PRC's New Data Export Rules: 'Adequacy with Chinese Characteristics'?

(2017) 147 Privacy Laws & Business International Report 9-12

UNSW Law Research Paper No. 69

8 Pages Posted: 30 Aug 2017 Last revised: 11 Oct 2017

Scott Livingston

Simone IP Services (SIPS)

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: June 26, 2017

Abstract

China’s draft Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country (Draft for Public Comment) are intended as an implementing regulation for the PRC Cybersecurity Law (in force, July 2017). The Cybersecurity Law also contains a data localization provision requiring certain “Key Information Infrastructure Operators” (“KIIOs”) to store on PRC servers all personal and “important” data collected through their China operations.

These draft measures demonstrate a uniquely Chinese take on data export restrictions, one encompassing not just an individual’s personal right to privacy, as in the EU, but also China’s recent adoption of the principle of cyber-sovereignty - the right for all countries to have jurisdiction and control over data flows occurring within their borders.

This approach has raised concern for foreign companies operating in China over fears that the laws may be used to require them to turn over sensitive data or IP to state authorities upon request. In this article we detail the progressive implementation of China’s data localization/data export measures through further examination of the Cybersecurity Law and the draft Security Measures, and conclude with some general observations about the relationship between China’s approach and the EU’s ‘adequacy’ approach to data exports. It can be argued that, if China is to have a data privacy law of international standard, that requires a rule concerning personal data exports which is applicable in all situations. When these measures are finalised, China will have such a rule, like the EU and most other countries with data privacy laws. It would be inaccurate to refer to ‘adequacy with Chinese characteristics’, but it helps to put these Chinese developments in perspective.

Keywords: China, PRC, cybersecurity, data protection, privacy

Suggested Citation

Livingston, Scott and Greenleaf, Graham, PRC's New Data Export Rules: 'Adequacy with Chinese Characteristics'? (June 26, 2017). (2017) 147 Privacy Laws & Business International Report 9-12; UNSW Law Research Paper No. 69. Available at SSRN: https://ssrn.com/abstract=3026914

Scott Livingston

Simone IP Services (SIPS) ( email )

25th Floor, 3 Lockhart Road
Hong Kong
Hong Kong

Graham Greenleaf (Contact Author)

University of New South Wales, Faculty of Law ( email )

Sydney, New South Wales 2052
Australia
+61 2 9385 2233 (Phone)
+61 2 9385 1175 (Fax)

HOME PAGE: http://www2.austlii.edu.au/~graham

Register to save articles to
your library

Register

Paper statistics

Downloads
94
rank
248,503
Abstract Views
267
PlumX