6 June, 2017
The National Information Security Standardization Technical Committee (“TC 260”) released a draft of the Information Security Technology - Guidelines for Cross-Border Data Transfer Security Assessment (the “Guidelines”) on May 27, 2017 and opened it for public comment for one month.
I. Background
The Cyberspace Administration of China (“CAC”) released a draft of the Measures for Security Assessment of the Cross-Border Transfer of Personal Information and Important Data (the “Assessment Measures”) on April 11, 2017. As an important ancillary implementing regulation of the Cybersecurity Law (“CSL”), the Assessment Measures establish the basic framework for the security assessment of data exports. Under the Assessment Measures, where network operators provide personal information or important data collected or generated in the course of operations within the territory of China to overseas parties, a security assessment must be carried out. Security assessments for data exports take two forms: self-assessments by the network operator and assessments by the competent authorities. Building on the Assessment Measures, the Guidelines specify the requirements for the assessment process, the focus of the assessment, the assessment methods, and the scope and types of “important data” in different sectors and industries.
II. Application
The Guidelines apply to security assessments carried out by network operators. They also apply to the competent industry regulators or regulatory authorities in their guidance and supervision of the security assessments carried out by network operators. The CAC and the competent industry regulators or regulatory authorities may refer to the Guidelines when conducting security assessments of data exports within their respective areas of authority.
III. Security Assessment Process
In accordance with the Guidelines, the security assessment process consists of the following steps: initiating the self-assessment, formulating a data export plan, assessing the lawfulness, appropriateness and controllability of the data export plan, generating an assessment report, and carrying out checks and revisions.
Network operators shall formulate a data export plan if their products or services involve the export of data. The data export plan shall include, without limitation, (1) the destination, scope, type and scale of the data export; (2) the information systems involved; (3) the transit country or region (if any); (4) the basic situation of the receiving party and of the country or region where it is located; and (5) the security control measures. Network operators shall assess whether the data export plan is lawful, appropriate and controllable by applying the assessment methods set out in Appendix B of the Guidelines, and shall formulate an assessment report. Personal information and important data shall not be provided overseas if the security assessment rates the risk as high or extremely high. The assessment report shall be retained for at least five years. If the data export plan does not satisfy the requirements of lawfulness, appropriateness or controllability, the network operator may revise the data export plan or take measures to reduce the risk of the data export (such as desensitization of the data), and then initiate another self-assessment.
IV. Focus of Assessment
The self-assessment for a data export focuses on two issues: the lawfulness and appropriateness of the export, and the controllability of the export.
When assessing the lawfulness and appropriateness of the data export, the factors to be taken into account include whether consent has been obtained from the individuals whose personal information is to be exported, whether the data export complies with the provisions of relevant treaties concluded between the Chinese government and other countries or regions, whether the data export is necessary for performing the ordinary business activities or the contractual obligations of the network operator, and whether the data export is required for judicial assistance.
When assessing the risk controllability of a data export plan, the features of the exported data and the likelihood of security incidents during the data export shall be considered together. The features of the exported data include the volume, scope, type, sensitivity and technical processing of the personal information or important data. When assessing the likelihood of security incidents during the data export, the factors to be taken into account include (1) the technical and management capabilities of the exporter in relation to the data export; (2) the security protection capabilities and measures of the recipient; and (3) the political and legal environment of the recipient's jurisdiction.
V. Assessment Methods
The Guidelines provide methods and standards for the assessment, which are based on the level of impact on individual rights and interests caused by the export of personal information, the impact on national security and the public interest caused by the export of important data, and the likelihood of security incidents. On the basis of a comprehensive judgement of these factors, the overall security risk of a data export activity is classified into one of four levels: extremely high, high, medium and low. If the assessment rates the security risk of the data export as extremely high or high, the relevant personal information or important data shall not be exported.
VI. Identification of Important Data
The Guidelines define important data in 28 industries and sectors, such as resources and energy, telecommunications and electronic manufacturing, and the definition, scope or identifying criteria for important data in these key industries may be further specified by the competent industry regulators or regulatory authorities. The provisions on important data in the Guidelines reflect restrictions on data exports already found in existing laws and regulations (for example, demographic health information, personal financial information, credit information and map information), and add new types of data that are restricted from export, such as registration information of e-commerce platforms and e-commerce transaction records.
VII. Observations
As an important ancillary document to the CSL, the Guidelines put forward detailed recommendations on the process, methods and focus of the data export security assessment. Although the Guidelines do not have mandatory legal force, they are likely to be adopted and referred to by network operators in various industries in their data export activities, since existing laws and regulations fail to provide detailed guidance. In data export assessments, enterprises need to take into account factors such as the consent of the individuals whose personal data is being exported, the necessity of the data export, the security protection measures of the data exporter and of the data recipient, and the political and legal environment of the receiving country or region. These comprehensive and detailed assessment requirements bring new challenges for enterprises' data export activities. Where an assessment determines that a data export is not allowed, the company may need to consider adjusting its data export practices, improving the security protection measures of the data exporter and the data recipient, and taking technical measures such as desensitization to meet the compliance requirements. As the Guidelines are still open for public comment, we will continue to monitor their subsequent development and implementation.