Yan Luo advises clients on a broad array of regulatory matters in connection with cybersecurity and data protection rules in China. With previous work experience in Washington, DC and Brussels before relocating to Beijing, Yan has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Over the past two years, Yan has provided practical advice to clients on nearly all aspects of China’s Cybersecurity Law. She continues to help them navigate the complex and quickly evolving regulatory regime, including on issues arising out of personal information protection, cross-border data transfers, and various cybersecurity requirements.

What provisions of China’s Cybersecurity Law have caused the greatest concern for U.S. companies? What advice do you have for these companies when it comes to compliance?


China’s Cybersecurity Law, the country’s “fundamental law” in the area of cybersecurity, was passed on November 7, 2016 and took effect on June 1, 2017. Many provisions of the Law have the potential to profoundly impact multinationals’ operations in China. However, Article 37, which discusses cross-border data transfers, may cause the greatest concern.

Article 37 requires that operators of Critical Information Infrastructure (“CII”) store “citizens’ personal information and important data” collected or generated in the course of operations within China. If offshore data transfers are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise specified by laws and regulations. On the basis of this provision, the Cyberspace Administration of China (“CAC”) issued a draft implementing regulation, Measures on Security Assessment of Cross-Border Data Transfer of Personal Information and Important Data (the draft “Measures”), that extends certain cross-border transfer obligations to “network operators,” a much broader term than “CII operators.” “Network operator” is defined to include “owners and managers of networks, as well as network service providers.”

According to the draft Measures, companies that may potentially be classified as “network operators” will likely be obliged to conduct a security assessment analyzing risks arising from the transfer(s) of data collected in China to other countries. Regulators may potentially review such assessments from companies to determine whether Chinese data is offered adequate post-transfer protection. In order to avoid a potential disruption of data transfers, it is important for companies to perform a security assessment of cross-border data flows out of China and be ready for a regulator’s review, if and when it is required.