[co-author: Sherry Zhao]
The Cyber Security Law was adopted in November 2016 and will become effective on June 1, 2017. The Cyber Security Law creates a new concept of Critical Information Infrastructure (“CII”). The operators of CII are subject to the obligation of data localization under Article 37 of the law. It requires that any personal information and important data collected or generated during the operation of CII operators within the territory of the People’s Republic of China (“PRC”) must be stored within the territory. Where such data must be provided abroad for business purposes, a security assessment must be conducted.
Against this backdrop, the Cyberspace Administration of China (“CAC”) released the draft Measures for Security Assessment on Export of Personal Information and Important Data (“Draft Measures”) for public comment on April 11, 2017. The period of solicitation for public comment will end on May 11, 2017.
The purposes of the Draft Measures are: 1.) to detail the restrictions on cross-border transfer of data set forth in Article 37 of the Cyber Security Law mentioned above; 2.) to provide guidance for security assessments of data export; and 3.) to clarify the circumstances under which data may not be exported. The following is a summary for the Draft Measures.
Scope of the Draft Measures
As supporting rules for the Cyber Security Law, the Draft Measures follow the restrictions on data export provided in the law. However, the scope of the application of the security assessment requirement stated in the Draft Measures is broader than the scope of Article 37 of the Cyber Security Law.
1. The Draft Measures extend the requirement for security assessments from CII operators’ data export to all network operators’ data export
Article 2 of the Draft Measures states that all network operators must store the personal information and important data within the territory of the PRC during their operation within the territory of the PRC. This means the requirement will apply to all network operators rather than solely to CII operators stipulated in the Cyber Security Law. All network operators must submit to a security assessment before exporting the relevant data.
2. Non-network operators may also be required to submit to a security assessment of data export
In addition, non-network operators may also be required to adopt security assessments of data export under Article 16 of the Draft Measures. That Article requires that any individuals or entities that collect data in China will also be subject to the Draft Measures even if they do not operate in the PRC.
For example, certain foreign shopping sites with servers located outside China do not operate in the PRC, but can be accessed by the people within the territory of the PRC. Those sites may collect data from users in China and therefore may, under the Draft Measures, be required to submit to security assessments.
Many commentators argue that the scope of data localization as proposed in the Draft Measures is much wider than is contemplated under the Cyber Security Law. The purpose of Article 37 of the Cyber Security Law is to ensure that the network and core information technology, critical infrastructures, and information systems and data in key areas are all “secure and controllable”, as required under Article 25 of the National Security Law.
The Draft Measures broaden the scope of the security assessment requirement from CII operators’ data export to all network operators’ data export. Non-network operators may also be required to submit to security assessments of data export. Such a broad scope goes beyond the express intent of the Cyber Security Law and the National Security Law and could have an adverse effect on the development of many internet companies, especially multinationals, and on China’s international trade and economy.
Definition of Important Data and Data Export
While the definitions of “personal information” and “network operators” remain the same as set forth in the Cyber Security Law, the Draft Measures add definitions of important data and data export.
“Important data” is defined as data that is closely related to national security, economic development and social public interests, with the specific scope of those terms to be determined in accordance with national standards and relevant guidelines.
The concept of “data export” refers to providing personal information and important data generated or collected by network operators during their operation within the territory of the PRC to overseas institutions, organizations, and individuals.
Types of Security Assessment
The Draft Measures divide the security assessment into two types: 1.) self-assessment; and 2.) assessment conducted by the competent authority, which can be interpreted as mandatory assessment.
1. Self-Assessment
In general, each network operator must conduct a self-assessment before transmitting important data or personal information abroad, and will remain responsible for the result of its assessment.
Such self-assessment must be conducted at least once a year, taking into account the operator’s business development and network operation. Network operators must conduct a reassessment when there is a material change in the data recipient or in the purpose, scope, amount, or type of the data export, or when a serious security incident occurs involving the data recipient or the data export.
2. Mandatory Assessment
A security assessment must be submitted to and conducted by the competent authority under the following circumstances:
1) The outbound data transfer involves the personal information of over 500,000 individuals;
2) The data size is over 1,000 GB;
3) The transfer involves data relating to nuclear facilities, chemistry and biology, national defense and the military, population health, megaprojects, the marine environment, or sensitive geographic information;
4) The transfer involves data relating to information about the cybersecurity of key information infrastructure, such as system vulnerabilities and security protection;
5) The outbound transfer of personal information and critical data is conducted by an operator of key information infrastructure; or
6) The outbound data transfer may affect the national security or the public interest.
Many commentators think the triggering points mentioned above are too low—so low that a large portion of data transfers will be subject to review. They believe this will significantly add to the compliance costs for relevant companies, and increase the review burden of relevant departments.
Contents of Security Assessment
Under the Draft Measures, a security assessment would focus on the following factors:
1. The necessity of the outbound transfer;
2. The quantity, scope, type, and sensitivity of the personal information and important data to be exported;
3. The security measures and capabilities of the data recipient, as well as the cybersecurity environment of the nation where the data recipient is resident;
4. The risk of leakage, damage or abuse of the data after the outbound transfer; and
5. Possible risks to national security, public interests, and individuals’ legal rights that are involved in the data export and data aggregation.
Restrictions on Data Export
The Draft Measures prohibit the export of data in the following three circumstances:
1. Transfer Without Consent
As contemplated in the Draft Measures, informed consent of data subjects is required before personal information can be transmitted out of China. The purpose, scope, content of the export, as well as the recipient and the country or region where it is located must be provided to the subject of personal information before the export. Meanwhile, the consent of the subject (or the guardian of a child) must be obtained as well.
In certain circumstances, personal information may be restricted from being transferred even with informed consent, if doing so would infringe upon an individual’s interests.
2. Risk Exposure
Data cannot be exported if doing so would expose the country to political, economic, scientific, or defense risks, adversely impact national security, or damage public interests.
3. Discretionary Refusal to Export
The Draft Measures give the CAC, public security agencies, national security agencies, and other agencies discretion to refuse the export of data.
As supporting rules for the Cyber Security Law, the Draft Measures detail and extend the restrictions on international data transfer. But the scope of data localization as proposed in the Draft Measures is much wider than is contemplated under the Cyber Security Law. The Draft Measures extend the requirement for security assessments from CII operators’ data export to all network operators’ data export, and non-network operators may also be required to submit to security assessments of data export. In addition, certain restrictions are added for the export of data, such as prior consent from the data subjects and stricter supervision from relevant regulators.
The Draft Measures now contain a definition of “important data”. However, this definition is very general and broad, leaving regulators with a significant amount of discretion and network operators with uncertainty.
We recommend that multinational companies pay close attention to the progress of the Draft Measures, and establish or adjust their compliance management in a timely manner based on the legal provisions and professional advice, in order to avoid potential legal risks once the Draft Measures are finalized.