We have just received a revised draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Measures). Here we outline the changes made to the draft Measures first issued on 11 April 2017 for public comment (see our previous briefing and blog post here). The revised draft is likely to be the final version of the Measures. The Measures are to take effect on the same day as China’s Cyber Security Law (Cyber Security Law) on 1 June 2017.
Key Amendments to the Measures
Below are the key amendments to the first draft that businesses should note:
1. Narrowed Scope of Data Localisation Requirements
Under the Cyber Security Law, data localisation requirements are applicable solely to operators of critical information infrastructure (CII). The first draft of the Measures significantly expanded the scope of the data localisation requirements so as to cover all network operators, raising concerns among businesses.
In the revised draft of the Measures, the specific reference to data localisation requirements has been removed. This may suggest that data localisation requirements would apply only to CII operators (which is in line with provisions of the Cyber Security Law). However, under the Measures, network operators are still required to conduct security assessments prior to cross-border data transfers.
2. Exceptions to Providing Notice and Obtaining Consent from Data Subjects
The revised draft retains the provisions in the first draft which required network operators to provide notice and to obtain consent from data subjects prior to cross-border data transfers. However, in case of any emergencies which could endanger the security of lives and properties of Chinese citizens, these requirements will not apply.
Importantly, if data subjects proactively furnish personal data through international phone calls, international emails, international real-time communications and cross-border transactions via the Internet (and via other proactive conduct), the consent of such data subjects shall be deemed to have been obtained. This may significantly ease the burden on network operators of obtaining consent from data subjects where personal data are furnished by the data subjects proactively.
3. Annual Assessment and Re-Assessment
Under the revised draft, network operators are no longer required to conduct a security assessment at least once a year. However, network operators are still required to conduct re-assessments where there are substantial changes to a cross-border data transfer or material security incidents.
4. Narrowed Criteria for Application of Government Assessment
The revised draft narrows the criteria for the application of government assessment. In the first draft, a network operator cumulatively transferring personal data of more than 500,000 individuals would be subject to government assessments. In the revised draft, only a network operator transferring personal data of more than 500,000 individuals at one time would be subject to government assessments. In addition, a network operator transferring personal data of more than 1000GB is no longer subject to government assessments.
Importantly, the reference to “provision of personal information or important data to overseas recipients by CII operators” has been removed from the criteria in the previous draft. This means that government assessments are no longer required for those CII operators which provide personal data or important data to overseas recipients. This change would significantly ease the burden and reduce the compliance costs of CII operators. However, network operators (including CII operators) that are not subject to government assessments are still required to self-organise security assessments for cross-border data transfers.
5. No Specific Timeline for Government Assessments
The first draft provided for sixty working days for a government assessment. However, this statutory timeline has been removed in the revised draft. This may suggest that government assessments would be conducted on a case-by-case basis and could be time-consuming.
6. Broadened Scope of Prohibited Cross-Border Data Transfer
In addition to the circumstances mentioned in the first draft under which cross-border data transfers are prohibited, the revised draft provides that any cross-border data transfers that endanger the security of homeland, military, culture, information, ecological environment, resources and nuclear facilities are prohibited. Moreover, the revised draft includes a catch-all provision to ensure that any cross-border data transfer violating State law, administrative regulations and departmental rules will be banned. If expansively interpreted by the government, these amendments could significantly broaden the scope of prohibited cross-border data transfers.
7. Broadened Scope of Personal Data
In addition to the types of personal data listed in the Cyber Security Law, the revised draft of the Measures provides that account numbers and passwords, the status of personal property, location information and behavioural information shall be considered personal data.
8. Implementation Date of the Measures
The effective date of the Measures is envisaged to be 1 June 2017. However, the revised draft specifically notes that “the cross-border transfers of personal data of network operators shall comply with the Measures as of 31 December 2018”. It remains unclear as to how the Measures will be implemented after 1 June 2017 (especially before 31 December 2018).
The revised draft of the Measures is another step towards implementing the Cyber Security Law. Although the reference to data localisation requirements has been removed in the revised draft, network operators are still required to conduct security assessments prior to cross-border data transfers, and to prove the necessity of such transfers in those security assessments.
While some amendments provide clarity on the previous draft and could ease the burden of network operators including operators of CII (e.g. points 1-4 above), some amendments still lack clarity and could be broadly interpreted by Chinese authorities (e.g. points 5-7 above).
In addition, it remains unclear whether the Measures will be strictly implemented after 1 June 2017, or whether they will not be implemented until 31 December 2018. This point is important as network operators must be fully compliant with the Measures once they are implemented. We will continue to monitor developments and provide updates when the final version is released.