Yan Luo advises clients on a broad array of regulatory matters in connection with cybersecurity and data protection rules in China. With previous work experience in Washington, DC and Brussels before relocating to Beijing, Yan has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Over the past two years, Yan has provided practical advice to clients on nearly all aspects of China’s Cybersecurity Law. She continues to help them navigate the complex and quickly evolving regulatory regime, including on issues arising out of personal information protection, cross-border data transfers, and various cybersecurity requirements.

What provisions of China’s Cybersecurity Law have caused the greatest concern for U.S. companies? What advice do you have for these companies when it comes to compliance?

Answer:

China’s Cybersecurity Law, the country’s “fundamental law” in the area of cybersecurity, was passed on November 7, 2016 and took effect on June 1, 2017. Many provisions of the Law have the potential to profoundly impact multinationals’ operations in China. However, Article 37, which discusses cross-border data transfers, may cause the greatest concern.

Article 37 requires that operators of Critical Information Infrastructure (“CII”) store “citizens’ personal information and important data” collected or generated in the course of operations within China. If offshore data transfers are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise specified by laws and regulations. On the basis of this provision, the Cyberspace Administration of China (“CAC”) issued a draft implementing regulation, Measures on Security Assessment of Cross-Border Data Transfer of Personal Information and Important Data (the draft “Measures”), that extends certain cross-border transfer obligations to “network operators,” a much broader term than “CII operators.” “Network operator” is defined to include “owners and managers of networks, as well as network service providers.”

According to the draft Measures, companies that may potentially be classified as “network operators” will likely be obliged to conduct a security assessment analyzing risks arising from the transfer(s) of data collected in China to other countries. Regulators may potentially review such assessments from companies to determine whether Chinese data is offered adequate post-transfer protection. In order to avoid a potential disruption of data transfers, it is important for companies to perform a security assessment of cross-border data flows out of China and be ready for a regulator’s review, if and when it is required.

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.