Disclaimer: This guide is intended for informational purposes only and does not constitute legal advice. Chinafy is not a legal or corporate advisory entity. Given that legal obligations vary by business type and context, we recommend consulting with qualified legal counsel for advice specific to your organization. If needed, Chinafy can connect you with one of our experienced legal partners.
Data localization, or data residency, refers to the practice of storing data within a specific country or region. In China, this means certain data categories (e.g., personal data, financial data, health data) must be stored on servers physically located within the country's borders.
In practice, this means that for businesses operating within mainland China, any data collected, processed, and stored there must remain within China’s geographical boundaries before any transfer overseas.
Some of the reasons data localization has been deemed necessary by the government in China include:
Protecting the data privacy of Chinese residents
National strategic objectives like long-term economic and technological development
Strengthening law enforcement capabilities within mainland China by ensuring data remains accessible to domestic authorities
In general, China uses data localization policies to secure national information and assert control over its digital domain.
The primary legal framework driving data localization in China is made of three pillars:
The Cybersecurity Law (CSL) (2017) governs how businesses operate networks and manage data in China.
The Data Security Law (DSL) (2021) regulates how data is processed, classified, and protected within and outside China.
The Personal Information Protection Law (PIPL) (2021) is similar to the EU’s GDPR, laying out the rules for personal data processing and cross-border data transfers.
China’s data laws apply to any business that collects, stores, uses, sells, or shares personal data from individuals in mainland China, regardless of whether they have a physical presence in China. This includes both data owners and data processors. The regulations are stricter if businesses are Critical Information Infrastructure Operators (CIIOs) or if they process "important" data.
Specific requirements may vary by law or regulation, but here are some of the types of data generally subject to localization:
Personal data
Financial data
Health data
Intellectual property
Customer and e-Commerce data
Education data
Employee data
Critical infrastructure data
Government data
Vehicle data
Non-personal and non-sensitive data, publicly available data, data that is stored abroad or has been anonymized, and data covered by international agreements or treaties or by specific exemptions are typically not subject to these requirements.
Recent CAC rules (the Provisions on Promoting and Regulating Cross-Border Data Flows, effective 22 March 2024) give certain businesses a lighter compliance path. If you are not classified as a Critical Information Infrastructure Operator (CIIO) and the cumulative amount of personal information you export from China since 1 January of the current year:
involves fewer than 100,000 individuals’ non-sensitive personal data, and
does not contain “important data” or any sensitive personal information,
then you may not need to conduct a CAC security assessment, file the Standard Contract, or obtain a certification. For sensitive personal information, the more stringent security assessment trigger still starts at 10,000 individuals.
These thresholds are cumulative, sector-specific catalogues can raise or lower them, and regulators may adjust the numbers over time; every business should therefore map its data flows and confirm the latest position before relying on an exemption.
The key requirements for data storage in China include:
Local storage: Store personal and important data collected in China on servers located within mainland China.
Server location: Store the specified data on servers physically located within China's territory.
Data security standards: Implement strict data security measures, including encryption, access controls, and regular security assessments. Report data breaches or leaks to authorities.
Data impact assessments: Conduct data impact assessments to evaluate potential risks associated with data collection and processing. (PIPL Article 55)
Government inspections: Prepare for regulatory inspections as authorities have the right to inspect businesses to ensure compliance.
Chinafy collaborates with specialized partners, such as Lianwei Pancloud and MS Advisory, who can offer insight into specifics related to your company, regulatory trends and compliance considerations.
Get in touch with Chinafy today to better understand the next steps for your company’s website and data in China.