China's Second Draft Cybersecurity Law's Expanded Data Localization Requirement

By Tiana Zhang, Jodi Wu, Sally Han and Mike He
October 14, 2016

Cybersecurity has remained a priority for the Chinese government in 2016. Following closely on the heels of the enactment of the National Security Law and the Anti-Terrorism Law, the second draft of the Cybersecurity Law was released for public comment on July 5, 2016. Although still in draft form, when it is adopted, the Cybersecurity Law will impose a number of requirements on companies with business operations within the territory of China that have been subject to heated discussions among multinational companies (MNCs). This article provides a review of a significant amendment in the second draft of the Cybersecurity Law that could have a substantial impact on MNCs' China operations: the expansion of the law to require the storage of a broad array of personal and business information within China.

The Expanded Data Localization Requirement

The first draft of the Cybersecurity Law included a data localization requirement that was relatively limited in scope with respect to both the type of companies that would be subject to the requirement and the type of data that had to be stored within China. Despite these limitations, private industry, including the MNCs, expressed concerns about the lack of clarity regarding the scope of the requirement. Instead of paring back the data localization requirement or clarifying its scope, as hoped for by MNCs, the second draft Cybersecurity Law goes even further than the original proposal, expanding the data localization requirement to an even broader set of companies and data.

The data localization requirement in the second draft requires critical information infrastructure operators (CIIOs), an ambiguously defined term, to store both personal information and “important business information” collected or generated while conducting business in China. If adopted, this data localization requirement may restrict the ability of MNCs to transfer or export data collected and generated as part of their routine business operations outside of China.

It should be noted that, like the first draft law, the second draft provides that if there is a genuine business need to transfer personal information and important business data outside China, companies must go through a “security assessment” conducted by Chinese network information administration authorities. The law delegates responsibility for defining the requirements of the security assessment to the State Council, the country's highest governmental body.

Expanded Definition of CIIOs

The Cybersecurity Law limits the data localization requirement to CIIOs. The first draft law provided examples of companies that fall within the definition of CIIOs. These examples included companies that provided network infrastructures for: 1) public telecommunications and media broadcasting; 2) key industries, such as energy, transportation, water resources, finance, etc.; 3) public services, such as the supply of electricity, water, gas, health care and social security services; 4) military and government agencies above the municipal level; and 5) network services used by a “very large” number of users.

The second draft completely replaced these examples with a general and ambiguous definition of CIIOs that could be interpreted to apply to an even broader scope of companies. The second draft defined CIIOs to include any company that maintains systems that, if destroyed, disabled, or attacked “might seriously endanger national security, national welfare and the people's livelihood, or the public interest.” However, the second draft law provides no detail regarding what constitutes “national security, national welfare, and the people's livelihood, or the public interest,” and under what circumstances “national security, national welfare, and the people's livelihood, or the public interest” might be endangered. Other Chinese laws and regulations also provide no clarity on these topics. Instead, the second draft law delegates the responsibility for further defining the scope of CIIOs, i.e., what companies must comply with the data localization requirement, to the State Council.

The lack of clarity regarding the definition of CIIOs puts multinational companies in a difficult state of limbo regarding whether or not they need to comply with the data localization requirement.

Addition of Undefined 'Important Business Information'

In addition to the lack of clarity regarding what companies will be subject to the data localization requirement, there is additional ambiguity regarding what information is subject to the requirement. The data localization requirement in the first draft Cybersecurity Law applied to “important data collected or generated in [the CIIO's] operations, such as citizens' personal information.” Although broad on its face, the data requirement appeared to be focused on “citizens' personal information.” Many hoped that the second draft law would clearly limit “important data” to personal information. Instead, the new draft adds an additional category of data, “important business information,” to the types of data that must be stored within China. “Important business information” is a broad term that is left undefined and could apply to anything ranging from financial forecast data to trade secrets to strategic plans regarding a company's China operations. Further, the second draft does not specify whether the definition of “important business information” will be clarified in other laws and regulations.

Increasing the Stakes of Violations

For MNCs that are concerned about the seemingly expanded restrictions imposed by the prospective Cybersecurity Law, another critical change in the new draft is the inclusion of more concrete consequences for violations. The second draft adds a new requirement that administrative decisions for violations of the Cybersecurity Law must be made public and included in the entities' credit history.

This is the first time that the Chinese government has formally required the publication of penalties on cybersecurity-related issues. In addition, although currently not directly linked to the data localization requirement, the second draft provides that the legal representative or other key individuals associated with a company might be interviewed by Chinese authorities in the case of cybersecurity-related incidents or when a network is exposed to high risks. The second draft remains unclear regarding how such interviews should be conducted and under what circumstances companies can expect to be investigated.

What to Expect Next

The draft Cybersecurity Law must still go through another round of review by the legislative body, which meets every two months, before being formally enacted. Although the legislative body did not review the law during its most recent meeting on Aug. 29, 2016, cybersecurity legislation has remained a top priority for the Chinese government in 2016. Many observers and experts predict that the final version of China's Cybersecurity Law will be issued soon, and possibly before the end of the year. Whether or not the data localization requirement remains part of the law is a question that all companies, including MNCs, will watch carefully in the coming year.


Tiana Zhang and Jodi Wu are partners in the Shanghai office of Kirkland & Ellis International LLP. They advise clients on government enforcement matters, internal investigations, and cross-border litigation. Their main practice areas include anti-corruption, antitrust and data security. Sally Han is an associate and Mike He is a foreign legal consultant in the firm's Shanghai office.
