China Drafts Legislative Rules Regarding Cross-border Data Transfers

by Morgan Lewis

Morgan Lewis

The draft legislation provides further guidance on the regulations provided in the recent cybersecurity law, including definitions and details on the security assessments required for cross-border data transfers.

China’s recently enacted Cybersecurity Law (CL), effective June 1, 2017, requires that personal information and important data collected and produced by critical information infrastructure (CII) operators in China be stored in China. The CL also requires that security assessments be performed before personal information and important data are provided to any entity or individual outside of China (Cross-border Data Transfer).[1] Along with the CL, China has published other draft legislation addressing the requirements for local storage and Cross-border Data Transfer and soliciting public comments. The new draft implementing rules include

  • Measures for the Security Assessment of Cross-border Transfer of Personal Information and Important Data (Consultation Draft) (the Assessment Measures);[2]
  • Assessment Guidelines for Security Assessment of Cross-border Data Transfer (Consultation Draft) (the Assessment Guidelines);[3] and
  • Regulation for the Security Protection of the Critical Information Infrastructure (Consultation Draft) (the CII Regulation).[4]

These drafts provide definitions and the scope of key concepts under the CL as well as more details regarding the security assessment required for Cross-border Data Transfer. Multinational corporations collecting and transferring data from China should consult this draft legislation and understand the legislative trends in order to prepare for the specific steps that must be taken regarding the storage and transfer of data once the legislation comes into effect. In this LawFlash we set out the highlights of this draft legislation and compare them to the CL.

Who Is Subject to Local Storage and Security Assessment Requirements

While the CL only applies the local storage and security assessment requirements for the Cross-border Data Transfer of “personal information” and “important data” to CII operators, the current draft of the Assessment Measures states that all “network operators” are generally obliged to conduct a security review of Cross-border Data Transfers if the data contains “personal information” or “important data”; it also says that such data must be stored inside China.[5] The draft Assessment Guidelines follow the Assessment Measures and provide the security assessment process to be used for all “network operators.”

However, in May 2017, during an official press briefing on the implementation of the CL, the chief of the Network Security Coordination Office of the CAC clearly stated that the local storage and security assessment requirements for Cross-border Data Transfer apply only to CII operators, so this will remain uncertain until the Assessment Measures have been finalized and published.

Definition of CII

The CL defines CII as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest.” The CL also provides examples of CII, including network operators in the areas of public communications, information services, energy, transportation, water utilities, finance, public services, and e-government, but leaves the specific definition of CII to the regulations to be made by the State Council.[6]

The CII Regulation defines the scope of CII by listing operators in certain industries, including

  • government agencies and entities in the energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection, and public utilities sector;
  • information networks, such as telecommunication networks, broadcast television networks, and the internet, and entities providing cloud computing, big data, and other large-scale public information network services;
  • research and manufacturing entities in sectors such as science and technology for national defense, large equipment manufacturing, chemical industry, and food and drug sectors; and
  • press units such as broadcasting stations, television stations, and news agencies.

We note that multinational companies in the manufacturing, IT, food, healthcare, and medical sectors can be included in such a broad definition if regulators decide that any data leakage or malfunction of its information system may affect national security, national welfare, or the people’s livelihood and public interest.[7]

Definition of “network operator”

The CL’s definition of “network operator” is much broader compared to its definition for CII operators. Network operators include “owners and administrators of networks as well as network service providers.”[8] Multinational corporations that use certain networks in China to transmit data offshore, including through the internet and email, could potentially be deemed “network operators.”

Personal Information and Important Data

The local storage and security assessment requirements for Cross-border Data Transfer under the CL protect “personal information” and “important data.” The ongoing legislative efforts further define “personal information” and “important data” and provide detailed protective measures.

Definition of “personal information”

The CL’s definition of “personal information” includes the name, date of birth, ID number, personal biological identification information, address, and telephone number of a natural person, but is not limited to the foregoing.[9] The Assessment Guidelines specifically add accounts and passwords, financial status, location, and behavioral information to the CL’s definition.[10] Considering that the CL’s definition is not limited to the listed types of personal information, the Assessment Guidelines’ definition remains consistent with the CL, so it is possible that regulators may treat location and behavioral information as “personal information” in the future.

Consent required for the cross-border transfer of personal information and exceptions

The Assessment Measures require that a network operator inform the owners of personal information about the purpose, scope, content, recipient, and recipient’s country related to the cross-border transfer of the information, and the network operators must obtain the owners’ consent for the cross-border information transfer to take place.[11]

The Assessment Guidelines do provide an exception to the principle of obtaining consent: where there is an emergency threatening a citizen’s life or the security of their property, consent need not be obtained.[12]

Notably, the CL provides an exception for personal information that has been irreversibly processed so as to prevent a specific person from being identified. The CL allows such processed information to be disclosed to others without receiving the owner’s consent.[13] Comments suggest that this exception was designed for the convenience of developing big-data and cloud businesses in China.

Businesses have also requested that inferred consent be recognized under certain circumstances in the Assessment Measures, including where international phone calls are made, emails and instant messages are sent to individuals or organizations overseas, and cross-border e-commerce transactions and other activities are initiated by data subjects. It is uncertain whether such an exception may be included in the Assessment Measures.

Definition of “important data”

The CL does not define “important data.” The Assessment Measures define “important data” as data closely related to national security, economic development, and public interest.[14] The Assessment Guidelines provide a more specific definition of “important data”:

[D]ata (including original and derived data) collected by the Chinese government, enterprises, and individuals within the territory of China, which does not involve state secrets, but which is closely related to national security, economic development, or the public interest, and when disclosed without authorization, lost, used abusively, tampered with or destroyed, or after aggregation, or integration and analysis, may cause serious consequences related to national security, national economic and financial security, social public interests and the legitimate rights and interests of individuals.[15]

The Assessment Guidelines provide comprehensive examples of important data in 27 industries and sectors, as well as a catchall category for any other data in any other area that may affect the peace, prosperity, or social welfare of China. The Assessment Guidelines also specify the industry regulators for these 27 industries and provide that the definitions, scope, and identifying criteria of important data in these key industries may be further specified by the competent industry regulators.[16]

For example, under the “Demographic Health” category, the Assessment Guidelines list eight types of important data, including

  • personal information of patients and their families obtained in the administration of certain public health services (such as monitoring side effects of drug and birth control devices, public health emergencies, epidemic situations etc.);
  • electronic medical history;
  • health records and other diagnostic and heath data retained by medical institutions and health management service institutions;
  • personal information of human organ donors and recipients and applicants of human organ transplants obtained through human organ transplant medical services;
  • personal information of sperm and egg donors and users of and applicants for human assisted reproductive technology services;
  • personal information obtained through family planning services;
  • personal and family genetic information; and
  • life registration information.[17]

Security Assessment

According to the Assessment Measures and Assessment Guidelines, industry regulators, instead of the CAC, will be responsible for the security assessment of the Cross-border Data Transfer. The CAC will lead and coordinate the efforts of the security assessment.[18]

Per the Assessment Measures and Assessment Guidelines, the security assessment can be conducted by network operators themselves, subject to industry regulators’ periodic examinations. However, security assessments should be conducted by industry regulators for the following transfers:

  • Data containing personal information of more than 500,000 Chinese citizens
  • Data volume of more than 1,000 gigabytes to be transmitted abroad
  • Data regarding “nuclear facilities, chemical biology, national defense or military, population and health care, etc.”
  • Data related to “large-scale engineering activities, marine environment, and sensitive geographic information”
  • Data related to the cybersecurity information of China’s CII operators, such as their system vulnerabilities or security measures
  • When a CII operator provides personal information and important data abroad
  • Other transfers that may potentially affect China’s national security and public interests[19]

The Assessment Measures also provide the following circumstances where data cannot be transferred abroad:

  • The cross-border transfer fails to be approved by the owner of personal information or such transfer may jeopardize personal interests.
  • The cross-border transfer causes security risks to the nation’s politics, economy, technology, and/or defense that may affect national security and jeopardize social and public interests.
  • The state cyberspace administration, public security authority, or another relevant authority determines that the data is forbidden to be transmitted abroad.[20]

The Assessment Guidelines provide more details about the procedures used for both self-assessment and assessment by industry regulators, including the assessment process, key assessment factors, and an assessment methodology. Factors that network operators must take into account include the type and degree of sensitivity of the information; the volume and scope of the information; whether or not the information has been desensitized; the possible effects of its transfer; its effect on state security and the public interest; safety precautions taken by the sender; safety capabilities of the recipient; and the local legal climate of the recipient.


Although the Assessment Measures, Assessment Guidelines, and CII Regulation have not yet been formally promulgated, they provide detailed practical guidance regarding what businesses are categorized as CII operators, the types of data subject to local storage and security assessment requirements for Cross-border Data Transfer, and the manner in which the security self-assessments and security assessments by regulators will be conducted. However, there will still be uncertainty regarding the issues discussed above until these draft regulations are finalized. Companies in China should remain alert and aware of legislative developments and be prepared to take the necessary steps for compliance with the new rules.

[1] Art. 37, CL.

[2] Draft circulated by the Cyberspace Administration of China (CAC) on April 11, 2017.

[3] Draft circulated by the National Information Security Standardization Technical Committee on May 27, 2017. Notably, the Assessment Guidelines are classified in GB/T, indicating that the Assessment Guidelines are advisory standards to be voluntarily adopted by enterprises after their promulgation; nevertheless, they reflect the standards that are likely to be adopted by regulators for security assessments in the future.

[4] Draft circulated by the CAC on July 10, 2017.

[5] Art. 2, Assessment Measures.

[6] Art. 31, CL.

[7] Art. 18, CII Regulation.

[8] Art. 76, CL.

[9] Art. 76, CL and Art. 17, Assessment Measures.

[10] Section 3.3, Assessment Guidelines.

[11] Art. 4, Assessment Measures.

[12] Section 5.1, Assessment Guidelines.

[13] Art. 42, CL.

[14] Art. 17, Assessment Measures.

[15] Ex. A, Assessment Guidelines.

[16] Ex. A, Assessment Guidelines.

[17] Art. 18, Exhibit A, Assessment Guidelines.

[18] Arts. 5–6, Assessment Measures.

[19] Art. 9, Assessment Measures.

[20] Art. 11, Assessment Measures.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis

Morgan Lewis on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.