or sales

  • Market research

  • Any financial plans

  • Statistics of user behaviour generated from this data

The regulations that govern the legal transmittance of data across border applies to both personal and important data.

Conclusion

Ultimately, the decision to remain present in the Chinese consumer market comes with a number of challenges, however many companies are already making the moves necessary to remain in China.

Hopefully, this article has provided some direction to inform your decision regarding operating a community in China.  

Calculate your community ROI

Topics: Community, News

Related posts

Subscribe to the Community Corner Newsletter and get expert insight and analysis on how to get the most out of your online community every Friday.

Search this blog

Recent Posts

community playbook

Have an Article for Vanilla's Blog?

Send us an email to pr@vanillaforums.com with your topic idea and we'll circle back with our publishing guidelines.