Yes. Financial institutions in China may be subject to the following data residency requirements under current PRC laws:
1. Local operation of core systems of commercial banks
Under the Guidelines for the Information Technology Risk Management of Commercial Banks (Yin Jian Fa [2009] No. 19), a bank must independently operate its core systems (involving customer information, financial information and product information, etc.) in China. It must maintain the highest administrative permissions, enable the China Banking and Insurance Regulatory Commission ("CBIRC") to supervise and conduct an on-site inspection, and prevent cross-border risks. If core systems are still operated by a bank in China, but a copy of the data from these core systems is transmitted abroad (e.g., for central storage and processing by the overseas headquarters), arguably this data transmission and overseas storage will not constitute a violation of these requirements.
Therefore, for cloud services associated with the storage and processing of any personal financial information obtained in China, a financial institution should generally only engage a cloud service provider operating in China with servers located in China. The exception is in the case of a Chinese branch of a foreign bank where the relevant conditions imposed by the People's Bank of China ("PBOC") Shanghai Notice are met.
2. Local residency requirement and restrictions on outbound data transfer applicable to personal information and important data of an operator of critical information infrastructure ("CII")
The PRC Cybersecurity Law ("CSL") also requires that any personal information or important data collected and/or generated by a CII operator through its China operations must be stored on servers within China. As stated in Q&A 5 on "Does the outsourcing need to be notified to the regulator?", a financial institution may be regulated as a CII operator and, therefore, be subject to the data localization requirement under the CSL. In this context, "personal information" and "important data" are defined as follows:
"Personal information" includes all kinds of information recorded electronically or otherwise that relates to an identified or identifiable natural person, excluding anonymized information under the PRC Personal Information Protection Law (the "PIPL"). The mainstream view is that the personal information subject to the data residency requirement is that directly related to the operation of the relevant CII.
"Important data," which is not defined in the CSL, means "any data, the manipulation, damage, leakage, or illegal acquisition or use of which, once it takes place, may endanger national security, economic operation, social stability, public health and security, etc." under the Measures for the Security Assessment of Outbound Data Provision issued by the Cyberspace Administration of China ("CAC") on 7 July 2022 ("CBDT Assessment Measures").
Local governments and industrial regulators will formulate specific catalogues of important data and organize data processors within their jurisdiction to identify their important data. For example, according to the Financial Data Security — Guidelines for Data Security Classification (JR/T 0197-2020), a set of recommended industrial standards issued by the PBOC on 23 September 2020 (with no mandatory force), the PBOC takes the position that (a) important data is data (including raw data and derivative data) that is closely related to national security, economic development and public interests, (b) important data may include macro feature data, derivative feature data derived from massive information aggregation, data in the decision-making and law enforcement process of industry regulators, and information on network security defects in CII, etc., and (c) an enterprise's production, operation and internal management information, and personal information is generally not considered important data.
The CSL also provides that a CII operator may only provide personal information or important data overseas where this is "truly necessary" for business reasons (a term the CSL does not define), and that it must undergo a security assessment and obtain governmental clearance in accordance with the CBDT Assessment Measures ("CAC Security Assessment").
3. Local residency requirement and restrictions on onward transfer applicable to personal information of a personal information operator that processes a large volume of personal information
The PIPL, effective from 1 November 2021, further requires that any personal information processor ("PIP", akin to a controller in EU terminology) located in China that processes an over-the-threshold volume of personal information should also store the personal information it collects and/or generates through its China operations on servers within China. "Truly necessary" outbound provision of such personal information is generally subject to the CAC Security Assessment and other requirements under the PIPL and the CBDT Assessment Measures (including obtaining individuals' standalone consent).
Where the CAC Security Assessment is not triggered under the CSL, the PIPL and the CBDT Assessment Measures, a PIP in China (such as a financial institution in China) should either (i) pass a voluntary personal information protection certification by a qualified institution in China in accordance with the Announcement on the Implementation of Personal Information Protection Certification and its related rules, or (ii) conclude a data transfer contract based on the Standard Contract for Outbound Personal Information Provision ("Standard Contract") with the overseas recipient of the personal information provided abroad ("Overseas Recipient") in accordance with the Measures for Standard Contracts for Outbound Personal Information Provision. These measures will take effect from 1 June 2023 and grant a six-month grace period, until 30 November 2023, for rectification. The Standard Contract is prescribed by the CAC, provides for extensive personal information protection rights and imposes obligations on the parties to it. The PIP in China and the Overseas Recipient are only allowed to enter into supplemental agreements that are compatible with the Standard Contract. The executed Standard Contract, together with a personal information protection impact assessment report concerning the export of the personal information, should be filed with the provincial office of the CAC for recordal within 10 working days after the Standard Contract takes effect.