"Forewarned Is Forearmed" – The Rise of Chinese Data-Flow Restrictions

27 May 2015 Manufacturing Industry Advisor Blog

Manufacturers with operations, employees, and/or customers in China must be aware of a long list of China-specific data-flow and content restrictions. Data-flow restrictions in particular affect manufacturers employing or launching mobile apps and other IT initiatives, both internal and external. Manufacturers must be very sensitive to China’s rules and guidelines restricting data flow, as these can affect plans for data storage, transmission and even analysis.

American industry associations have called upon China to openly discuss changes to its data-flow rules. These associations argue China’s rules are “overly broad, opaque, [and a] discriminatory approach to cybersecurity policy.” According to the associations, the Chinese rules may, among other things, require companies to divulge sensitive intellectual property and restrict cross-border flows of commercial data. Chinese entrepreneurs have reportedly marketed Chinese-developed replacements for foreign technology, which validates U.S. industry concerns.

While U.S. government and industry negotiators continue to push for resolution of industry concerns, manufacturers utilizing or implementing cross-border data flows must adjust their plans to enjoy continued business success, minimize business continuity risks, and even avoid criminal liability in China.

Personal Data Privacy. China’s personal data privacy laws and guidelines have been expanding over the last few years in particular. These include provisions referencing data-flow restrictions.

For instance, according to the Information Security Technology – Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services (GB/Z 28828-2012), Section 5.4.5, “without express consent of the subject of personal information, the express requirement of any law or regulation, or the consent of the competent authority, a personal information administrator should not transmit personal information to any overseas personal information recipient, including an individual located abroad or an organization or institution registered abroad.”  This provision underscores a trend, albeit in the form of a national “guiding” [指导] standard, toward personal information data-flow restrictions. The authors note from experience that such standards should not be dismissed when considering compliance obligations and risks. The reasons for this observation include the facts that such standards serve as an influence for future laws on this subject and that conformity with such standards may be made mandatory as a function of other legal norm-creating measures.

As many U.S. manufacturers often collect personal information during their normal business operations in China, they should factor into their planning the potential for restrictions involving the transmission of personal information to servers abroad.

Healthcare Information and Patient Privacy. Measures issued last year potentially apply to a vast array of health information which medical, healthcare and family planning service agencies of all types and at all levels generate within China while providing services or managing healthcare operations. These measures prohibit storage of such information “in overseas servers, [or in] hosted or rented overseas servers.” Thus, medical device manufacturers and pharmaceutical companies must be careful not to run afoul of these rules while transacting business in China or with healthcare companies and organizations operating in China.

Criminal Liability. In the draft 9th Amendment to the Criminal Law, China has proposed criminalizing unauthorized “sale[s] or offers to sell personal information obtained…during the provision of services.”  If enacted, the text would explicitly expand the scope of such criminal liability under the version of the Criminal Law currently in effect, which limits the crime subjects to the employees of specified and other industries.

The possibility of criminal sanctions tied to unauthorized sales associated with personal information transfers adds teeth to an already expanding array of personal information protection measures.

National Security. Under the proposed Counter-Terrorism Law of the People’s Republic of China, domestic and foreign companies, including foreign manufacturers operating in China, would need to store customer data on Chinese servers and provide technical interfaces and encryption keys to public security agencies. National security issues driving China’s restrictions on data flow and content are not limited to this proposal. The proposed National Security Law of China introduces, in proposed Section 26, the concept of “internet sovereignty,” which essentially provides that a country has the right to determine what data flows in and out of its territory. Existing Chinese laws, such as the State Secrets Law of the People’s Republic of China and Foreign Trade Law of the People’s Republic of China, also address these issues for company data flow and content restrictions.

Financial Information. China recently temporarily suspended the implementation of new banking sector Guidelines that would require companies which provide IT equipment to Chinese banks to, among other things, turn over source code. Specifically, goals indicated in the Guidelines included substantially increasing financial institution use of “safe and controllable” information technology by the end of 2019. Manufacturers providing such equipment to the banking sector must be wary of revealing trade secrets or other confidential information.

Much of the promise for Internet-based and other technology innovations used in manufacturing is based on predictable and reliable data flow and globally accepted standards to address security improvements. Monitoring data-flow restrictions such as those described above is therefore an increasingly important aspect of manufacturer compliance and risk management for China. Some manufacturers may even use these examples to strengthen their advocacy and perspectives brought to the negotiating table.

For further information on these restrictions and a list of selected laws and guidance documents associated with this summary, please refer to the attached PDF.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services