The Cyberspace Administration of China recently released the Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country (the Measures), which regulates the transfer and storage of personal information and data leaving China. The Measures are part of China’s expansive Cybersecurity Law (the Law), which will come into effect on June 1.
Although the Measures are designed to aid in the implementation of the Law, they raise fresh concerns for foreign companies in China that store information overseas. In particular, stipulations governing the collection and storage of “personal information” could pose a challenge for foreign companies that centralize their HR operations for China-based employees outside of the country.
The extent to which the regulations will be enforced in practice remains unclear due to the ambiguity of the Law and how local authorities will interpret it. Nevertheless, companies with employees in China are strongly advised to thoroughly examine their current HR and IT systems and develop contingency plans to restructure them in order to comply with the stringent new requirements.
Companies affected by the Law
The data localization provisions of the Law mainly affect two types of organizations: “network operators” and “critical information infrastructure (CII) operators”. Due to the broad definitions of these organizations used in the Law, in practice an wide range of entities could be affected.
“Network operators” are defined as owners, administrators, and service providers of networks, which are systems comprised of computers and other information terminals and related equipment that gather, store, transmit, and process data.
While this definition invariably includes telecom companies and internet service providers, companies that have computer networks set up within a single office location and even individuals with multiple computers connected to a network could be considered network operators for the purpose of the Law.
“CII operators” are given a more narrow definition, but the Law still leaves room for interpretation. CII operators are network operators in sectors that are in China’s national interest, such as information services, transportation, water resources, and public services.
Businesses could also be deemed CII operators if their operations could affect national security, social or economic well-being, or the public interest if destroyed or breached. The qualification opens the door for a much wider variety of companies to be considered as CII operators. Ultimately, it is at the government’s discretion who is and who is not considered a CII operator.
Data localization obligations
The Measures expand the Law’s data localization requirements to also include network operators, which in the original only appeared to apply to CII operators.
According Article 37 of the Law, all personal information and other key data produced and gathered by CII operators (and now also network operators) must be stored in servers located in mainland China. To transfer data outside of the country, including to Hong Kong, Macau, and Taiwan, operators must receive government permission and undergo a security review.
“Personal information” is defined as information that can be used to verify an individual’s personal identity on its own or alongside other information. Notably, the law refers to personal information as belonging to “natural persons” rather than just Chinese citizens. The term “key data” refers to data closely related to national security, economic development, and social and public interests, but is not explicitly defined.
Failure to comply can lead to a warning, possible website shutdown, permit revocation, and fines ranging between RMB 50,000 and RMB 500,000 (about US$7,250 and US$72,500) for businesses or RMB 10,000 and RMB 100,000 (about US$1,450 and US$14,500) for individuals.
The Measures also extend the Law’s security assessment requirements to all “other individuals or organizations collecting or generating personal information or critical information within the territory of the People’s Republic of China”. Previously, this provision applied to only network operators, and CII operators by extension.
A commission to be established by the Cyberspace Administration of China will carry out security assessments, which will include a risk assessment covering the organization’s collection, storage, processing, and use of data.
Implications for foreign businesses
Given the broad definitions of network and CII operators and that any business with employees in China would store personal information for HR purposes, almost all foreign companies operating in China could potentially be impacted by the data localization requirements.
Foreign businesses that centralize their HR systems overseas may need to alter their systems to comply with the Law by storing data on servers located within mainland China. This could mean establishing a dedicated HR platform for employees in China, or moving the back-end of a system to servers located in China while the international front-end remains integrated for practical use.
On May 15, a coalition of 54 global business groups lobbied the Chinese government to delay the implementation of the Law due to concerns that the Law infringes on China’s free trade commitments and could jeopardize security of proprietary IP and data. However, it remains to be seen whether Beijing will scale back the law or add more clarity to its implementation.
Regardless, considering the breadth of the Law, its stringent requirements, lack of clarity, and upcoming implementation, any business operating in China should review their IT and HR systems and update them if necessary to ensure compliance with the new regulations.
China Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates. We produce material for foreign investors throughout Asia, including ASEAN, India, Indonesia, Russia, the Silk Road, and Vietnam. For editorial matters please contact us here, and for a complimentary subscription to our products, please click here.
Dezan Shira & Associates is a full service practice in China, providing business intelligence, due diligence, legal, tax, IT, HR, payroll, and advisory services throughout the China and Asian region. For assistance with China business issues or investments into China, please contact us at firstname.lastname@example.org or visit us at www.dezshira.com
Dezan Shira & Associates is a pan-Asia, multi-disciplinary professional services firm, providing legal, tax and operational advisory to international corporate investors. Operational throughout China, ASEAN and India, our mission is to guide foreign companies through Asia’s complex regulatory environment and assist them with all aspects of establishing, maintaining and growing their business operations in the region. This brochure provides an overview of the services and expertise Dezan Shira & Associates can provide.
This Dezan Shira & Associates 2017 China guide provides a comprehensive background and details of all aspects of setting up and operating an American business in China, including due diligence and compliance issues, IP protection, corporate establishment options, calculating tax liabilities, as well as discussing on-going operational issues such as managing bookkeeping, accounts, banking, HR, Payroll, annual license renewals, audit, FCPA compliance and consolidation with US standards and Head Office reporting.
In this issue of China Briefing magazine, we lay out the challenges presented by China’s payroll landscape, including its peculiar Dang An and Hu Kou systems. We then explore how companies of all sizes are leveraging IT-enabled solutions to meet their HR and payroll needs, and why outsourcing payroll is the answer for certain company structures. Finally, we consider the potential for China to emerge as Asia’s premier payroll processing center.