Several U.S. universities’ access to China’s largest academic database has been suspended as of April 1 due to data privacy and data security concerns.
It is unclear when university access will be restored.
Last month, several universities and research institutes in the United States, Taiwan and Hong
Kong were notified by the China National Knowledge Infrastructure (CNKI), the largest academic
database in China, that their access would be suspended as of April 1 due to data privacy and
data security concerns.
The suspension follows the June 23, 2022 announcement by the Cyberspace Administration of
China (CAC) that “In order to prevent national data security risks, maintain national security,
and protect the public interest, the CAC interviewed the person in charge of CNKI and launched
a cybersecurity review against CNKI in accordance with the National Security Law, the
Cybersecurity Law, the Data Security Law and the Measures for Cybersecurity Review.”
According to the CAC’s announcement, “It has been reported that CNKI has an excessive
amount of personal information and important data in key industries such as national defense,
industry, telecommunications, transportation, natural resources, health, and finance, as well as
other sensitive information covering major projects, important scientific and technological
achievements, and key technological developments.” To date, the result and details of the
cybersecurity review against CNKI have not been published.
As background, the National Security Law, the Cybersecurity Law, and the Data Security Law are
some of the primary laws that comprise China’s complex data privacy and security framework,
along with China’s Personal Information Protection Law (PIPL). Under the PIPL, there are
specific handling, management and security requirements regarding the sharing or transfer of
PRC personal information that must be met before any personal information (PI) or sensitive
personal information (SPI) can be shared or transferred out of country. China’s Outbound Data
Transfer Security Assessment Measures, which took effect September 1, 2022, requires that
data handlers conduct security assessments in the following situations: (i) where the data
handler is providing “important” data; (ii) the data handler is providing the PI of more than one
million people; (iii) a critical information infrastructure operator (CIIO) is providing PI; (iv) the
data handler provided the PI of more than 1,000,000 people or the SPI of more than 10,000
people since January of the previous year; and (v) other circumstances as provided by the CAC.
The Outbound Data Transfer Security Assessment Measures define “important data” as “any
data that, if it is tampered with, destroyed, divulged, illegally obtained, or illegally used, among
others, may endanger national security, economic operation, social stability, public health and
security, among others.”
The Measures for Cybersecurity Review, in effect since February 15, 2022, provide that a
cybersecurity review is launched only if: 1) a critical information infrastructure operator
purchases network products and services which affect or may affect national security; or 2) an
online platform operator conducts data processing which affects or may affect national
security. Several factors are involved in the review process, including an assessment of the risks
of core data, important data, or a large amount of PI being stolen, leaked, damaged, illegally
used, or illegally transferred to another country or jurisdiction.
with the Measures of Data Cross-Border Transfer Assessment and relevant laws effective
September 1, 2022, CNKI will have to take actions to ensure our cross-border services are in
compliance with the law. As a result, part of your institution’s access to CNKI will be suspended
from April 1, 2023. Date of resumption of access will be further notified.”
Some university faculty and staff have already expressed concerns about loss of access, even if
the suspension is only temporary. Whatever the outcome in this particular case, the suspension
may be a harbinger of the significant impact of China’s data privacy and data security laws on
U.S. institutions of higher education.