Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases.
The Cybersecurity Law requires “critical information infrastructure” providers to store “personal information” and “important data” within China unless their business requires them to store data overseas and they have passed a security assessment. At this point, it remains unclear what qualifies as “critical infrastructure” and “important data,” although the inclusion of “important data” in the text of the law alongside “personal data” means that it likely refers to non-personal data.
The Personal Information Security Specification (个人信息安全规范, GB/T 35273-2017) includes suggested best practices relating to personal data. When transmitting or storing sensitive personal information, the Specification recommends that security measures, such as encryption, should be used.
Chinese law does not specifically address transferring employee data out of China. For now, it appears unlikely that most categories of employee data will be prevented from being lawfully transferred outside China. The “Draft Measures for the Security Assessment of Personal Information and Important Data to be Transferred Abroad” include a detailed definition of “important data.” These Draft Measures are still being considered by the Chinese government, but at this time it seems that the Draft Measures do not apply when employers process the personal data of their employees.