top of page

XL INSIGHTS+
Legal Alerts and News Updates

U.S. University Access to Academic Database Suspended Over Data Privacy and Data Security Concerns

  • Several U.S. universities’ access to China’s largest academic database has been suspended as of April 1 due to data privacy and data security concerns.

  • It is unclear when university access will be restored.

Last month, several universities and research institutes in the United States, Taiwan and Hong

Kong were notified by the China National Knowledge Infrastructure (CNKI), the largest academic

database in China, that their access would be suspended as of April 1 due to data privacy and

data security concerns.


The suspension follows the June 23, 2022 announcement by the Cyberspace Administration of

China (CAC) that “In order to prevent national data security risks, maintain national security,

and protect the public interest, the CAC interviewed the person in charge of CNKI and launched

a cybersecurity review against CNKI in accordance with the National Security Law, the

Cybersecurity Law, the Data Security Law and the Measures for Cybersecurity Review.”

According to the CAC’s announcement, “It has been reported that CNKI has an excessive

amount of personal information and important data in key industries such as national defense,

industry, telecommunications, transportation, natural resources, health, and finance, as well as

other sensitive information covering major projects, important scientific and technological

achievements, and key technological developments.” To date, the result and details of the

cybersecurity review against CNKI have not been published.


As background, the National Security Law, the Cybersecurity Law, and the Data Security Law are

some of the primary laws that comprise China’s complex data privacy and security framework,

along with China’s Personal Information Protection Law (PIPL). Under the PIPL, there are

specific handling, management and security requirements regarding the sharing or transfer of

PRC personal information that must be met before any personal information (PI) or sensitive

personal information (SPI) can be shared or transferred out of country. China’s Outbound Data

Transfer Security Assessment Measures, which took effect September 1, 2022, requires that

data handlers conduct security assessments in the following situations: (i) where the data

handler is providing “important” data; (ii) the data handler is providing the PI of more than one

million people; (iii) a critical information infrastructure operator (CIIO) is providing PI; (iv) the

data handler provided the PI of more than 1,000,000 people or the SPI of more than 10,000

people since January of the previous year; and (v) other circumstances as provided by the CAC.

The Outbound Data Transfer Security Assessment Measures define “important data” as “any

data that, if it is tampered with, destroyed, divulged, illegally obtained, or illegally used, among

others, may endanger national security, economic operation, social stability, public health and

security, among others.”


The Measures for Cybersecurity Review, in effect since February 15, 2022, provide that a

cybersecurity review is launched only if: 1) a critical information infrastructure operator

purchases network products and services which affect or may affect national security; or 2) an

online platform operator conducts data processing which affects or may affect national

security. Several factors are involved in the review process, including an assessment of the risks

of core data, important data, or a large amount of PI being stolen, leaked, damaged, illegally

used, or illegally transferred to another country or jurisdiction.


CNKI’s March 17 notice (available in Chinese and English) told its customers that “In accordance

with the Measures of Data Cross-Border Transfer Assessment and relevant laws effective

September 1, 2022, CNKI will have to take actions to ensure our cross-border services are in

compliance with the law. As a result, part of your institution’s access to CNKI will be suspended

from April 1, 2023. Date of resumption of access will be further notified.”


Some university faculty and staff have already expressed concerns about loss of access, even if

the suspension is only temporary. Whatever the outcome in this particular case, the suspension

may be a harbinger of the significant impact of China’s data privacy and data security laws on

U.S. institutions of higher education.



U.S
. University Access to Academic Database Suspended Over Data Privacy and Data Security
Download UNIVERSITY ACCESS TO ACADEMIC DATABASE SUSPENDED OVER DATA PRIVACY AND DATA SECURITY • 1.86MB



Comments


bottom of page