On April 11, 2017, the Cyberspace Administration of China (the “CAC”) released the draft Measures on Security Assessment relating to Export of Personal Information and Important Data (the “Draft Measures”) for public comment. The comment period ends on May 11, 2017.
On April 11, 2017, the Cyberspace Administration of China (the “CAC”) released the draft Measures on Security Assessment relating to Export of Personal Information and Important Data (the “Draft Measures”) for public comment. The comment period ends on May 11, 2017.
In this article, Samuel Yang and Sophia Han from Anjie Law Firm, our associated firm in China, analyse the regulations under the Draft Measures relating to transfer of Chinese citizen’s personal information and important data outside of mainland China.
Definitions of “Export of Data”, “Personal Information” and “Important Data”
The Draft Measures define “Export of Data” as when “network operators provide overseas institutions, organisations, or individuals with personal information and important data collected and generated within the territory of the People’s Republic of China.” As such, “Export of Data” not only refers to transmitting data outside of the PRC, but also includes authorising an overseas entity or individual to access data, even if such data is still stored in the PRC (i.e. data which can be downloaded or viewed from outside the PRC).
Before the Draft Measures were issued, there were already a number of industry-specific laws and regulations which regulated the export of data from the PRC. However, there was no comprehensive framework for regulating export of data and the understanding of these rules in practice were not consistent. Once these Draft Measures have been passed, we expect to see a more uniform understanding of the concept of “export of data” under PRC law.
The China Cybersecurity Law (the “CSL”) which is set to take effect on June 1, 2017 has already formulated the definition of “Personal Information”. The Draft Measures adopt the same definition of “Personal Information” as the CSL.
The Draft Measures define “Important Data” as data closely related to national security, economic development and societal and public interests. The scope of “Important Data” will be determined according to relevant national standards and guidelines on the identification of important data. These standards and guidelines are expected to be issued by relevant State organs.
Restrictions applicable to a broader scope of entities
Under the CSL, the restrictions on the export of data only apply to the operators of Critical Information Infrastructures ("CII").
The CSL provides that “operators of Critical Information Infrastructures shall store Chinese citizens’ personal information and important data collected or generated in the course of operations within the territory of China. If transfers of data offshore are necessary for operational reasons, a security assessment must be conducted by designated agencies, unless laws and regulations specify otherwise.”
Although the specific measures on CII operators have yet to be issued, CII appears to be defined relatively narrowly as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest”. Specific reference is made to “key sectors” such as telecommunications, energy, transportation, water conservation, financial services, public service and e-government, etc.
However, the Draft Measures replaces the concept of CII operators with “network operators”. Under the CSL, the term “network operators” is defined as “owners and managers of networks, as well as network service providers”. Although released as an implementing regulation of CSL, the Draft Measures significantly expand the scope of entities to which data export restrictions may apply. As a result, the scope of “network operators” could be expanded significantly to cover every entity that is using a network (including the Internet) to operate or provide services, such as Internet operator, online new media enterprises and all traditional enterprises which are providing services through network such as banks and insurance companies.
Furthermore, the Draft Measures provide that “the work of security assessment of export of personal information and important data collected and generated by other individuals and organizations within the territory of the People’s Republic of China shall be implemented with reference to these Measures.” While these provisions will enhance the protection degree of Chinese citizens’ personal information and important data, enterprises will face onerous procedures and high cost to comply with these new restrictions.
Data subject’s consent is required for export of personal information
The Draft Measures provide that “where personal information is to be transferred offshore, data subjects must be notified of the purpose, scope, content, the recipient of the transfer, as well as the country or region in which the recipient is located, and the consent of the data subjects must be obtained. If the personal information to be transferred concerns a minor, the consent of the guardian must be obtained.”
The “data subject consent” principle as a universal rule for the collection, use and process of personal information has been reflected in the “General Provisions of the Civil Law” and CSL. The Draft Measures further supplement this principle.
It is worth noting that the CSL provides that network operators must not provide citizens’ personal information to others without the data subject’s consent. As an exception to the “data subject consent” rule, the “Anonymisation Clause” allows network operators to provide a third party with personal information after it has been anonymised so that the individual cannot be identified. However, CSL did not specify whether this “Anonymization Clause” also applies to the export of personal information. Unfortunately, the Draft Measures do not mention this either and it remains unclear whether the export of anonymised personal information needs the data subject’s consent.
Regulators for the export of “personal information” and “important data” specified
The Draft Measures provide that “the national cyberspace authority shall be responsible for overall coordination of work in connection with the security assessments of export of data and shall guide competent industry regulators or regulatory authorities in organizing the security assessments of export of data” and “competent industry regulators or regulatory authorities shall be responsible for the work of security assessments of export of data in their respective industries and shall organise to carry out security inspections of cross-border data transfer in their respective industries at regular intervals”.
For some industries their regulators are obvious (such as banking and insurance sectors), while other industries which were supervised by multiple departments of government (such as the Internet sectors) may not have a designated regulator. If no industry regulator can be identified, the security assessment can be organized by the CAC in accordance with the Draft Measures.
Security assessment needed for the export of data
The Draft Measures divide security assessment requirements into two categories. The first category is the network operator’s self-assessment. The Draft Measures provide that all network operators are required to organise their own security assessment for export of data at least once per year and are responsible for the results of such self-assessment. The security assessment should focus on the following aspects of export of data:
1) Necessity of export of data;
2) Amount, scope, type, level of sensitivity of personal information involved, and whether data subjects have consented to such export of data;
3) Amount, scope, type, level of sensitivity of important data involved;
4) Data recipients’ data security measures, capabilities, and their level of protection, as well as the cybersecurity environment of the countries or regions in which the recipients are located;
5) Risks of data being leaked, damaged, tampered with, or misused arising from export or subsequent transfer of the data;
6) Risks posed by export of data (including the aggregation of data transferred to offshore locations) to China’s national security, societal and public interests, and Chinese citizens’ rights and interests; and
7) Other important matters required to be assessed.
The Draft Measures also provide a second category of security assessment, conducted by an industry regulator, for the following exports of data:
1) transfer (individually or accumulatively) of personal information of over 500,000 Chinese citizens;
2) transfer exceeding 1,000 gigabytes;
3) transfer involving data regarding “nuclear facilities, chemical biology, national defense or military, population and health care, etc.,” and data related to “large-scale engineering activities, marine environment, and sensitive geographic information”;
4) transfer involving data related to cybersecurity information of China’s CII operators, such as their system vulnerabilities or security measures;
5) transfer involving the provision of personal information and important data to overseas recipients by operators of CII; and
6) other transfers that may potentially affect China’s national security and public interests.
In addition, the Draft Measures further provide that “if there is a change in circumstances, for example, a different data recipient, or a significant change in the purpose, scope, amount, or type of data transferred offshore, or if there is a material security incident involving the data recipient or the data to be transferred, the security assessment must be conducted again promptly.”
Prohibited Export
The Draft Measures prohibit the export of data in any of the following circumstances:
1) the data subject has not consented to the export of personal information, or if such export may cause harm to the data subject’s rights and interests;
2) the export poses risks to China’s national security or public interests; or
3) other circumstances in which the Chinese government determines that the data concerned is prohibited from being transferred offshore.
Our Observations
In recent years, the Chinese government has placed great importance on the protection of personal information and cybersecurity, which have risen to the height of national strategy. The stringent restrictions on the export of personal information and important data have demonstrated their tremendous significance. Once the Draft Measures come into effect, such rules will exert a far-reaching influence on the internet and data industry of China and even the society as a whole. We think that companies should start to establish internal management systems, formulate new policies, and create new procedures for the purpose of the security assessment. Moreover, we recommend that companies should take good care of the assessment reports produced by the technical, legal and other relevant departments of the company. These measures are not only required to satisfy the needs of good data management, but also to be prepared for inspections by the government.
We will monitor developments in this area and provide further guidance accordingly.
