10 May, 2017
The Cyberspace Administration of China (“CAC”) released, on 11 April 2017, draft rules (“Draft”) on the transfer of personal information and important data out of China (with a consultation period of one month). Article 37 of the Cyber Security Law, which will come into effect this June, contains a data onshoring principle which requires operators of critical information infrastructure (“CII”) to store in mainland China all personal information and important data collected or generated in the course of their operational activities. The proposed procedures in the Draft enable (subject to exceptions) transfers of personal information and important data out of China for business purposes provided that a security review is conducted in accordance with the relevant provisions of the Draft. Whilst Article 37 applies only to operators of CII, the Draft proposes that it should apply to all network operators (which includes network owners, network administrators and online service providers in China).
This chart outlines the proposed procedures all network operators must adhere to when seeking to transfer or provide personal information and important data to any person or entity outside mainland China.
Proposed new regime for transfers of personal information and important data out of China | Existing rules on transfers of information and data out of China
Core principles of the proposed new regime
Before transferring/providing data
Evaluation by operator. Issues to be considered for the proposed transfer include:
On an annual basis
The network operator must evaluate all transfers of data out of China at least once a year, reporting the results to the industry regulator.
Post-transfer evaluation
The network operator must re-evaluate transfers of data out of China where:
Role of industry regulator
The network operator must apply to the industry regulator for evaluation of a proposed transfer if:
- data on more than 500,000 individuals or more than 1000GB, or major engineering, marine environment, sensitive geographical etc. data will be transferred;
- the data concerns sectors such as nuclear facilities, chemical biology, defence/munitions and public health;
- the data will be transferred by a CII operator or relates to the security of CII; or
- the industry regulator/CAC considers a review to be necessary on grounds of national security or public interest.
If there is no specific industry regulator, the evaluation is to be conducted by CAC instead.
It will be prudent for network operators to check with industry regulators on any uncertainties when evaluating the security of any proposed data transfers, given that the network operators are responsible for all evaluations they conduct, and the industry regulators will periodically review data transfers for security issues.
Overall assessment
The Draft is a framework that illustrates the broad principles of a proposed regime for transfers out of China, and is a potential starting point for network operators to plan and assess compliance with the data onshoring regime in the Cyber Security Law. However, it also suggests that further rules need to be prepared on the application procedures and documents to be submitted to the authorities for an evaluation and on the factors the authorities will consider in evaluating proposed data transfers, as well as on key provisions that serve to define the Draft’s scope, such as “important data” and the types of information whose transfer out of the PRC the authorities will seek to ban.
See below for an explanation of key terms used in this alert.
Definition of key terms
Personal information
The Draft repeats the definition of the Cyber Security Law, which is “information recorded in electronic or any other form which can be used alone or in combination with other information to identify a natural person, including but not limited to the name, date of birth, ID number, personal biological identification information, address and telephone number of the natural person”. Article 42 of the Cyber Security Law also contains a principle that if personal information has been processed to prevent specific persons from being identified and the information so processed cannot be reconstituted, the network operator is not required to obtain the Data Subject’s consent to provide the information to a third party. When read together with the Draft, arguably, the provision out of China of personal information processed in this form should not require the Data Subject’s consent (though the point has yet to be tested).
Important data
Data closely connected with national security, economic development or the public interest. What exactly constitutes important data is to be determined in accordance with national standards and important data identification guidelines. This is a key concept for how the Draft is intended to work. The definition suggests that further rules are in the pipeline.
Critical information infrastructure
The Cyber Security Law mentions further rules will be issued by the State Council defining its scope. No further clarification is provided in the Draft. Guidelines for identifying cyber infrastructure as CII (having regard to its role in supporting critical business activities, user numbers and the potential impact of a breakdown) have been published by the Office of the Central Leading Group for Cyberspace Affairs. That said, the distinction between network operators and CII has become less important given the Draft extends the data onshoring requirement to all network operators, save in relation to the requirement to submit proposed data transfers out of China to the industry regulator or CAC for review.
Reference
Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Draft) 《个人信息和重要数据出境安全评估办法(征求意见稿)》, CAC, 11 April 2017
For further information, please contact:
Jian Fang, Partner, Linklaters
jian.fang@linklaters.com