Database
Restrictions on data
CHINA
Since November 2012
Entry into force in February 2013
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems
Article 5.4.5 of the Guidelines for Personal Information Protection Within Public and Commercial Services Information Systems prohibits the transfer of personal data abroad without the express consent of the data subject, government permission or explicit regulatory approval. In the words of the Guidelines, "absent express consent of the subject of the personal information, or explicit legal or regulatory permission, or absent the consent of the competent authorities", "the administrator of personal information shall not transfer the personal information to any overseas receiver of personal information, including any individuals located overseas or any organizations and institutions registered overseas."
Although the Guidelines are a voluntary technical document, they might serve as a regulatory basis for judicial authorities and lawmakers.
Coverage Horizontal
Sources
- https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=CN
- Graham Greenleaf & George Yijun Tian, China Expands Data Protection through 2013 Guidelines, Privacy L. & Bus. Int’l Rep., Apr. 2013, at 1 (2013), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2280037
- Chander, A. and U. Lê (2015), Data Nationalism, Emory Law Review, 64, 677, p. 678-739. Available at http://law.emory.edu/elj/content/volume-64/issue-3/articles/data-nationalism.html
Restrictions on data
CHINA
Since June 2017
Reported in April 2017, entering into force in December 2018
Since May 2018
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Cybersecurity Law
Draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data
Information Technology – Personal Information Security Specification (GB/T 35273-2017)
The Cybersecurity Law includes requirements for personal information of Chinese citizens and "important data" collected by "key information infrastructure operators" (KIIOs) to be kept within the borders of China (Art. 37). If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless otherwise regulated by laws and regulations. The definition of KIIOs remains to be finalised. As a result, it is reported that in February 2018, Apple began hosting Chinese users' iCloud accounts, along with their encryption keys, in a Chinese data center so as to comply with these new measures.
Additionally, the Draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, issued in April 2017 by the Cyberspace Administration of China, would expand this restriction to all "network operators". This expands the scope of the measure to cover most, if not all, cloud service providers. The draft measures allow some smaller organizations (or smaller transfers) to be subject to a simple self-assessment regime, as long as the data they seek to transfer is not deemed relevant to national security, or social and public interest. However, larger organizations and larger transfers (e.g., over 500,000 records) must be assessed by the competent authority.
Additionally, a Personal Information Security Specification, which came into force in May 2018, further cements the need for security assessments when outsourcing data processing to a third party, and mandates the need for audits and contractually obligated security measures. The Specification is not a legally binding text, but the Chinese government agencies are likely to refer to it as a standard to determine whether companies are following China’s data protection rules.
Coverage Horizontal
Sources
- https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf
- https://www.insideprivacy.com/international/china/cross-border-data-transfer-a-china-perspective/
- http://cloudscorecard.bsa.org/2018/pdf/country_reports/2018_Country_Report_China.pdf
- https://www.reuters.com/article/us-china-apple-icloud-insight/apple-moves-to-store-icloud-keys-in-china-raising-human-rights-fears-idUSKCN1G8060
- https://www.bakermckenzie.com/en/insight/publications/2017/06/further-developments-in-draft-rules
- https://www.chinalawblog.com/2018/02/chinas-personal-information-security-specification-get-ready-for-may-1.html
- http://www.gb688.cn/bzgk/gb/newGbInfo?hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE
Restrictions on data
CHINA
Since 2000
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Telecommunications Regulations of the People's Republic of China (中华人民共和国电信条例)
China's Telecommunications Regulations require all data collected inside China to be stored on Chinese servers. The US International Trade Commission reports that as a result of this regulation, Hewlett Packard, Qualcomm, and Uber were required to divest more than 50 percent of their businesses in China to Chinese companies, to avoid fines.
Coverage Telecommunication services and cloud services
Restrictions on data
CHINA
Since November 2016
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Interim Regulations for the Management of Network Appoint Taxi Services Operations
China instituted a licensing system for online taxi companies which requires them to host user data on Chinese servers.
Coverage Online taxi companies
Restrictions on data
CHINA
Since December 2015
Entry into force in January 2016
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Map Management Regulations
Online map providers are required to set up their servers inside the country and must acquire an official certificate.
Coverage Maps services
Sources
- http://www.citylab.com/politics/2015/12/china-cracks-down-on-politcally-incorrect-maps/421032/
- http://shanghaiist.com/2015/12/17/dont_get_caught_with_wrong_maps.php
- http://www.businessinsider.com/companies-must-keep-map-data-on-servers-within-chinas-borders-2015-12?IR=T
- http://english.gov.cn/policies/latest_releases/2015/12/14/content_281475253904932.htm
Restrictions on data
CHINA
Since 1990s
Reported in 2012
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Data localisation requirement
China has data residency laws under which companies can store the data they collect only on in-country servers.
Coverage Horizontal
Restrictions on data
CHINA
Since July 2016
Entry into force in November 2016
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Interim Measures for the Administration of Online Taxi Booking Business Operations and Services
China instituted a licensing system for online taxi companies which requires them to host user data on Chinese servers.
Coverage Taxi sector
Restrictions on data
CHINA
Since May 1989
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Law of the People's Republic of China on Guarding State Secrets
The transfer abroad of data containing state secrets is prohibited.
Coverage Horizontal
Source
- Law of the People’s Republic of China on Guarding State Secrets, promulgated by the Standing Committee of the National People's Congress, Sept. 1988, effective May 1989, art. 2. Available at http://www.lawinfochina.com/display.aspx?lib=law&id=1191&CGid=
Restrictions on data
CHINA
Since May 2014
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Administrative Measures for Population Health Information (For Trial Implementation)
Population health information needs to be stored and processed within China. In addition, storage is not allowed overseas.
Coverage Health sector
Restrictions on data
CHINA
Since May 2011
Chapter Data policies
Sub-chapter Restrictions on cross-border data flows
Notice to Urge Banking Financial Institutions to Protect Personal Financial Information
The "Notice to Urge Banking Financial Institutions to Protect Personal Financial Information" states that personal information collected by commercial banks must be stored, handled and analysed within the territory of China and that such personal information is not allowed to be transferred overseas.
Coverage Financial sector
Sources
- [Notice on Urging Banking Financial Institutions to Do a Good Job in Protecting Personal Financial Information] (promulgated by the People’s Bank of China, Jan. 21, 2011), available at http://www.lawinfochina.com/display.aspx?lib=law&id=8837&CGid=
- Gigi Cheah (2011), Protection of Personal Financial Information in China, Norton Rose Fulbright. Available at http://www.nortonrosefulbright.com/knowledge/publications/56148/protection-of-personal-financial-information-in-china