26 June, 2017
Implementation blueprint for new data transfer regime begins to take shape
National Standards for Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft), published by the Technical Committee for Standardisation of National Information Security Standards.
Introduction
One key element of the proposed Measures on the Security Assessment of Cross-border Transfer of Personal Information and Important Data (“Proposed Rules”), the two drafts of which are intended to implement the Cyber Security Law’s new regime on cross-border data transfers and are covered in our previous alerts here and here, is the requirement for security assessment of transfers of personal information and important data outside the PRC. On 27 May 2017, the Technical Committee for Standardisation of National Information Security Standards published draft guidelines for the conduct of these security assessments (“Draft”).
The Draft’s main purpose is to set out the detailed factors which businesses need to weigh up when making transfers of personal information and important data outside the PRC. Though not mandatory, the Draft merits detailed consideration by businesses, as it is a clear indication of how the authorities view the Proposed Rules in practice. In this alert, we consider the key aspects of the Draft’s proposed methodology and its practical implications.
The Draft does not apply to all cross-border data transfers; for instance, it does not apply where the Proposed Rules require an assessment of a data transfer by the regulators instead of the transferor. This may include (subject to further revisions to the Proposed Rules) transfers of personal information of over 500,000 individuals, and certain types of data, such as data relating to nuclear facilities, biochemistry, national defence munitions, population health, large-scale projects, the marine environment or sensitive geographic information, and cybersecurity information relating to critical information infrastructure. The regulators may, however, have regard to the principles of the Draft in these situations.
Assessment process
The Draft applies to the self-assessment of any “provision” outside the PRC of personal information and important data in electronic form collected or generated by a network operator in the course of a business conducted in the PRC. The term “provision” includes information dissemination by businesses by any means, including the networked transmission of information by users of their products and services, and covering transfers which are either self-initiated or made by a third party who has access to a network.
Transfers of data within in-house networks are not automatically exempt, though the Draft makes limited exceptions for the provision of lawfully disclosed public information and overseas data routed through the PRC without alteration or processing.
The proposed self-assessment process, which starts with the preparation of a transmission plan containing details of the proposed cross-border data transfer, is illustrated in the workflow below.
All proposed transfers must first satisfy:
- a “legality” test of compliance with law, supranational data transfer treaties, and requirements of the Cyberspace Administration of China and other PRC authorities; and
- an “appropriateness” test defined in accordance with the transferor’s legal scope of business, legal obligations, cyberspace sovereignty, national security and the public interest.
If these tests are satisfied, a self-assessment, or in some cases, an assessment by the regulators, must be conducted to determine if the risk of transfer of data outside the PRC is controllable. The transfer is deemed compliant if the assessment is completed, unless the transfer is assessed at a risk level of “high” or “very high”, when it would be deemed too risky to proceed.
The Draft requires compilation of the assessment findings and conclusions into a report, and proposes that these reports have a minimum five-year retention period. Each completed transfer must be re-assessed if the data is transferred to a new party, material changes occur to the purpose of transfer or scope, quantity or type of data transferred, or a major security incident occurs.
Assessment mechanism
The assessment is proposed to be structured in two parts: first, “impact”, which is broadly an assessment of the data being transferred; and secondly, the likelihood of a security incident, such as a data breach.
Numerical values are assigned to each factor, representing an ascending order of risk. Transfers deemed too risky to proceed would include the following (shown in red in the right margin):
- having impact level 5 on a scale of 1 to 5, regardless of the risk of data breach;
- having security incident risk assessed at level 2 on a scale of 1 to 3, with impact being assessed at level 4 or above; and
- having security incident risk assessed at level 3, with impact being assessed at level 3 or above.
The proposed methodology emphasises the interdependence of Parts I and II, and the relative importance of the different factors.
If risk of security incidents is low, the transfer is only prohibited if data transferred is of the highest impact level. Medium risk of security incidents means that a transfer of “important data” cannot proceed unless the impact level is mitigated by another factor, such as data being de-sensitised. A high risk of security incidents results in the transfer being prohibited for all but the least risky types of data.
Part I: level of impact
If the data transferred largely consists of “sensitive personal information”, the level of impact is assessed at level 3 on a scale of 1 to 5. If the data transferred includes identified categories of “important data”, the level of impact is assessed at level 4.
Further adjustment based on the following factors is proposed:
- Magnitude – a greater number of data subjects or greater importance of data implies greater risk, e.g. (i) the impact level of transfers of personal information relating cumulatively to over 500,000 individuals in any one year, or of significant data over 1000GB, will be increased by a factor of one; and (ii) the potential value of information relating to a “specified group of individuals” being agglomerated with other data is to be considered.
- Scope – transfers must relate directly to business necessity and be set at the minimum frequency and extent required by the relevant business (with impact level increased by a factor of one if these principles are breached).
- Data re-engineering – the impact level of a transfer where the information or data has been irretrievably de-sensitised may be reduced by a factor of one.
“Sensitive personal information” is proposed to be defined as personal information which, if divulged, illegally provided to anyone or abused, could (amongst others) pose a threat to the safety of persons and property, damage individual reputations, physical or mental health, or lead to unfair discrimination. “Important data” is identified by a set of principles, with specific definitions to be provided by industry regulators (refer to the Appendix for an overview of the proposed “important data” principles).
Part II: risk of security incident
Part II proposes evaluation of factors relating to the transferor and the transferee (including the legal and regulatory environment in which it operates). Each factor requires separate evaluation as low-risk, medium-risk or high-risk.
If a high-risk score is recorded under any single factor, overall risk of Part II is regarded as high. If there is a combination of low- and medium-risk assessments, overall risk of Part II is regarded as medium; if all factors are assessed at low-risk, then overall risk of Part II is regarded as low. For each factor, in general, the greater the extent of security gaps identified, the higher is the risk level deemed to be posed.
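The interplay between Part I, Part II and the prohibition thresholds is easier to see when the rules are written out as code. The following is an added worked example, not text from the Draft or from the alert: it encodes the impact adjustments, the Part II aggregation rule and the three “too risky” combinations described above. The starting impact level of 1 for data that is neither sensitive personal information nor important data, and the factor names used in the sample transfers, are assumptions of this example.

```python
# Added example encoding the Draft's assessment logic as summarised in the alert above.
# It is illustrative only; the Draft is not mandatory and this is not the Draft's own method.
from dataclasses import dataclass, field
from typing import Dict, Tuple

PROHIBITED = "prohibited"
PERMITTED = "permitted"


@dataclass
class Transfer:
    sensitive_personal: bool          # data largely "sensitive personal information"
    important_data: bool              # includes identified "important data" categories
    individuals_per_year: int         # cumulative data subjects in any one year
    volume_gb: float                  # size of the data being transferred
    exceeds_business_minimum: bool    # breaches the minimum frequency/extent principle
    irretrievably_desensitised: bool  # data re-engineering mitigation applied
    # Part II factor ratings, each 1 (low), 2 (medium) or 3 (high); names are assumed
    factor_levels: Dict[str, int] = field(default_factory=dict)


def impact_level(t: Transfer) -> int:
    """Part I: base level plus the +1/-1 adjustments, clamped to the 1..5 scale.
    The Draft gives a base of 3 for sensitive personal information and 4 for
    important data; the base of 1 for other data is an assumption of this example."""
    if t.important_data:
        level = 4
    elif t.sensitive_personal:
        level = 3
    else:
        level = 1  # assumed base for data in neither category
    if t.individuals_per_year > 500_000 or t.volume_gb > 1000:
        level += 1  # magnitude
    if t.exceeds_business_minimum:
        level += 1  # scope
    if t.irretrievably_desensitised:
        level -= 1  # data re-engineering
    return max(1, min(5, level))


def incident_risk(t: Transfer) -> int:
    """Part II: any single high factor -> high; otherwise any medium -> medium; else low."""
    levels = list(t.factor_levels.values())
    if any(level == 3 for level in levels):
        return 3
    if any(level == 2 for level in levels):
        return 2
    return 1


def assess(t: Transfer) -> Tuple[int, int, str]:
    """Combine both parts using the three prohibition combinations from the Draft."""
    impact = impact_level(t)
    risk = incident_risk(t)
    too_risky = (impact == 5
                 or (risk == 2 and impact >= 4)
                 or (risk == 3 and impact >= 3))
    return impact, risk, PROHIBITED if too_risky else PERMITTED


if __name__ == "__main__":
    # Constructed sample: important data on 600,000 individuals, de-sensitised, with
    # one medium-risk Part II factor. The mitigation alone does not save it.
    sample = Transfer(False, True, 600_000, 50, False, True,
                      {"transmission_protection": 1, "contractual_protection": 2})
    print(assess(sample))
```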
Transferor’s factors
- Information security factors, such as data transmission protection, boundary protection, access management authorisation and cross-border data transmission logs, with security measures commensurate to the nature, scope and sensitivity of data transferred.
- Management factors, including complete management processes and complete crisis response, data transfer audit, complaints handling and safety incident reporting systems, and employing personnel trained in cross-border data transfers, who are able to deal with complaints from data subjects in an independent manner.
- Contractual protection from the transferee, including prohibitions against processing, disclosure or re-transfer of the data unless the transferor’s authorisation and (if applicable) the personal information subject’s consent is obtained.
Transferee’s factors
- Information security factors, such as capability of the IT system to achieve automated data security. The automated security requirements proposed for the transferee (technical tools) are:
  - monitoring of data receipt, storage, use, transmission and destruction;
  - uniform back-up and restoration tools; and
  - anti-cyber attack, data worm and other security tools.
- Comprehensive systems and controls, and well-structured and competent management and organisation.
- The receiving jurisdiction’s level of protection of personal information and the comprehensiveness and effectiveness of remedial recourse in enforcing such protection, a responsibility and monitoring regime in that jurisdiction to investigate security incidents, and the existence of checks and balances on the local regime’s ability to obtain any “important data”.
- Due incorporation, licensing and compliance track record, requiring “transparent” background relationships where a transfer of important data is involved.
Issues to consider
Key concepts still undefined
“Sensitive personal information” and “important data” are both potentially high-risk factors which could lead to a proposed cross-border transfer being prohibited. Yet, neither these concepts, nor their relevant aggravating and mitigating factors are precisely defined in the Draft, though some broad principles are proposed. Other associated concepts of the Draft, such as how to evaluate “important data” of different economic value and the meaning of “identified group of individuals” triggering the assessment to consider data agglomeration, are also undefined.
Uncertainty in application of Proposed Rules
Some provisions of the Draft re-visit issues which previously appeared to be resolved in the Proposed Rules. These include consent by personal information subjects to the specific processing arrangements (a concept in the first draft of the Proposed Rules, removed from the 19 May draft), the need to consider impact of data agglomeration of information on a “specified group of individuals”, and data transfers over 1000GB being deemed high-risk.
Clarification of these issues is critical to resolve certain issues with the operation of the Proposed Rules, such as whether transfers of data relating to over 500,000 individuals must be assessed by the regulators (as required by the Proposed Rules) or if self-assessment will suffice as provided in the Draft, and whether transferees will need consent from individual personal information subjects before processing any data received.
Practical difficulties with applying the Draft
As the overall risk rating of a potential transfer could be increased by a finding of “medium” or “low” security in the assessment of any single factor under Part II, transferors would, ideally, seek to achieve a high degree of protection under each of the factors in Part II. This may, however, be difficult in practice and requires comprehensive review of existing data transfer business practices including, potentially, new data processing arrangements.
It is proposed that to constitute a high degree of protection under the Draft, the transferor must have “effective” technical IT security measures which are free of all potential (even low-level) bugs and demonstrate that the use of its IT system poses non-negligible damage in a cyber threat scenario. Similar requirements are proposed for the transferee. Where significant data is being transferred, the extent of diligence needed to conclude that the transferee presents “transparent” background relationships is unclear.
The proposed systems and controls criteria lack specificity and are capable of subjective construction, such as a “strict” operating procedure for cross-border transfers of information and the need to have “complete” systems.
Significant costs for transferors and transferees may be entailed by the proposed requirements for dedicated data transfer compliance personnel and training and to audit the transfer, processing, receipt, storage and destruction of data, as well as the requirements for the transferee’s IT systems to comply with IT security rules in the local jurisdiction and an independent complaints procedure for information and data subjects. Transferors and transferees may need to procure new software and technical tools to comply with the Draft.
Proposed requirements for the jurisdiction receiving the data to have comprehensive mechanisms to protect personal information and investigate security incidents, including enforcement and application in practice as well as limits on the powers of data protection authorities, may result in transfers to some jurisdictions being assessed at medium-risk or high-risk. This could limit the transferor’s choice of data location, as the costs of data processing are often lower in jurisdictions with less developed regimes.
Other practical difficulties include the requirements for all transfers to be conducted to the minimum extent required to perform the relevant business function (it may not be technically feasible to perform precise segmentation of data transfers in all cases), and for de-sensitisation to be carried out in an “effective and reliable” manner, to a “reasonable degree” of irretrievability. Failure to comply with these proposed requirements would result in a higher impact level under Part I, but the requirements themselves may not be technically achievable or sufficiently specifically defined. Tests which capture most undesirable risk elements whilst achieving practical feasibility are needed.
On the requirement to re-assess a completed transfer after a change in its parameters, no look-back period is specified. This could impose significant burdens on businesses if triggered after the Proposed Rules have come into effect for a long period.
Conclusion
The Draft is a call for businesses operating in the PRC to review all operations involving cross-border data transfers, and restructure existing arrangements and renegotiate arrangements with suppliers where appropriate. Compliance with the data transfer regime by the intended effective date, currently 31 December 2018 in the Proposed Rules, requires businesses to prepare now for the final release of the Draft and the Proposed Rules. The compliance requirements proposed in the Draft may entail significant costs for multinationals operating in the PRC, and could even encourage multinationals to review their cross-border data practices in other jurisdictions with a view to considering whether to locate future global or regional data processing activities in the PRC.
Appendix: how to identify “important data”
The Draft proposes, for the first time, how to identify “important data”. First, data is deemed “important” if its breach, loss, abuse, alteration or destruction, or an accumulation, merger and analysis of the data could harm the interests of the State. The “interests of the State” are defined by a broad range of security considerations, including defence, the military, international relations, the public interest, State culture and the rights of citizens, law enforcement or governmental functions, anti-espionage, political infiltration and organised crime, infrastructure, government information systems, economic order, financial security, divulgence of State secrets or State sensitive information, as well as the land, resources, information, ecology and nuclear facilities of the State.
The Draft also proposes specific categories of “important data” in a range of key sectors of the Chinese economy. This initial risk level can be increased or decreased by the impact of other factors, as detailed under Part I above. A transfer of important data could be prohibited under the Draft if its impact is assessed to be high-risk, or its risk of security incidents (as detailed under Part II above) is “medium” or “high”.
The Draft stops short of automatically defining all industry data categories it lists as “important data”. Instead, the Draft asks industry regulators to define or provide criteria for identifying “important data” in their sectors, having regard to the suggested categories in the Draft, the practical circumstances of their industries, and the extent to which “interests of the State” could suffer from loss or misuse.
While the Draft does not conclusively define “important data”, what is worrying is that the categories of “important data” as proposed in the Draft appear extremely broad, and could potentially include all data (other than trivial data) needed to understand or manage a complex business operation in the PRC or which is otherwise deemed sensitive in the PRC. It is likely that a zealous industry regulator would, adopting the Draft as a blueprint, set a very broad industry definition of “important data”. For example, the Draft considers each of the following to be “important data”:
Financial sector: new product plans and related product development records and data; software, source codes, destination codes, encryption codes, technical plans, designs, reports, test results and drawings; sales information and market surveys; sales plans, financial information, analyses and other business information; all account and transaction information, customer identification information and information on individual customers’ credit, preferences, incomes and assets; and credit transactions between businesses or individuals and non-financial institutions (including P2P lending and overdue utility bills).
Statistics (includes both national and provincial level statistics unless otherwise stated): census details; initial national GDP estimates; national industrial production and value add thereto; national financial indicators; business energy consumption and declines in such consumption; provincial fixed asset investment and retail consumption; food and cotton production; factory gate and input prices and their main constituents; real estate sales; agricultural production and product sales; coal consumption; and average, urban and rural per capita incomes and expenditures.
E-commerce: user registration information; transaction records and related consumer preferences or business data; credit ratings and records of transaction counterparties; and payment, financing and logistics information.
Other sectors: value data (such as value of reserves), production, sales, project progress, reserve, environment and safety data in the oil and gas sectors; electronic IT equipment sales, use and operation data in critical sectors and key industries; sales, reserves and plant construction data involving dangerous chemicals; layout plans, capacity and storage details of chemical complexes; topographical and marine maps to scale of 1:50000 and above, and their digitised data; data analysis of geographic information including exploitation, distribution and stocks of energy and mineral reserves; information of patients and informants obtained from adverse drug tests; clinical test data for second- and third-category medical equipment; and certain types of unpublished pollution statistics.
In addition to the sectors specified, the Draft provides that industry regulators may also consider the following as a guide to defining the scope of “important data” within their own industries:
- data providing a holistic view of an industry with close ties to national security and the public interest;
- data reflecting the business, as a whole, of an industry participant which could pose a systemic risk;
- natural, economic or societal conditions which are unchanging or will remain stable for a long period, such as location, topography, mining areas and genetic characteristics;
- data such as location, ID numbers, mobile numbers or enterprise codes which could, if combined, result in identifications, associations or linkages;
- data relied upon by industry regulators in making major plans, or obtained by industry regulators from industry participants;
- data relating to a wide scope, a long period or important regions or periods which could, in combination, affect national security or the public interest if sent outside the PRC; and
- information relating to “critical information infrastructure” (a draft of the rules on critical information infrastructure is expected to be released soon).
For further information, please contact:
Jian Fang, Partner, Linklaters
jian.fang@linklaters.com