PRC's New Data Export Rules: 'Adequacy with Chinese Characteristics'?
(2017) 147 Privacy Laws & Business International Report 9-12
8 Pages Posted: 30 Aug 2017 Last revised: 13 Jul 2018
Date Written: June 26, 2017
China’s draft Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country (Draft for Public Comment) are intended as an implementing regulation for the PRC Cybersecurity Law (in force, July 2017). The Cybersecurity Law also contains a data localization provision requiring certain “Key Information Infrastructure Operators” (“KIIOs”) to store on PRC servers all personal and “important” data collected through their China operations.
These draft measures demonstrate a uniquely Chinese take on data export restrictions, one encompassing not just an individual’s personal right to privacy, as in the EU, but also China’s recent adoption of the principle of cyber-sovereignty - the right for all countries to have jurisdiction and control over data flows occurring within their borders.
This approach has raised concern for foreign companies operating in China over fears that the laws may be used to require them to turn over sensitive data or IP to state authorities upon request. In this article we detail the progressive implementation of China’s data localization/data export measures through further examination of the Cybersecurity Law and the draft Security Measures, and conclude with some general observations about the relationship between China’s approach and the EU’s ‘adequacy’ approach to data exports. It can be argued that, if China is to have a data privacy law of international standard, that requires a rule concerning personal data exports which is applicable in all situations. When these measures are finalised, China will have such a rule, like the EU and most other countries with data privacy laws. It would be inaccurate to refer to ‘adequacy with Chinese characteristics’, but it helps to put these Chinese developments in perspective.
Keywords: China, PRC, cybersecurity, data protection, privacy
Suggested Citation: Suggested Citation