Transferring data overseas under the Cybersecurity Law

The first draft of the PRC Cybersecurity Law (CSL) was published at the beginning of 2015, aimed at bringing China in line with global best practices for cybersecurity. Two years and three versions later, the law officially came into force on June 1, 2017. This highly condensed legislative process indicates China's eagerness to have the CSL in place as soon as possible. However, having the new law promulgated so swiftly with a lack of key supporting implementing rules and guidelines left many fundamental principles unclear.

As at the date of writing, a number of key concepts under the CSL require further guidance and clarification. According to a Q&A released by the Cybersecurity Coordination Bureau of the Cyberspace Administration of China (CAC) on May 31, relevant authorities and ministries are expected to promulgate regulations and implementing measures within 12 months from the date the CSL entered into effect.

With a phase-in period of less than a year, businesses operating in China are eager to understand what they need to prepare for compliance with the new law. Of particular concern is the data localization requirement—which mandates data to be stored within the PRC—and the related restrictions on exporting or transferring data outside of the country. The Q&A, together with some draft implementing measures and guidelines on data export, have raised more concerns among businesses than expected.