Printer Friendly, PDF & Email

Who's responsible for what here? Questions surround updates made to China's Cybersecurity Law

In the two years since China’s Cybersecurity Law (CSL) has officially been in force, companies doing business in China have adopted a “wait and see” attitude toward a number of provisions in the law. Chinese authorities have made tweaks and changes to the law over the past 18 months, including arguably the most anticipated draft measure, Second Draft Measures on Security Assessment for Export of Personal Information, released on June 13. The Second Draft Measures are open for public consultation until 13 July 2019. An unofficial translation of the draft can be read here.

These measures address the data localization and data transfer provisions of China’s Cybersecurity Law, provisions that foreign companies active in China feared could lead to the loss of business secrets to competitors or to the Chinese authorities themselves. The article in question, Article 37, reads as follows:

Critical information infrastructure operators that gather or produce personal information or important data during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State cybersecurity and informatization departments and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, follow those provisions.

There have been a few key changes to the language that companies should be aware of.

This document is only available to subscribers. Please log in or purchase access