China publishes draft measures regulating cross-border transfer of data

China

The Cyberspace Administration of China ("CAC") published the Draft Assessment Measures for Transferring Personal Data and Important Data to Overseas Countries (the "Draft") on 11 April 2017 to solicit public opinions. While the Draft is stated to be formulated in accordance with the PRC Cybersecurity Law (the "Cybersecurity Law"), it expands the scope of the Cybersecurity Law and provides new requirements and procedures concerning the cross-border transfer of Personal Data and Important Data.

According to the Draft, "Personal Data" refers to any information that can identify an individual, either independently or when combined with other information. Personal Data can be recorded in electronic or other forms, and includes an individual's name, date of birth, ID number, address, telephone number and personal biometric data. This definition is generally consistent with the definitions provided in the various existing regulations and administrative rules governing personal data protection. "Important Data" refers to data that is closely related to national security, economic development and social public interests. The Draft states that the scope of Important Data will be specified in the relevant standards and guidance but it does not clarify the standards and guidance. We expect that more detailed rules will be provided in this area in the future.

The majority of regulatory requirements under the Draft apply to "Network Operators", which are defined as the owners or administrators of networks or online service providers. As a general principle, if Personal Data and Important Data has been collected or generated within the territory of China, Network Operators are required to store the Personal Data or Important Data within the territory of China. If a business requires the transfer of any such data to overseas countries, the relevant Network Operator is required to conduct security assessments in accordance with the Draft.

A security assessment includes consideration of the following issues:

  • the necessity of transferring the Personal Data or Important Data to overseas countries;
  • the amount, scope, type and sensitivity of the Personal Data or Important Data concerned and in particular in relation to Personal Data, the Network Operator must consider whether the data subjects' consent has been obtained;
  • the security protection measures taken by the data recipient, the data recipient's capability of securing data and the cybersecurity environment in the country or area where the data recipient is located;
  • the risks of data being leaked, damaged, infringed or misused if the data is transferred to overseas countries; and
  • the risks that the transfer or integration of data to overseas countries might have to national security, social public benefit or the legal interests of individuals.

The Network Operator that conducts the security assessment is responsible for the results of the assessment.

In certain circumstances, a self-conducted assessment will not be sufficient and the Network Operator will also be required to apply to the relevant business supervisory authorities for a security assessment organised by the authorities. If a relevant business supervisory authority cannot be clearly identified, the Network Operator could apply to the CAC or a local branch of the CAC. The circumstances in which a security assessment organised by the authorities would be required include, without limitation:

  • if the Personal Data of more than 500,000 individuals is involved;
  • if more than 1000GB data is involved;
  • if the data includes nuclear facilities, chemicobiology, national defense and the military, population health data or includes data relevant to large scale engineering activities, the ocean environment or sensitive geographic information;
  • if the data concerned includes system vulnerability, security protection and other types of cybersecurity information of critical information infrastructure; or
  • if it will be a critical information infrastructure operator that transfers Personal Data or Important Data to overseas countries.

Although the Draft requires that a security assessment organised by the authorities should be completed within 60 working days, the Draft does not provide further clarification of the detailed requirements or procedures concerning how such assessments should be conducted. The Draft does however clarify the following circumstances in which no Personal Data or Important Data is allowed to be transferred to overseas countries:

  • if the transfer is not consented to by the data subject or might infringe the personal interests of the data subject;
  • if the transfer could be a risk to national politics, the economy, technology, defense or national security or cause damage to social public interests; or
  • if the transfer would otherwise be prohibited by the relevant government authorities.

Article 37 of the Cybersecurity Law outlines the requirements for data location and the cross-border transfer of Personal Data and Important Data. These requirements apply only to operators of critical information infrastructure. The Draft expands the scope of such requirements to cover all Network Operators. According to the Draft, the cross-border transfer of Personal Data and Important Data that is collected or generated by individuals or organisations other than Network Operators, will also be subject to security assessments as outlined above. If this requirement of the Draft remains in the final version, it could become very difficult to be exempt from the security assessment regime.

Additionally, the Draft states that before any Personal Data is transferred to overseas countries, the relevant data subjects must be informed of the purpose, scope, content and receipt of the transfer, as well as the country or area where the recipient is located. The data subjects' consent must be obtained. No exemption is provided to the requirement for consent. In contrast, such exemptions exist under the Cybersecurity Law, for example under Article 42 which provides that the consent of data subjects is not required if the Personal Data is processed so that individuals could not be identified from the data. If the final version of the Draft also contains the consent requirement, there could be inconsistencies with the Cybersecurity Law on this requirement.

The Draft also includes a special provision concerning treaties and conventions. The Draft states that that the relevant requirements of any treaties or conventions to which China is a party that concern the cross-border transfer of data will apply.

The public will have until 11 May 2017 to submit comments on the Draft. As data protection is a critical aspect of cybersecurity, it is possible that the final version of the Draft will be published near to the effective date of the Cybersecurity Law in June 2017.