China Expands the Scope of the Data Localisation Requirement under its Cybersecurity Law

On 11 April 2017, the Cybersecurity Administration of China (CAC) released the draft Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data ("Draft Measures"). Draft measures and guidelines relating to the Cybersecurity Law (CSL) which was released in November last year, have been expected for a while. The hope has been that such guidelines and measures would shed light on the more opaque terms in the CSL and offer some clarity on the interpretation of broad definitions and concepts. The Draft Measures address the data localisation requirement but instead of narrowing down the concept, they appear to have further expanded the scope of this requirement, thus creating more uncertainty. The data localisation requirement was originally applicable to critical information infrastructures (CIIs) only. The Draft Measures indicate that it should cover both CIIs and network operators. If adopted, the Draft Measures will impose data localisation requirements on multinational companies (MNCs) which previously believed they were not CIIs thus not subject to these rules. The consultation period for the Draft Measures will end on 11 May, shortly before the 1 June effective date of the CSL.