Frequently Asked Questions on Cybersecurity and Data Law in China

Summary

---

|

• China has now established a comprehensive regulatory framework on cybersecurity and data compliance matters, leading to many questions for foreign companies
• Some provisions of PRC law will apply to entities outside of China in certain circumstances
• There are specific considerations where, for example, personal or 'important data' being processed, or where freelancers or consultants are hired
• Foreign companies must also understand the cybersecurity and data compliance position where a Chinese company is being acquired

In the past five years, with the promulgation of three major laws (the PRC Cybersecurity Law (the CSL) (中华人民共和国网络安全法), the PRC Data Security Law (the DSL) (中华人民共和国数据安全法), and the PRC Personal Information Protection Law (the PIPL) (中华人民共和国个人信息保护法)) and various underlying implementation regulations, rules and standards, China has established a comprehensive regulatory framework on cybersecurity and data compliance matters. Such regulatory framework includes rules on the use of networks and the collection, processing, and transfer of data for entities operating in China, including Chinese affiliates of multinational companies. It is important to note that, in addition to entities located within China, these Chinese laws and regulations will also apply to entities outside of China that conduct business with or in China. Foreign companies doing business with China are likely to have many questions related to China's cybersecurity and data transfer laws; below are some of the most frequently asked.

1 .  When a foreign company (without a presence in China) organizes events in China and collects personal information there, can it store data it collects in servers outside China? What other PRC statutory obligations will it be subject to?