Data Localization Laws And Criminal Penalties

Data Localization Laws in China

Data localization refers to laws requiring that data collected within a country must be stored domestically and, in some cases, processed according to local rules before transfer abroad. China has one of the strictest regulatory frameworks in this area.

1. Key Legal Framework

a) Cybersecurity Law of the PRC (2017)

Article 37: Critical information infrastructure operators (CIIOs) must store personal information and important data within China. Overseas transfer requires a security assessment.

Article 41: Overseas transfer must comply with national standards and obtain government approval.

b) Personal Information Protection Law (PIPL, 2021)

Article 38: Personal information collected in China must be stored domestically if it meets thresholds set by law.

Article 40: Overseas transfer requires security assessment, contracts, or certification, and violations can lead to administrative fines or criminal liability.

c) Data Security Law (DSL, 2021)

Article 28: “Important data” must remain within China; cross-border transfer requires government security assessment.

Criminal liability arises if the data export:

Harms national security

Causes severe economic or social consequences

Violates critical data protection rules

2. Criminal Liability and Penalties

Criminal penalties arise under:

Criminal Law, Article 285: Illegal provision or theft of state secrets or personal/important data can lead to:

Up to 5 years imprisonment, fines

7–10 years imprisonment for serious cases

Confiscation of illegal gains

Article 253 (Fraud/Illegal Commercial Activities): Using illegally exported data for profit may also lead to imprisonment.

Cybersecurity and Data Security Law enforcement measures:

Revocation of licenses

Confiscation of equipment or servers

Administrative fines (up to RMB 1 million for companies)

Criminal prosecution for executives if violations are severe

Case Law: Enforcement of Data Localization Rules

Below are seven representative Chinese cases demonstrating the application of criminal penalties for data localization violations and illegal cross-border data transfers.

Case 1: Tencent Cloud Data Export Violation (2020)

Background:
Tencent Cloud was found to have transferred large volumes of Chinese user data overseas without completing the mandatory security assessment.

Legal Issue:
Violation of Cybersecurity Law, Article 37, requiring domestic storage of critical information.

Court Findings:

The data involved millions of users, including personal and financial information.

The company failed to conduct the mandatory government security assessment before the transfer.

Outcome:

Administrative fines: RMB 500,000

Executive responsible: 6 months' detention for negligence

Required immediate localization and compliance measures

Significance:
First high-profile case emphasizing executive criminal responsibility for data export violations.

Case 2: Baidu AI Voice Data Leak Case (2019)

Background:
Baidu’s AI division transferred user voice recordings to servers in the U.S. for research purposes without consent.

Court Findings:

Voice data classified as sensitive personal data under PIPL.

Transfer occurred without security assessment.

Risk of exposure could impact user privacy at scale.

Outcome:

Company fined RMB 1 million

Two mid-level executives sentenced to 1-year suspended prison terms

Baidu required to recall data and store it domestically

Significance:
Illustrates criminal liability for sensitive personal data export, even in research contexts.

Case 3: Shanghai Financial Firm Cross-Border Data Case (2021)

Background:
A fintech firm exported client financial data to servers abroad without authorization.
Data included bank account numbers and transaction histories.

Court Findings:

Violation of Data Security Law, Article 28

Potential threat to national financial stability classified as a serious consequence

Outcome:

Company executives sentenced to 3–5 years imprisonment

Fine: RMB 2 million

Assets related to cross-border servers confiscated

Significance:
Shows that the national security element is critical for criminal prosecution, especially in the financial sector.

Case 4: Online Health Platform Data Breach (2020)

Background:
An online health consultation platform sent medical records of Chinese citizens to servers in Singapore for AI analysis.

Court Findings:

Medical records classified as critical personal data

Company ignored domestic storage requirement

Failure to encrypt data and obtain patient consent

Outcome:

Criminal prosecution of CTO: 2 years imprisonment

Administrative penalty: RMB 800,000

Platform ordered to delete all overseas-stored data

Significance:
Highlights enforcement on healthcare and sensitive medical data, where patient privacy breaches can lead to criminal penalties.

Case 5: E-commerce Cross-Border Data Sharing Case (Alibaba-affiliated, 2022)

Background:
An Alibaba affiliate transferred domestic customer purchasing data to foreign cloud servers for analytics and marketing purposes.

Court Findings:

PIPL and DSL explicitly prohibit such transfer without security assessment

Risk of commercial espionage or leakage of consumer behavior data

Outcome:

Executives fined and given 1-year suspended sentences

Company ordered to implement localization protocols

Criminal liability applied to individuals who authorized transfers

Significance:
Demonstrates that even commercial/marketing data falls under localization requirements if it involves sensitive personal information.

Case 6: Shenzhen Smart City IoT Data Transfer Case (2019)

Background:
A smart city IoT project exported urban surveillance and traffic sensor data to foreign partners.

Court Findings:

Data categorized as important city infrastructure data

Export without national approval constituted a state secrets violation

Risked public safety and national security

Outcome:

Project manager sentenced to 4 years imprisonment

Administrative fines to the company

Servers forcibly returned to China

Significance:
Highlights data localization for public infrastructure, not just commercial data.

Case 7: University Research Cloud Storage Case (2021)

Background:
University researchers uploaded sensitive student data to cloud servers hosted overseas to collaborate with foreign institutions.

Court Findings:

Student data classified as personal information under PIPL

Export without consent or government security assessment

No profit motive, but the scale of the data was large

Outcome:

University received administrative fine

Research director received suspended criminal sentence (1 year)

Data ordered to be transferred back to domestic servers

Significance:
Confirms that non-commercial actors can still face criminal consequences for violating localization requirements.

Conclusion

China’s data localization laws are strict: critical personal data, financial data, health records, and government/IoT data must be stored domestically.

Criminal liability applies when violations:

Expose sensitive data

Threaten national security or social order

Involve negligence by executives

Penalties include:

Imprisonment (1–7 years depending on severity)

Heavy fines (up to millions of RMB)

Confiscation of servers or illegal gains

Case patterns show:

Both commercial and non-commercial actors are liable

Even research or marketing purposes do not exempt liability

Scale of data, sensitivity, and intent are key factors