Strategies for Data Compliance in China | Executive Summary

Executive Summary

Target Audience for this White Paper

This paper is appropriate for medium to large corporations with significant business in the Chinese mainland, or plans to expand business in the Chinese mainland.

Corporations and the Chinese Market

The Chinese mainland offers substantial business opportunities for multinational corporations. It is the second largest economy in the world by nominal GDP and first by purchasing power parity. China’s GDP is larger than its next four competitors combined. China’s GDP grew at 5.2% in 2023 — far faster than most other economies of its scale. Business cases are often made on total addressable market or on market growth, and China is a leader in both.

However, there are also business risks associated with the Chinese market — among them, recent data laws and regulations.

The Cybersecurity Law was passed in 2017, followed by the Data Security Law, and the Personal Information Protection Law in 2021. These laws significantly changed the nature of doing business in China. Regulatory trends continue to become more stringent and complex at an increasing speed, including semi-annual reviews by the Cyberspace Administration of China.

Multinational companies are challenged to comply with these regulations in a timely manner. Enterprise IT projects can be significantly longer than the semi-annual periods of regulatory updates. In that time, companies are expected to:

- Classify all data, even that which does not go to China, including the level of sensitivity of that data
- Undergo a security assessment by the Cybersecurity Authority of China (this depends on the scale of the operation)
- Build and obtain approval on many technical and resource items, including:
  - Finding a legal approach to comply with Chinese regulations
  - Communicating with local regulators
  - Procuring software
  - Staffing a local team to ensure local compliance regulations are met
  - Setting up new services and configuring the relevant apps
  - Planning, testing, and executing a data and code migration
  - Onboarding users

Corporations need to choose strategies that are resilient to regulatory change, enable growth in the China market, and allow business alignment between their Chinese Mainland operations and the rest of the world. There are steps and strategies corporations can take now to conduct business in China while protecting customer data and addressing regulatory and legal concerns.

Overview of China’s Data Regulations

There are multiple overlapping laws and regulations related to the care and processing of customer data in the Chinese mainland, including the Cybersecurity Law (CSL) in 2017, the Data Security Law (DSL) in 2021, the Personal Information Protection Law (PIPL) in 2021, and the Cryptography Law in 2020. Similar laws and regulations are also present in Hong Kong and Macau.

[Figure: selective timeline of regulation on data and cyber, 2015 to 2024. Interval labels shown on the figure: ~13 months, ~7 months, ~24 months, 6 months, 6 months, ~14 months.]

China Cybersecurity Law (CSL)
- Mid of 2015: CSL (draft) published and opened for public comments. CSL was further modified based on the comments from public.
- Nov, 2016: CSL passed by the National People’s Congress.
- Jun, 2017: CSL enacted by the Standing Committee of the National People's Congress and went into effect.

Data Security Law (DSL)
- Jul 2nd, 2020: The Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment.
- Apr 29th, 2021: Released the updated draft for public comment.
- Jun 10th, 2021: Issued by the Standing Committee of the National People’s Congress of the PRC.
- Sep 1st, 2021: Came into effect.

Personal Information Protection Law (PIPL)
- 13th Oct, 2020: The first draft of PIPL was submitted to the National People’s Congress of the People’s Republic of China for review.
- 21st Oct, 2020: The National People’s Congress published PIPL (Draft) and invited public comment.
- 19th Nov, 2020: Closed public comment for PIPL draft.
- 30th Apr, 2021: The second draft of PIPL was released for public comment.
- 20th Aug, 2021: Issued by the Standing Committee of the National People’s Congress of the PRC.
- 1st Nov., 2021: Came into effect.

The Measure of CBDT Security Assessment
- 7th Jul., 2022: ‘The measure of CBDT security assessment’ and ‘standard’ issued by the CAC.
- 1st Sep. 2022: ‘The measure of cross-border Data Transfer security assessment’ came into effect.
- 28th Feb. 2023: Complete the cross-border data transfer material submission work by the end of Feb. 2023.

Regulation on CBDT* Standardization and Facilitation
- Sep, 2023: To clarify those business scenarios which do not need CBDT security assessment and government authorization. The regulation was published for public comments.

Regulations on Promoting and Regulating the Cross-border Data Flow
- Mar, 2024: Came into effect.

The laws not only apply to corporations within the Chinese mainland, but also to entities outside the Chinese mainland that are offering goods or services to individuals inside the Chinese mainland or monitoring their behavior (such as marketing and marketing analytics).

These regulations are complex, but there are a few key points:

- Personal information processed in the course of doing business in the Chinese mainland needs to be stored in China, above certain thresholds
- Consent is needed to process personal data
- Transfers of personal data outside of China require legal basis

There are a variety of measures in place to regulate cross-border data transfers (CBDT) of personal data, the protection of minors online, management of infrastructure security, processing of personal or sensitive data, collection of personal data, collection of data using mobile devices, and more. Depending on the scale and classification of data transfer, the data transfer would need to be pre-approved by regulators.

The interpretation and implementation of all of these regulations are frequently examined and refined.

Deciphering the Regulation Hierarchy

China has an overlapping matrix of data regulations and many companies find it confusing to know which laws apply to them.

Currently, the Chinese mainland data and cyber regulations can be broken down into four categories:

- National laws
- National regulations
- Industry regulations
- Regional regulations

The National People’s Congress passes laws applicable nationally, which have precedence over other laws and regulations. Next, regulations drafted by state councils and departments will add more detail to the national laws, followed by industry regulations drafted by industrial regulators, followed by regulations from regional regulators.

For example, as an auto manufacturer in Shenzhen, not only is your corporation affected by the Cybersecurity Law, but also by the national regulations that further define national laws, and also the regulations specific to your industry, and finally by the regulations in the regions where your corporation does business. All need to be considered in planning your data strategy.

[Figure: Enacted & drafted Chinese mainland data and cyber regulation]

National Laws (published by the National People’s Congress Standing Committee; applicable to all entities in China)
- Cybersecurity Law (2017.06.01)
- Data Security Law (2021.09.01)
- Personal Information Protection Law (2021.11.01)

National Regulation (published by the State Council of China and its subordinate departments; applicable to all entities in China)
- Measures on the Standard Contract for Cross-border Transfer of Personal Information (2024.03.22)
- Regulations on Promoting and Regulating the Cross-border Data Flow (2024.03.22)
- Measures for the Security Assessment of Cross-border Data Transfer (2024.03.22)
- Rules for Data Classification and Grading (published, will enact from 2024.10.01)

Industry Regulation (published by the industrial regulators such as Ministry of Industry and Information Technology; applicable to entities defined in specific regulation)
- Certain Provisions on the Management of Automobile Data Security (Trial) (2021.10.01)
- Guidelines for Data Classification and Grading in the Healthcare Industry (Trial)
- Measures for the Management of Data Security of Banking and Insurance Institutions (Draft for comments 2024.3.23)

Regional Regulation (published by the regional regulators such as provincial government; applicable to entities defined by specific regulation)
- Specification of Enterprise Data Classification Standards for China (Tianjin) Pilot Free Trade Zone (2024.02.07)
- China (Tianjin) Pilot Free Trade Zone Data Export Management List (Negative List) (2024.05.09)
- Measures for Classification and Grading Management of Cross-border Data Transfer in SHA Lin-gang Special Area (Trial) (2024.02.08)*
- General Data List of Scenarioization Cross-Border Data Transfer in SHA Lin-gang Special Area (Connected Car; Public Fund; LSHC - Trial) (2024.05.17)*

Planning Recommendations

Teams will need to carefully consider their time, dedication, resources, and budget if they plan to move forward. The consequences for mishandling data can be severe and costly. Laws and regulations surrounding data compliance in China overlap and are subject to revision and multiple interpretations. Keep track of restrictions as they may change while you’re planning or executing your strategy.

Depending on internal circumstances and goals, companies should consider these recommended steps:

- Scope the opportunity and the risk: Understand strategies for risk and determine which one your business will use.
- Identify the data and systems that need protection: Classify data and systems for their level of sensitivity. Plan for data remediation and data transfers as well.
- Formulate a localization strategy: Fit the strategy to needs and scale, and align it with compliance trends

Managing Opportunity and Risk

Corporations typically enter markets after qualifying the addressable market size, creating business plans, and doing due diligence. The target audience of this document has already scoped and qualified the opportunities, and many of the costs and risks.

In this section, we will assume that the market opportunity is significant, and share methods to reduce risk. As mentioned previously, the risks include civil penalties such as fines, market exclusion, and criminal penalties.

Strategies for Risk

There are multiple strategies for corporations to address business risk when considering conducting business in China. Three of the key strategies organizations employ when managing restrictions to the Chinese market are avoidance, acceptance and mitigation.

Avoidance is when an enterprise leaves the China marketplace for their competitors. For the vast majority of multinational corporations, the market size and market opportunity of working in China is too large for this strategy to be practical.

Acceptance of residual risk after mitigation is a common strategy, but the full penalties can be harsh. Individuals held responsible can be personally fined significant amounts of money, in addition to fees billed to the organization. Any income associated with the violations can be confiscated. Individuals held responsible can be sentenced to jail time of up to seven years and can be banned from doing business in China for a period of time. Tort liabilities also exist.

In July 2022, the Cybersecurity Authority of China (“CAC”) fined one company $1.2 billion, which was nearly 5% of the company’s total revenue. The global CEO was also personally fined, and the company was banned from adding new users while their mobile apps were removed from China mobile app stores for a period of time.

Mitigation primarily means implementing a long-term strategy that enables compliance with the laws and regulations and is robust enough to handle the ongoing evolution of those regulations. Technology and operational processes play an important role in mitigating risk — including maintaining data residency, controlling access to regulated data, and obtaining consent. Mitigation is often the best strategy.

If your company chooses to mitigate the risk, the next step would be to identify and assess what data is impacted.

Identifying Data Affected by Privacy and Data Security Regulations

Understanding regulated data in China can be confusing because of the varying definitions. In laws like the PIPL, the Cybersecurity Law, the Data Security Law, previous legislation, and affiliated regulations, protected data is defined in several different ways. The PIPL covers “personal” data and “sensitive personal” data. The Cybersecurity Law and the Data Security Law both cover “important” data.

Furthermore, there is a Multi-Level Protection Scheme (MLPS 2.0) which defines five levels of impact — ranging from impact to organizations and individuals, at the least regulated level, up to national security impacts as the most regulated level.

Alternatively, in some situations data may be categorized as personal, sensitive, or important; in others, it may be defined by MLPS levels and impact levels. When planning, both categorization schemes can be useful.

Business data can fall into many of these categories. Names, phone numbers, and other personally identifiable fields in one scheme would be considered “personal data”, and may also fit into MLPS level 1.

Personal Health Information (PHI) would be considered “sensitive” under the PIPL, and would require a higher level of protection. This higher level of protection can be seen in access control, the need for a stronger justification and consent for processing the data, and more restrictions on transferring the data across national boundaries.

Other examples of sensitive information include religious beliefs or affiliation, financial data, and location tracking. This data is often stored in business systems — for example, provider management, HR, account management, scheduling, and retail execution can all include various forms of sensitive information. Some examples might include:

Guidance on data classification can be derived from the affected objects and their impact levels, as defined by MLPS 2.0 and by the latest GB/T 43697-2024. The levels are as follows:

- Core Data: Directly impacts national security, political security, people’s livelihoods, and major public interests.
- Important Data: May affect national security, economic operation, social stability, health or safety. Data that affects a single organization or individual typically does not qualify for this category.
- General Data: Does not fall into the Core Data or Important Data categories.
- Personal Data: Personally identifiable information.
- Sensitive Personal Data: Personal information, which if leaked or destroyed, could impact an individual’s health, safety, or property.

Core data is more sensitive (has a higher risk) than Important data, which is in turn more sensitive than general data. Data should be graded and evaluated by the potential impact based on the scale of the effect and the scale and precision of the data.

| Categories | Impact level: Especially severe | Impact level: Severe | Impact level: Normal |
| --- | --- | --- | --- |
| National Security | Core data | Core data | Important data |
| Economy | Core data | Important data | General data |
| Social Order | Core data | Important data | General data |
| Public Interest | Core data | Important data | General data |
| Org/Ind rights | General data | General data | General data |

Furthermore, depending on the industry or the region, additional restrictions can come into play. For example, IoT data is restricted from cross-border data transfer. In health care, treatment information is restricted. Additional examples include:

- Automotive Manufacturing: A luxury car manufacturer develops a personalized driver assistance system that learns from individual driving habits. The system collects and processes data on acceleration patterns, braking behavior, and route preferences. This information, while crucial for optimizing the driving experience, is highly sensitive as it could reveal personal routines and locations if compromised.
- Life Sciences: A pharmaceutical company conducts clinical trials for a new cancer treatment. They collect extensive patient data, including genetic markers, treatment responses, and quality of life indicators. This information is not only medically sensitive but also potentially revealing about individuals' long-term health prospects and could affect their insurability or employment if disclosed.
- Luxury Retail: A high-end jewelry brand offers a bespoke service where clients can design custom pieces. The company maintains a database of client preferences, purchase history, and personal events (e.g., anniversaries, birthdays). This information, while valuable for personalized marketing, is sensitive as it could reveal a client's financial status, personal relationships, and lifestyle choices if breached.

Corporations may choose to classify data using multiple parameters:

- Classify data by level of sensitivity. This can typically be done based on the data schema.
- Classify cross-border data transfers by level of sensitivity. Cross-border data transfers are treated more strictly than data processing; data may be acceptable to process in China but not to transfer outside of China.

Formulating a Localization Strategy

Once a company has assessed risk and classified data, it is time to build a digital strategy to ensure the handling of that data is compliant. Corporations should carefully consider global and regional governance, local market business support, regulation constraints, and cost efficiency.

Companies will need to consider multiple factors to find success, including:

- Cybersecurity issues such as whether sensitive data is involved
- System performance quality and maintaining a consistent user experience while transaction volume increases
- The level of integration dependency on China’s digital ecosystems to fulfill localized use cases
- How to best manage and leverage global assets across borders

[Figure: four areas of consideration for a localization strategy; central labels: Alignment, Empower]

A. Regulations & Constraints
- Cyber, Data and Privacy Regulatory Compliance (Cyber & Data Security; Cross-Border Data Transfer; Privacy Protection): Considerations of whether PII or other sensitive data is involved throughout data collection, storage, processing and usage lifecycle under CSL, PIPL and other regulation requirements

B. System Performance Requirement
- System Performance & Availability Necessity (System Performance; System Availability): The importance of stable performance and level of RTO & RPO under increasing transaction volume and business complexity to maintain consistent user experience

C. China Market Business Growth
- Business Continuity under Complex Geopolitics
- China Specific Experience Delivery Dependency: Considerations of the level of integration dependency on China digital ecosystems to fulfill localized business use cases

D. Global & Regional Synergy and Governance
- Asset Synergy and Capital Efficiency: Consideration of how to leverage global assets to achieve cross region synergy and more scalable architecture
- TCO and TOM: governance, including support capabilities; while cross border data access would be one of the key factors to impact TCO

Given the potential breadth of a corporation's customer relationship management (CRM) system, the data within it should be stored locally to meet localization requirements, have proper security measures in place to control access and compliance with local laws and regulations, all while being useable to meet the business needs. The affected data and technical domains can be wide-ranging, including employee data, customer data, business partner data and identity, and more.

A corporation’s CRM is often connected to their marketing systems, social media, enterprise resource planning (ERP) software, analytics platform, data platform, and more systems, further affecting which data needs to be protected and compliant. Since sensitive data is stored and shared from these systems, all of them are affected to some degree, and their integrations also need to be secure and compliant.

[Figure: Key Areas of Localized Solutions]

ERP
- China ERP with own instance
- Locally sourced ERP

Workspace & Collaboration
- O365 (including E-mail)
- Collaboration Tools
- ITIL tools

Sales & Marketing
- WeChat touchpoints
- E-Commerce / ordering portal
- Sales Enablement
- CRM (i.e. Salesforce)

Data Platform
- Consumer Data Platform
- Other Data Platform including important data

Security
- IAM / AD Separation / MFA
- Zero Trust
- Vulnerability scan and Pentest
- Cyber Security

HR
- Global/local split of the HR systems in view of the regulatory requirements and local ecosystem

Sales & Marketing
- Standard Global solution hosted in China
- China localized solution with customization
- Tailor-made solution with cloud providers in China

Data Platform
- Dedicated Domain for CN services (Certificate/ICP)
- Local authorized DNS
- Independent VPCs/subnets for China
- Local access for user profile e.g., VPN, Identity

Cybersecurity Considerations

Achieving compliance while enhancing the cybersecurity level in China and the rest of the world is a challenge. For example, specific data is not allowed to leave the Chinese mainland, like Sensitive Personal Information. Non-compliance can result in fines, but improving cybersecurity is key to protecting intellectual property. Companies will need to find a balance between the two to satisfy all parties and keep information secure.

[Figure: cybersecurity considerations by area, each viewed under "Compliance" and "Cybersecurity maturity"]

Cybersecurity Organization
- Compliance: Local cybersecurity officer is required; possibly a local data protection officer
- Cybersecurity maturity: Localized Cybersecurity Organization should be considered due to limitations of data transfer and potentially other tools/solutions than in rest of the world

Data Transfer & Network
- Compliance: Specific data is not allowed to leave the Chinese mainland: Sensitive Personal Information (SPI), Important data
- Cybersecurity maturity: Limitations of network access from and to China preventing attacks; prevention of data leakage and insider threats (e.g., segmentations of networks, network enforcement points)

Technology
- Compliance: Systems which are deployed or operated in China have to comply to specific hardening (e.g., operating systems, network technology, cybersecurity tools)
- Cybersecurity maturity: Globally trusted technology standards and solutions to ensure secure working and collaboration; some functions might not be available in other solutions

Network Product & Service
- Compliance: Key Network Product & Service Challenges: sales permit & certifications is required; list of products (first batch, scope, standards)
- Cybersecurity maturity: Taking ‘Trade Policies’ into consideration, attentions needed on products supply disruption and the inability of product update

Cryptography
- Compliance: Limitation of allowed cryptographic solutions; commercial cryptography imports must be permitted
- Cybersecurity maturity: Global standards to ensure highly secure data encryption and exchange

Compliance: Non-compliance can result in fines, suspension of business, revocation of licenses, and industry restrictions for involved staff

Cybersecurity maturity: Appropriate measures needed improving cybersecurity level in order to protect intellectual property

Data Residency, Data Access, and Cross-border Data Transfers

Hosting business applications and their data in China supports compliance with the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) regulations, as well as meeting China market dynamics and speed, and ensuring both global and local cybersecurity.

China’s current cyberspace governance strategy is to focus on cybersecurity and on protecting the cross-border transmission of personal data and important data. For multinational corporations (MNCs) in China, proper isolation and cross-border data transfer control is becoming an urgent requirement.

Balancing timeliness with need can cause complications across industries. Three compliance aspects commonly arise at this point:

- Data Residency: To comply with the laws and regulations discussed in this document, data that is gathered in China needs to be processed and stored in China unless there is an exception granted.
- Data Access: Processors need a legal reason to process data, and actors need a legal reason to access the data. Access control is necessary to ensure that the individuals accessing the data are entitled to that privilege.
- Cross-border Data Transfers: The default for regulated data is that it needs justification and approval to transmit across borders. APIs are one mechanism, but remote access of any kind is a data transfer.

A key starting point for corporations, therefore, is to consider proper isolation through data residency in China.

Common Scenarios for Data Residency

Applications contain massive amounts of non-HR (non-employee) personal info, core data, and important data

Over 1 million records with client information are subject to localization requirements and any cross-border data transfer activities must be approved in advance. Core data and important data may impact national security, social stability and public interest, facing more restricted regulation than sensitive personal info. Certain data is not allowed to leave the Chinese mainland at all.

Local administration for business applications, IT infrastructure