“Forewarned Is Forearmed” - The Rise of Chinese Data-Flow Restrictions
Manufacturers with operations, employees, and/or customers in China must be aware of a long list of China-specific data-flow and content restrictions. Data-flow restrictions in particular affect manufacturers employing or launching mobile apps and other IT initiatives, both internal and external. Manufacturers must be very sensitive to China’s rules and guidelines restricting data flow, as these can affect plans for data storage, transmission and even analysis.
American industry associations have called upon China to openly discuss changes to its data-flow rules. These associations argue China’s rules are “overly broad, opaque, [and a] discriminatory approach to cybersecurity policy.” According to the associations, the Chinese rules may, among other things, require companies to divulge sensitive intellectual property and restrict cross-border flows of commercial data. Chinese entrepreneurs have reportedly marketed Chinese-developed replacements for foreign technology, which validates U.S. industry concerns.
While U.S. government and industry negotiators continue to push for resolution of industry concerns, manufacturers utilizing or implementing cross-border data flows must adjust their plans to enjoy continued business success, minimize business continuity risks, and even avoid criminal liability in China.
Personal Data Privacy. China’s personal data privacy laws and guidelines have been expanding over the last few years in particular. These include provisions referencing data-flow restrictions.
For instance, according to the Information Security Technology – Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services (GB/Z 28828-2012), Section 5.4.5, “without express consent of the subject of personal information, the express requirement of any law or regulation, or the consent of the competent authority, a personal information administrator should not transmit personal information to any overseas personal information recipient, including an individual located abroad or an organization or institution registered abroad.” This provision underscores a trend, albeit in the form of a national “guiding” [指导] standard, toward personal information data-flow restrictions. The authors note from experience that such standards should not be dismissed when considering compliance obligations and risks. The reasons include that such standards influence future laws on this subject and that conformity with them may be made mandatory through other legal norm-creating measures.
As many U.S. manufacturers often collect personal information during their normal business operations in China, they should factor into their planning the potential for restrictions involving the transmission of personal information to servers abroad.
Healthcare Information and Patient Privacy. Measures issued last year potentially apply to a vast array of health information which medical, healthcare and family planning service agencies of all types and at all levels generate within China while providing services or managing healthcare operations. These measures prohibit storage of such information “in overseas servers, [or in] hosted or rented overseas servers.” Thus, medical device manufacturers and pharmaceutical companies must be careful not to run afoul of these rules while transacting business in China or with healthcare companies and organizations operating in China.
Criminal Liability. In the draft 9th Amendment to the Criminal Law, China has proposed criminalizing unauthorized “sale[s] or offers to sell personal information obtained…during the provision of services.” If enacted, the text would explicitly expand the scope of such criminal liability under the version of the Criminal Law currently in effect, which limits the persons subject to the crime to employees of specified and other industries.
The possibility of criminal sanctions tied to unauthorized sales associated with personal information transfers adds teeth to an already expanding array of personal information protection measures.
National Security. Under the proposed Counter-Terrorism Law of the People’s Republic of China, domestic and foreign companies, including foreign manufacturers operating in China, would need to store customer data on Chinese servers and provide technical interfaces and encryption keys to public security agencies. National security issues driving China’s restrictions on data flow and content are not limited to this proposal. The proposed National Security Law of China introduces, in proposed Section 26, the concept of “internet sovereignty,” which essentially provides that a country has the right to determine what data flows in and out of its territory. Existing Chinese laws, such as the State Secrets Law of the People’s Republic of China and Foreign Trade Law of the People’s Republic of China, also address these issues for company data flow and content restrictions.
Financial Information. China recently temporarily suspended the implementation of new banking sector Guidelines that would require companies which provide IT equipment to Chinese banks to, among other things, turn over source code. Specifically, goals indicated in the Guidelines included substantially increasing financial institution use of “safe and controllable” information technology by the end of 2019. Manufacturers providing such equipment to the banking sector must be wary of revealing trade secrets or other confidential information.
Much of the promise for Internet-based and other technology innovations used in manufacturing is based on predictable and reliable data flow and globally accepted standards to address security improvements. Monitoring data-flow restrictions such as those described above is therefore an increasingly important aspect of manufacturer compliance and risk management for China. Some manufacturers may even use these examples to strengthen their advocacy and perspectives brought to the negotiating table.
For further information on these restrictions and a list of selected laws and guidance documents associated with this summary, please refer to the attached PDF.