Pain Point

China Data Localization

The cumulative regulatory effect of the PRC Cybersecurity Law (2017), Data Security Law (2021), and Personal Information Protection Law (2021) — jointly prohibiting cross-border export of "important data," PRC-citizen personal information, and state-secret-adjacent data without explicit Cyberspace Administration of China (CAC) review.

8 connections 2 resources 4 posts

Summary

What it is

The cumulative regulatory effect of the PRC Cybersecurity Law (2017), Data Security Law (2021), and Personal Information Protection Law (2021) — jointly prohibiting cross-border export of "important data," PRC-citizen personal information, and state-secret-adjacent data without explicit Cyberspace Administration of China (CAC) review.

Where it fits

The PRC-side gravity well. The single biggest reason the index now lists Aliyun OSS, Tencent COS, and Huawei OBS as first-class nodes — workloads inside China are not architecturally portable to non-PRC providers without regulatory work that takes quarters and may simply fail.

Misconceptions / Traps
  • Data localization is not just personal data — "important data" is broad and discretionary, and CAC interpretation has tightened over time.
  • "Set up an AWS region in China" does not solve this — AWS China is operated by Sinnet/NWCD as separate legal entities under PRC law, with reduced feature parity.
  • Multinational replication strategies that include PRC users typically fork into a PRC-local stack and a global stack, with deliberate non-replication at the boundary.
Key Connections
  • Drives Aliyun OSS / Tencent COS / Huawei OBS adoption inside China
  • enables East Data West Computing as the lawful pattern
  • scoped_to Sovereign Storage, S3, Object Storage

Definition

What it is

The cumulative effect of three PRC laws — the **Cybersecurity Law (2017)**, **Data Security Law (2021)**, and **Personal Information Protection Law (2021)** — that jointly **prohibit cross-border export** of "important data," personal information of PRC citizens, and any data classified as state-secret-adjacent unless an explicit Cyberspace Administration of China (CAC) security review is passed. In practice this is the regulatory backdrop that makes **Aliyun OSS, Tencent COS, and Huawei OBS** the only viable storage tier for any AI workload involving Chinese-domiciled users, including most foundation-model training corpora collected inside China.

Recent developments

Latest signals
  • CSL first revision effective January 1, 2026 — penalty ceiling 4× higher. Cybersecurity Law's first revision took effect Jan 1, 2026, achieving coordinated integration with DSL + PIPL. Penalty ceiling raised from RMB 500K ($70K) to RMB 2M ($280K) for violations causing serious consequences like large-scale data leaks. Per Klealegal — China Data Laws 2026 Key Changes.
  • Cross-Border Certification Measures finalized — effective Jan 1, 2026. The CAC + SAMR jointly issued cross-border personal-information transfer certification measures on October 14, 2025; effective January 1, 2026. Provides the third compliance pathway alongside Security Assessment + Standard Contractual Clauses. Per China Briefing — Cross-Border Data Transfer Certification.
  • National standard GB/T 46068-2025 effective March 1, 2026. Provides the technical certification criteria for the new cross-border-transfer certification pathway. Per Chambers — Data Protection & Privacy 2026 — China.
  • CIIO obligations: PI + important data must stay on mainland-China servers. Critical Information Infrastructure Operators (CIIOs) must store all personal information + important data collected/generated during operations on servers physically located in mainland China. Transfers abroad require CAC security assessment. Per Recording Law — China Data Privacy Laws 2026 Guide.
  • Security Assessment threshold: 1M PI subjects or 10K sensitive PI subjects per year. Mandatory CAC security assessment for any organization transferring personal information of more than 1M individuals, or sensitive personal information of more than 10K individuals, abroad within a single year. Per California Lawyers Association — Cross-Border Data Transfer in China.
  • PIPL has extraterritorial scope. PIPL applies to overseas processing activities targeting individuals in China (products/services or analytics about Chinese individuals). Per DLA Piper — Data Protection Laws of the World: China.

Connections 8

Outbound 3
scoped_to3
S3Object StorageSovereign Storage
Inbound 5
solves5
Aliyun OSSTencent COSHuawei OBSCubbit DS3East Data West Computing

Resources 2

SpecHigh
www.newamerica.org/insights/translation-cybersecurity-law-pe...

Cyberspace Administration of China official text of the Cybersecurity Law (2017) — the foundational PRC law that created the data-localization framework.

BlogHigh
www.dlapiper.com/en/insights/publications/2024/01/chinas-rev...

Analyst summary of CAC's revised cross-border transfer rules — practical guide for what an "important data" classification requires of an export workflow.

Featured in

2026-06-16 The Whole Stack Went Open — Weights, Storage, and Sovereignty In the same quarter that a 1.6-trillion-parameter open-weights model landed on top of last year's closed frontier — and Anthropic's Claude Fable 5 promptly sprinted ahead again — the storage layer underneath it went open too: DeepSeek open-sourced its file system, Europe stood up sovereign S3, and the post-MinIO self-hosted stack matured. The frontier and the floor are pulling apart, and the pattern underneath all of it is the oldest pain point this index maps: vendor lock-in. 2026-05-10 The POSIX Gap is Closing: How S3 Quietly Became a File System The May 7 post was about why storage suddenly matters again for AI workloads. This one is about how the access model itself evolved. After a decade of failed FUSE clients trying to bolt POSIX semantics onto S3, the storage service finally absorbed the operations the filesystem world expected — and a string of 2020-2026 changes (strong consistency, Express One Zone, directory buckets, S3 Tables, GPUDirect Storage) made S3 Files possible. Plus the parallel story in China: Aliyun CPFS+OSS, Huawei OBS+MindSpore, the same shape drawn three different ways. 2026-05-08 When the Index Gained 13 Nodes: A Field Guide to the May 2026 Wave On May 7 the index added 13 new nodes — five technologies, six pain points, one architecture, one standard. Each answers a specific question engineers building on object storage are asking right now: what is China's S3 stack, why are GPUs starving, what replaced MinIO, what are the three data gravity wells, and a few more. This post walks through them by question rather than by node type, because that's how the questions actually arrive in production. 2026-05-07 When DeepSeek Made Storage Strategic: The China Direction Reshaping the S3 Ecosystem DeepSeek's $5.6M training run didn't just reset model architecture. It made object storage performance-critical, made silicon export controls a storage decision, and pushed Aliyun OSS, Tencent COS, and Huawei OBS from regional curiosities into the global S3 vocabulary. This index added 13 nodes to track what changed.