Page 8 - The South China Business Journal
P. 8
pth

The Concerns and control and jurisdiction over cross-border
Consequences data.4 Several foreign firms operating in China
for Businesses on are unsure of how and where to store their
Data Cross-border data, while staying compliant with PRC law.
with the New Therefore, the procedure raises and remains a
big concern for foreign companies that the law
Cybersecurity Law may require them to turn over sensitive data
or IP to state authorities upon request.5 The
in Effect Chinese government has expressed that the
exclusion of foreign-owned security technology
By Alain Joyal MBA, Sr. Vice President, GOIP AULA Ltd is required for the control, protection and
stability of its IT sector.
On November 2016, the Cybersecurity Law was implemented
in China under President Xi Jinping’s administration. In As of the publishing of this article, it remains
2014, Xi Jinping stressed that a unilateral and comprehensive unclear whether the law’s final draft will
approach to network security is mandatory for turning China include all that was stipulated last May. The
into a “cyber power”.1 More recently, on June 1st 2017, the draft and other measures were included with
Cybersecurity Law was reinforced and has certainly slowed the new regulation, however it has not yet
down foreign businesses and operations as it requires quite been clarified. It was initially meant to be
some time to get familiarised with the new additions to the official with the cybersecurity law that came
law. From a day-to-day standpoint, it is rather complicated for into effect on June 1st, but the government
foreign businesses to operate in compliance with the new set of has not yet confirmed, nor indicated officially
regulations in China. Companies are criticizing that these laws that it is the final draft. The Cybersecurity
put them at a disadvantage and they need to assume a higher cost administration of China has only mentioned
of operation for cross-border data and virtual private network that the implementation of the regulations
(VPN) access. For many companies in China, sharing cross-border will be effective within a year.6 However, in the
data with their foreign offices or HQs is a necessary component interim, it is suggested companies operating in
to conducting their business. The law includes data localisation China should assume the Cybersecurity Law is
facilities, which requires certain “Key Information Infrastructure in effect and follow it accordingly.7 The current
Operators” (KIIO)2 to store companies’ personal and essential draft is so far the only indicator on what the
data relating to their China operation on Chinese servers.3 The final law may be. It is being speculated that the
recent cyber-sovereignty agreement on data export restrictions content of the draft is still being negotiated
reflects a general increase in data localization measures occurring with industry stakeholders from foreign and
throughout the world and gives the right for all countries to have domestic companies.8

1 Shackelford S., PhD., Russell S., Kuehn A., Defining Cybersecurity Due Diligence Security Assessments Necessary for Overseas Data Transfer
Under International Law: Lesson From Private Sector., Chapter 16,.Electronic copy
available at: http://ssrn.com/abstract=2594323 In general, network operators are allowed
2 These KIIO are sometimes referred to as “Critical Information infrastructure to self-assess the cross-border transfer based
Operators” depending on how the first term (guanjian) is translated. on the ‘type, volume and sensitivity’ of the
3 Greenleaf G., Livingston S., (2017) 147 Privacy Laws & Business International data.9 Network operators are then instructed
Report 9 [2017] UNSWLRS 69. PRC’s NEW DATA EXPRT RULES: ‘ADEQUACY WITH to review the security transfer whenever there
CHINESE CHARACTERISTICS’? UNSW Sydney NSW 2052 Australia. is a “large change in the purpose, scope, type
or volume of the cross-border transfer data,
6 AmCham South China or when the data recipient has changed or has
experienced a significant security incident.”10 In
any of the circumstances just mentioned, the
network operator is required to submit a report

4 Ibid.
5 Ibid.
6 Greenleaf G., Livingston S., (2017) 147 Privacy Laws &
Business International Report 9 [2017] UNSWLRS 69. PRC’s
NEW DATA EXPRT RULES: ‘ADEQUACY WITH CHINESE
CHARACTERISTICS’? UNSW Sydney NSW 2052 Australia
7 Ibid.
8 Ibid.
9 Greenleaf G., Livingston S., (2017) 147 Privacy Laws &
Business International Report 9 [2017] UNSWLRS 69. PRC’s
NEW DATA EXPRT RULES: ‘ADEQUACY WITH CHINESE
CHARACTERISTICS’? UNSW Sydney NSW 2052 Australia.
10 Ibid.
   3   4   5   6   7   8   9   10   11   12   13