29 May, 2017
On 19 May 2017, the Cyberspace Administration of China (the "CAC") released a revised draft of its Security Assessment for Personal Information and Important Data Transmitted Outside of the People's Republic of China Measures (the "Second Draft Export Review Measures").
The draft emerged just over a week after public comments closed on the first draft of the measures, which we discussed in our earlier briefing here (the "First Draft Export Review Measures"). There was a significant volume of industry commentary, and the Second Draft Export Review Measures do, to an extent, relax some of the more stringent requirements stated in the First Draft Export Review Measures and originally due to become law on 1 June, 2017, when China's Cyber Security Law takes effect. However, the revised draft measures as set out in the Second Draft Export Review Measures still leave a significant compliance challenge for multi-national businesses operating in China ("MNCs"). On a less optimistic note, the test for when a data localization requirement will kick in has not really changed under the Second Draft Export Review Measures, except to remove the words "must be stored within China" and replace them with "must undergo a security review pursuant to these Measures". This does not change the fundamental position that, without security review approval and clearance, data by definition cannot be exported and so (logically) has to be stored in China.
Headline changes are:
Implementation of localisation measures delayed to 31 December, 2018: While the Cyber Security Law will take effect from 1 June, 2017, the data localisation measures applicable to "network operators" will take effect from 31 December, 2018, introducing a grace period that will be important for MNCs to evaluate their data processing and storage arrangements under the new law.
Implied consent will suffice for data subject-initiated exports of personal data: A key question arising under the First Draft Export Review Measures was the standard of data subject consent required in order to allow exports of personal data from mainland China to take place. Would an express form of opt-in consent be required, or would a more relaxed standard of implied consent be acceptable? The Second Draft Export Review Measures confirm the latter, providing that acts initiated by data subjects, such as making international telephone calls, sending emails or instant messages to overseas recipients and making cross-border transactions online would be sufficient to imply consent to export. Understanding the precise scope for implied consent to export personal data from China will be one of the key areas of interest for MNCs evaluating the impact of the Cyber Security Law. While no doubt a welcome piece of news for those assessing the impact of the localisation requirement, the CAC's acceptance of implied consent is yet to be reconciled with the requirement (retained in the Second Draft Export Review Measures) that the export of personal data be "necessary."
No consent required for emergency transfers: The Second Draft Export Review Measures sensibly exempt transfers necessitated by an emergency that endangers the life or property of data subjects.
Material transfers still require official review, but…
No 1,000 GB trigger: The First Draft Export Review Measures proposed a number of thresholds which, if triggered, would require network operators to submit to an official data export security review. An export volume of 1,000 GB or more was included amongst the triggers, irrespective of the sensitivity of the information. This has been dropped.
Exports by operators of critical information infrastructure not deemed material: The First Draft Export Review Measures had effectively deemed any export of personal data or important data by an operator of Critical Information Infrastructure ("CII") to be a material export requiring official review. The Second Draft Export Review Measures remove this trigger, meaning that data exports by CII operators are assessed by reference to the same triggers as those by network operators. This is logical and welcome.
The remaining triggers for official review of a data export are whether or not the export involves:
- personal data of more than 500,000 data subjects;
- nuclear facilities, bio-chemistry, national defence and military sectors, public health and other such fields, as well as data on large-scale engineering projects, marine environments and sensitive geographical information; or
- system vulnerabilities and security safeguards for key information infrastructure or other such-like cyber security information.
Scope of "Personal Data" expanded to include location and behavioural information: Like the First Draft Export Review Measures, the Second Draft Export Review Measures contain a non-exhaustive definition of "personal data".
The new version clarifies that location data and behavioural data may, alone or in combination with other information, be personal data within the meaning of the export review measures.
Review process timeframe and ability to stop exports: Article 10 of the First Draft Export Review Measures had proposed a 60 working day timeframe for regulatory authorities to provide network operators with feedback on export review assessments. This long-stop period has been replaced with a more general requirement for the authorities to provide feedback in a timely manner. This is not very helpful, as it means MNCs are not able to plan around a defined timeline. The version of Article 10 in the Second Draft Export Review Measures includes a materially revised stipulation that reviewing authorities shall direct that an export be stopped if any of the matters listed in Article 9 are identified in relation to an export, namely:
- the export would violate laws, regulations or departmental rules;
- data subjects have not consented to the export of personal data;
- the export is likely to prejudice the public or national interest;
- the overseas transmission of data would jeopardise the security of national politics, military affairs, society, scientific and technological matters, information, ecology, resources, nuclear facilities and so forth; and
- any other situations where the CAC, the Ministry of Public Security or the Ministry of State Security and so forth determine that the export cannot take place in accordance with law.
The last two are new in the Second Draft Export Review Measures. It is hard to envisage how a transfer overseas of data could harm "ecological" or even "resource" security, but we take this as an implicit reference to information, e.g. on ecological damage or abuse of natural resources and so forth, which is not at the level of state secrets (noting the previous cases where China determined that the location of natural resources constituted state secrets in the hands of certain foreign individuals). There is still a carve-out for state secrets in Article 14 (Article 15 in the First Draft Export Review Measures), which appear to remain regulated under the rules governing state secrets, including criminal penalties in certain cases.
Conclusions
The changes introduced by the Second Draft Export Review Measures make a few sensible technical adjustments and include a temporary reprieve from China's new data localisation measures through to 31 December, 2018.
Given the typical lead times for technology procurement, most MNCs will be forced to make decisions on their processing arrangements long before this date materialises. However, the broad thrust of the First Draft Export Review Measures has not changed, nor has the scope encompassed by the key definition of "network operators" got any clearer.
For many MNCs, the main practical benefit of the grace period will be to allow time to gain a better understanding of the standards of export review that the authorities will apply, and to assess alternative structuring approaches that may arise from, for example, the allowance for implied consent to data subject-initiated exports of personal data, such as requiring data subjects to send an email to the proposed export destination address to confirm their consent.