Along with the development of big data and cloud computing, the speed of information transmission has become more and more prominent, and the difficulty of cyber security and personal information protection has also increased. The Cyber Security Law of the People’s Republic of China (hereinafter referred to as the “Cyber Security Law”) is the first basic law to comprehensively regulate the security management of cyberspace in mainland China. Since its implementation, it has had a profound impact on the cybersecurity systems of enterprises.

 

According to the main body regulated by the Cyber Security Law, almost all enterprises that “construct, operate, maintain and use the network” in China are covered. The term “enterprise” within the legislation does not distinguish between domestic and foreign enterprises, therefore,  Chinese-funded enterprises and foreign-funded enterprise, as long as the enterprise “constructs, operates, maintains, and uses the network” in China, shall comply with the provisions of the Cyber Security Law . Taking a multinational enterprise that regularly processes and cross-border transmission of customer personal information as an example, it is necessary to pay attention to fulfilling compliance obligations related to the protection of personal information.

 

First of all, relevant multinational enterprises should clarify the definition of “personal information.” For example, the information of specific clients collected by enterprises for business development may be regarded as “personal information” as they can identify “specific individuals” from such data.

 

Secondly, enterprises should formulate a strict system of personal information collection and use. The means of obtaining, usage, and storage of clients’ personal information shall be considered by the enterprise. It is important to obtain the authorization of the information subject, especially, in situations where the transfer of user information is from China to overseas, the situation of the party receiving the information overseas should also be disclosed to the information subject in a timely manner.

 

It is recommended that relevant enterprises develop operational guidelines for the cross-border transmission of information and data, clarify the main responsibilities for the cross-border transmission of personal information, and strictly prohibit individuals who are not related to the business from contacting and transmitting personal information overseas in order to avoid possible legal risks.

 

Therefore, considering the above-mentioned scenario, we should suggest relevant investment enterprises to, while conducting cross-border investment business, take the provisions of personal information protection into account and understand the provisions of the Cyber Security Law in order to avoid potential compliance risks.