web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Finance forum / Legal to host D365 out...
Finance forum

Legal to host D365 outside of mainland China?

(0) ShareShare
ReportReport
Posted on by Krister Lann

Hi,

We have today a Microsoft Dynamics 365 for finance and operations up and running for some of our companies. This solution is cloud hosted by Microsoft in northern Europe.

We are now about to set up a subsidiary in Shanghai China. My question is, is it legal to host this Chinese company data in Europe or do we need to host in mainland China? 

Categories:
I have the same question (0)
  • nmaenpaa Profile Picture
    nmaenpaa 101,166 Moderator on at

    I'm not sure how many experts of Chinese law are reading this forum. That question is not specific to D365FO, instead it's specific to data protection laws of China.

    By googling "Chinese law data residency" you will find some information. But I would try to get a confirmed answer from someone who truly nows the legal matters in this area.

    It might also depend on whether you store personal (customer) data or not in the system.

  • Community Member Profile Picture
    Community Member on at

    Hi Krister,

    Hosting doesn't have anything to do with the organization. The real question is that the organization is letting you preserve data outside China? If yes, then its not going to be a problem for you. You must consult someone so that you are not violating any data rights.

  • The F Profile Picture
    The F 20 on at

    Hi guys.

    I know this question is super old, but just in case someone stumbles over this:

    This is the official text of the Chinese cybersecurity law: www.gov.cn/.../content_5129723.htm (in Chinese of course). If the link expires, copy and paste this text into web search: 中华人民共和国网络安全法.

    The interesting paragraph is in section 3, paragraph 37. It says (this is not an official translation): "Personal information and important data collected and generated by operators of critical information infrastructure during operations within the territory of the People's Republic of China shall be stored within the territory."

    The cybersecurity law mostly speaks of personal information (with regards to this, to make it simple, it's very similar to the GDPR of the EU) and providing network services to Chinese citizens (VPNs, web content etc.).

    The key issue with the cybersecurity law however is the term "important data" in paragraph 37, which can basically mean anything. It's not defined in further detail anywhere. It's common to have very broad and openly phrased paragraphs over here (you can figure the why out for yourself), and I've never seen this paragraph applied ever.

  • Martin Dráb Profile Picture
    Martin Dráb 239,040 Most Valuable Professional on at

    As I understand (and I remember dicussions inside Microsoft where people had the same understanding), hosting F&O outside China isn't allowed. To be able to offer Azure-based services there, Microsoft built a special sovereign cloud in China. Refer to Dynamics 365 Finance and Dynamics 365 Supply Chain Management - operated by 21Vianet in China for more information.

  • The F Profile Picture
    The F 20 on at

    I've heard that quite often, and I've challenged everyone who said that to show me any official document saying that hosting an ERP outside of China wasn't allowed. So far, no one was able to produce such a document. Local law firms and local ERP providers tend to continue to spread this information (again, you can figure out the why for yourself). As you mentioned you know people in Microsoft who discussed this and came to that conclusion, I'd be very grateful if you could ask those people what their decision was based on. I'm sure it would help out everyone who comes about this thread to get some definitive anwers.

    As for FO hosted on 21Vianet, I'm aware of that of course. There are a lot of formalities around setting up cloud stuff in China and it takes a lot of time, and setting up an FO environment is even more daunting, due to the limitations as pointed out in that article. From release of FO in the China cloud until today, I only know one company first hand who implemented FO in the China cloud (successfully) and have heard of two others. I of course don't know every company in China, so this os only my viewpoint. I encourage everyone to thoroughly read the article linked by Martin Drab and do their own research.

  • Martin Dráb Profile Picture
    Martin Dráb 239,040 Most Valuable Professional on at

    Well, I guess that Microsoft has a reason why they invested a huge amount of money to the sovereign cloud. They wouldn't bother if their lawyers thought that it's not needed.

    I'm not laywer, but I don't see how we could argue that F&O doesn't store any personal information (which, according to your information, "shall be stored within the territory").

  • Suggested answer
    The F Profile Picture
    The F 20 on at

    Let's not speculate. Yes, Microsoft is investing huge amounts of money into the sovereign coud, first and foremost for economic reasons, like every other foreign company investing in China.

    Meanwhile, I've dug up another official Microsoft link about data sovereignty and China:

    docs.microsoft.com/.../overview-sovereignty-and-regulations

    Which is part of the Azure China checklist, also a must read in my opinion for companies thinking about deployment in China:

    docs.microsoft.com/.../overview-checklist

    Note that the first article states "In particular, an operator of CII is subject to the data sovereignty requirement. (...) As of July 2020, Azure China isn't formally categorized as "CII"." (CII = critical information infrastructure).

    With regards to the personal information (PII), yes, the cybersecurity law (CSL) states it must be stored domestically in China, but as I also mentioned, with PII, the CSL does get more specific on the regulations for PII. Similar to the GDPR, users can opt-in to storage outside of the PRC if they have been informed about purpose, duration and scope of PII storage outside of the PRC.

  • Yohann Rolland Axcible Profile Picture
    Yohann Rolland Axcible 3,111 on at

    Hello all,

    Raising this topic again :)

    Still not clear for me.

    Let's consider a project with core model build in EMEA and roll out accross 10 countries including China.

    I've heard different sounds on that.

    1/ Some would say production instance have to be located in China DataCenter (with Viannet21) no matter what -> so duplicate instance and intercompany issues to deal with (and others..)

    2/ Others have told me they've deployed China without this issue. You just need to duplicate production instance in local Datacenter. So having like a T1 or T2 located in China DataCenter (Viannet21) is enough and you process a Power Automate to replicate production instance in here. And for sure production will be in EMEA.

    Thoughs ? Feedback ?

    Many thanks

  • Suggested answer
    The F Profile Picture
    The F 20 on at

    You do global single instance in EMEA and connect to it from China via public internet. In most Chinese locations where foreign enterprises have subsidiaries, internet is good enough to access D365 from China (a little slower than you are used to from Europe, but definitely usable). If your users find it too slow, you can do MPLS or something similar. If you have mission critical data that must be instantly accessible in China without latency, then you can replicate that data to (for example) Azure Data Lake in China, but you don't need to replicate the whole ERP.

  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 303,730 Super User 2026 Season 1 on at

    Hi Yohann,

    Not completely sure, but I understood in the past that the data needs to be created and stored in China. A copy in another region was, I thought not an issue. However, you should get the answer from a person who is knowledgeable with the Chinese data regulations.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

November Spotlight Star - Khushbu Rajvi

Congratulations to a top community star!

Forum Structure Changes Coming on 11/8!

In our never-ending quest to help the Dynamics 365 Community members get answers faster …

Dynamics 365 Community Platform update – Oct 28

Welcome to the next edition of the Community Platform Update. This is a status …

Leaderboard > Finance

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans