Yan Luo advises clients on a broad array of regulatory matters in connection with cybersecurity and data protection rules in China. With previous work experience in Washington, DC and Brussels before relocating to Beijing, Yan has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Over the past two years, Yan has provided practical advice to clients on nearly all aspects of China’s Cybersecurity Law. She continues to help them navigate the complex and quickly evolving regulatory regime, including on issues arising out of personal information protection, cross-border data transfers, and various cybersecurity requirements.

What provisions of China’s Cybersecurity Law have caused the greatest concern for U.S. companies? What advice do you have for these companies when it comes to compliance?

Answer:

China’s Cybersecurity Law, the country’s “fundamental law” in the area of cybersecurity, was passed on November 7, 2016 and took effect on June 1, 2017. Many provisions of the Law have the potential to profoundly impact multinationals’ operations in China. However, Article 37, which discusses cross-border data transfers, may cause the greatest concern.

Article 37 requires that operators of Critical Information Infrastructure (“CII”) store “citizens’ personal information and important data” collected or generated in the course of operations within China. If offshore data transfers are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise specified by laws and regulations. On the basis of this provision, the Cyberspace Administration of China (“CAC”) issued a draft implementing regulation, Measures on Security Assessment of Cross-Border Data Transfer of Personal Information and Important Data (the draft “Measures”), that extends certain cross-border transfer obligations to “network operators,” a much broader term than “CII operators.” “Network operator” is defined to include “owners and managers of networks, as well as network service providers.”

According to the draft Measures, companies that may potentially be classified as “network operators” will likely be obliged to conduct a security assessment analyzing risks arising from the transfer(s) of data collected in China to other countries. Regulators may potentially review such assessments from companies to determine whether Chinese data is offered adequate post-transfer protection. In order to avoid a potential disruption of data transfers, it is important for companies to perform a security assessment of cross-border data flows out of China and be ready for a regulator’s review, if and when it is required.


Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.


Yan has significant experience assisting multinational companies navigating the rapidly evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross-border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.