China is not the first country to pursue data localization. Nigeria has required all subscriber and consumer data of ICT companies, as well as government data, to be stored locally within the country since December 2013. Germany requires telecommunication companies and ISPs to store data within its territory. Russia’s Federal Law No.242-FZ, in effect since September 2016, requires that all databases containing the personal data of Russian citizens be located in Russia. Australia, the Canadian provinces of British Columbia and Nova Scotia, and India also have laws that restrict data exportation within certain sectors, such as health and domestic governance. What is unique about China’s version of data localization, however, is its comprehensiveness. It covers not only personal data collection but also “important data” concerning “critical information infrastructure.” This phrasing effectively includes all major aspects of everyday life.
In particular, Chinese law uses a very broad definition of “critical information infrastructure.” In later wording this phrase was changed to “important data,” further broadening the regulatory scope. The law provides detailed explanations of the data localization regulation, but its broad terminology leaves room for unrestricted government intervention in any industry. This lack of restriction adds to, rather than appeases, the international business community’s concern about being surveilled by the Chinese government. In the meantime, the discrepancies between the official version of the regulation and the two updated drafts lead to confusion. As the official implementation of the data localization regulation has been delayed until the end of next year, how it will evolve remains a matter of speculation; what is known for sure is that China’s data localization will remain all-embracing, fulfilling China’s dedication to building cyber sovereignty.
Ever since Snowden’s NSA surveillance revelations in 2013, the Chinese government has emphasized strengthening information and cyberspace security. This effort was evident in the establishment of the Central Leading Group for Internet Security and Informatization in November 2013 – a policy formation and implementation body specifically in charge of cyberspace – as well as a general push for cybersecurity legislation. Consequently, following two drafts released in 2015 and early 2016 respectively, in November 2016 China officially issued its first comprehensive cybersecurity law. The law was to take effect on June 1, 2017.
The law has several highly controversial terms, such as Articles 24 and 61, which demand that all telecommunication service providers, including instant messaging services and SNS, require real-name registration from their users and pass the collected data to the government for law enforcement purposes. Among those terms, the data localization requirement is the most contentious. Hence, after a request made by a coalition of business lobby groups, the regulation governing cross-border data transfer was delayed and will be implemented at the end of 2018.
Article 37 of China’s Cybersecurity Law requires “critical information infrastructure” operators to store within mainland China all personal information and important data gathered or produced within the mainland territory; the definition of “critical information infrastructure” is introduced in Article 31 and includes, but is not limited to, “public communication and information services, energy, transportation, water resources, finance, public services, e-governance”. The law further requires a security assessment of the locally stored data if cross-border data transfer is necessary (Article 37).
The data localization requirement has been included in various pieces of Chinese Internet-related legislation. As early as 2011, China’s central bank issued a guideline requiring “financial information collected in China’s territory” to be “stored, processed and analyzed” within China’s borders. Similar measures appeared in the “trial guidelines” issued in 2014 regarding population and healthcare. The more comprehensive version of the data localization requirement was first mentioned in China’s Counterterrorism Law released in November 2014 and was incorporated in both drafts of the cybersecurity law.
In contrast to data localization within a specific sector, which is usually relatively well received, the new extensive data localization rule has drawn public criticism, especially from the international community. The second draft of the cybersecurity law in May 2016 prompted more than 40 business groups from the U.S., Europe, and Japan to jointly issue a statement asking for an amendment to the law, but this led to no result. Following the official release of the cybersecurity law, James Zimmerman, the chairman of the American Chamber of Commerce in China, also commented specifically on data localization, indicating that the rule “provide[s] no security benefits but will create barriers to Chinese as well as foreign companies,” because of the increased cost of investing in and duplicating their facilities in China.
In addition to the worry that this is a growing barrier to accessing the Chinese market, the vague wording and the absence of implementation rules for data localization are another concern. As Michael Chang, an executive with Nokia and vice president of the EU Chamber of Commerce in China, indicated, “there’s unfortunately a lot of confusion.”
In fact, in response to the confusion among the public, the Chinese government on April 11, 2017 released the draft Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data (“Draft Measures”) to solicit public comments, and on May 19 a revised second draft, the draft Information Security Technology-Guidelines for Data Cross-Border Transfer Security Assessment (“Draft Guidelines”), was released. Both drafts have made certain clarifications regarding the data localization rule. For example, with regard to the security assessment for cross-border data transfer, the Draft Measures clarify that companies are primarily responsible for self-assessment; they set out the conditions that trigger official review, such as having more than 500,000 data subjects or a data volume over 1000 GB (Article 9), and indicate that the official assessment should be completed within 60 days (Article 10). The Draft Guidelines go a step further and define terms used in the draft, including network operators, sensitive personal information, important data, and data desensitization (Article 3). Appendix A of the Guidelines contains a long list of sectors and types of information considered to be “important,” and Appendix B provides a relatively detailed method for evaluating the risk of data exportation and the necessity of government review.
Despite the Chinese authorities’ effort to elucidate the terms of the data localization policy, the ambiguity of the language used in the law and in the two updated drafts still leaves people guessing. One example is the use of incomplete enumeration in the drafts. The Draft Guidelines do offer detailed instructions about how to identify “important data,” such as Appendix A.13 governing geographical information, which uses numbers to prescribe the scale of maps; but when formulating the concept of “important data,” the Draft Guidelines declare in every section of Appendix A that important data “includes but is not limited to” the items listed.
Meanwhile, apart from the sectors identified in the Guidelines, the section on “Other” (Appendix A.28) points out that the Guidelines only “partially” present the relevant industries and sectors, and that the relevant agencies are responsible for making decisions beyond the Guidelines and for issuing updates in the future. In other words, although the Guidelines serve as a reference for companies to determine whether they hold “important information” and attempt to facilitate the process, the government has the final say and can intervene at any time it deems necessary.
Another bewildering element is the contradiction between the official Cybersecurity Law and the updated drafts. While Article 37 of the Law requires data localization only by “critical information infrastructure” operators, the Draft Measures and the Draft Guidelines modify the language and indicate that all “network operators” are obliged to comply (Draft Measures Article 2 and Draft Guidelines Article 3.1). Since the Measures and the Guidelines are only drafts, and the release date of the finalized versions is not known, who exactly is subject to the data localization requirement is unclear. If the Draft Guidelines were to become an amendment to the law instead of merely a non-binding guideline, the scope of the rule would extend from managing industries closely related to traditional security to a comprehensive penetration of society.
On the other hand, the adoption of the data localization regulation in China suggests that all foreign companies are required to cooperate with Chinese data centers for data storage. This measure is similar to the Russian government’s call for Russian and U.S. companies to move their data to Russian data centers following the implementation of its data localization law. Foreign investment in ICT industries is tightly restricted by the Chinese government. Since data center licensing is only open to investors based in the Mainland, Hong Kong and Macao, foreign tech companies such as Apple, Microsoft, IBM and Amazon can only work with Chinese data centers for data storage. This requirement has already provoked strong reactions among U.S. companies in China because of concern about intellectual property theft. Worries about surveillance also intensified as Apple began to store all cloud data in Guizhou-Cloud Big Data, a government-owned data center in Guizhou, in order to comply with the new law. While Apple emphasized that no back doors would be left for the government, the newly established working committee chartered by the Communist Party to “facilitate the progress of iCloud construction and deepen the cooperation with Apple” does not help ease the concern.
Nonetheless, not all data centers in China are owned by the government, nor are companies obliged to store their data in government-owned data centers. 21Vianet Group Inc., the data center operator that Microsoft has cooperated with since 2014 to support its Azure cloud service in China, declares itself to be a “third-party independent” data center; it also provides service to IBM’s Bluemix cloud service. Beijing Sinnet Technology, which provides internet data center service to Amazon’s cloud service AWS, is also privately owned. In other words, the Chinese government does not seem omnipotent in coercing companies to use government-owned data centers or in overseeing the data. Theoretically, privately owned data centers are independent of government influence and should be able to guarantee the security of the data stored in them. However, whether these data centers will be compromised under government pressure in the future remains an open question.
In conclusion, the free flow of information is one of the most noted features of the Internet. However, the cyber threats that accompany this data freedom also raise concern about the security of cyberspace. In order to address these threats and to maximize data security, data localization, the regulation that requires data to be stored locally in the country where it was collected and restricts cross-border data transfer in some cases, has been adopted by many countries and has become a trend spreading throughout the world. In line with its strengthened control of the internet, China has also stated its commitment to data localization in its Cybersecurity Law. Nevertheless, as China’s data localization regulation is the most comprehensive case in the world, how it will be implemented and to what extent it may affect transnational businesses in China remains an open question.