19 April, 2017
I. Background
The Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of the Cross-Border Transfer of Personal Information and Important Data (the “Draft”) on April 11, 2017, with a one-month period for public comment.
Security assessments on the cross-border transfer of personal information and important data were first introduced into law by the Cybersecurity Law (the “CSL”), issued in November last year and due to take effect on June 1, 2017. The CSL grants the national cyberspace administration the authority to develop security assessment measures in conjunction with other regulatory authorities. Together with the National Security Law, these provisions of the CSL serve as the legal basis for the Draft.
II. What Data must be Localized?
The Draft extends the data localization and security assessment requirements that the CSL imposes on critical information infrastructure operators (“CIIO”) to all “network operators”, and requires personal information and important data that network operators collect and generate in the course of their operations within China to be stored within the territory of China. Where it is genuinely necessary, for business reasons, to provide such information and data to overseas parties, a security assessment must be conducted first. (Article 2)
The Draft adopts a definition of “personal information” similar to that in the CSL. For “important data”, which the CSL leaves undefined, the Draft provides a broad and ambiguous definition, namely “data closely related to national security, economic development and public interests”, and leaves its specific scope to be stipulated in national standards and identification guides yet to be formulated. (Article 17)
III. How to Carry Out Assessments?
The Draft regulates cross-border transfers through two mechanisms: so-called self-assessments and assessments by the authorities. In brief, network operators are required to carry out self-assessments for all cross-border transfers of data (Article 7), while cross-border transfers that meet certain criteria must be submitted to the operator's industrial regulatory authority or to the national cyberspace authority for assessment (Article 9).
These criteria include, for example, a transfer that involves, individually or cumulatively, the personal information of more than 500,000 individuals; a transfer with a data volume of more than 1000 GB; or exported data relating to nuclear facilities, chemistry and biology, national defense and the military, public health, major project activities, the ocean environment, or sensitive geographical information. The article also contains a catch-all provision covering “other situations which may affect national security and societal public interests, and the industrial administration authority or regulatory authority considers the export data should be subject to the security assessment”. (Article 9)
Network operators must conduct security assessments of data exports at least once a year, and where significant changes occur to certain aspects of the exported data, a re-assessment is required. (Article 12)
IV. What is to be Assessed?
The assessment of data exports is to focus on the following aspects:
- necessity of the data export;
- the amount, scope, type, sensitivity of personal information and important data and individuals’ consent in case of personal information;
- security conditions of the recipient and the receiving country;
- possibility of the data being divulged, damaged, tampered with or misused;
- risks for national security, public interest and individual’s legitimate interests; and
- other important aspects that need to be evaluated. (Article 8)
Data should not be exported if:
- the individual concerned has not consented to the export, or the export would jeopardize his or her interests;
- the export may endanger national security or the public interest; or
- the competent authorities, in their discretion, have otherwise prohibited the export. (Article 11)
V. Observations
Compared to the CSL, the Draft expands the scope of entities subject to data localization and security assessment obligations, and imposes a broad assessment obligation (whether self-assessment or government assessment) on network operators, while the specific and detailed standards, procedures and requirements are still to come. Once issued and implemented, the Draft may have an extensive impact on the operations and IT architecture of companies with cross-border operations in a fast-developing digitalized world. We will continue to monitor how the Draft will be coordinated with the existing legal system, e.g., the domestic storage requirements and restrictions on cross-border transfer found in existing laws and regulations, and how cooperation between the cyberspace authorities and the industrial regulatory authorities is handled.