The Cyber Security Law of the People’s Republic of China (“CSL”), which came into effect on 1 June 2017, poses new challenges for companies operating in China to comply with cross-border data transfer requirements. Different from data protection laws in other jurisdictions, to safeguard national security and public interest, the CSL not only limits cross-border transfer of personal information but also that of important data, and it distinguishes operators of critical information infrastructure from other network operators to set stricter compliance requirements. Since the CSL is still in grace period, companies operating in China are advised to catch up closely with the progress of the enactment of relevant laws and policies, prepare to initiate security assessments, and establish internal compliance systems.

1. Introduction

Following EU’s release of General Data Protection Regulation (“GDPR”) and numerous nations’ or regions’ issuance of data protection laws, including Russia, Singapore, Australia, Canada, India, and South Korea, China’s first comprehensive law of data protection, i.e., the Cybersecurity Law of the People’s Republic of China (“CSL”), took effect on June 1, 2017. Compared with EU’s so-called the strictest privacy law GDPR, the CSL appears to be even more strict than that in terms of cross-border data transfer for the purposes of which include safeguarding cyberspace sovereignty, national security, and public interests far beyond the ordinary legislative purpose of protecting citizen’s personal information.

This article’s objective is to shed light on the latest progress of cross-border data transfer requirements in China and to provide compliance recommendations for multinational companies operating business in China.