Norton Rose Fulbright - Data Protection Report blog

The Cyberspace Administration of China (CAC) issued draft measures for implementing the data localisation provisions under the Cybersecurity Law of China (Cybersecurity Law) and the National Security Law of China on 11 April 2017. The draft regulations are open for public comment until 11 May 2017.

The key feature of the draft “Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data Overseas” (Measures) is the expansion of the scope of the data localisation requirements in the Cybersecurity Law, which will come into effect on 1 June 2017. See our previous blog post on the Cybersecurity Law.

The key aspects of the Measures are as follows:

  1. Expanded scope of data localisation requirements – The Cybersecurity Law requires that personal data and important data generated or collected in China (China Data) by the operators of Critical Information Infrastructure (CII) must be stored in China and transfer of such data abroad is allowed only if (i) there is a business need; and (ii) “security assessment” (see below) is passed according to the rules issued by CAC and other relevant governmental agencies. However, the Measures provide that all network operators (not only CII operators) will be required to store China Data within China. “Network operators” are very broadly defined as “owners, managers and network service providers of network” which mean that the definition could encompass almost any company collecting information in China via a network. Further, non-network operators are also recommended to carry out security assessments of cross-border data transfers by reference to the Measures.
  2. How to conduct a “security assessment”?
    1. Self-assessment – The Measures set out a list of non-exhaustive factors to be considered when a conducting a security assessment of a cross-border data transfer (e.g. the amount, scope, type, and degree of sensitivity of the personal data and/or important data, and the risk of leakage and abuse of data after the cross-border data transfer or subsequent re-transfer). Network operators must prove and satisfy itself the necessity of a cross-border data transfer before transferring data out of China.
    2. Regulator assessment – The security assessment is a self-assessment exercise unless the cross-border data transfer falls within certain circumstances (e.g.  the number of users exceeds 500,000, the amount of data exceeds 1,000GB, or the data contains cybersecurity information, such as system vulnerabilities or security measures relating to CII). Under these circumstances, the security assessment must be conducted by the “relevant authority” – like a combination of CAC, and industry regulators.
    3. Annual assessment and re-assessment – After the initial self-assessment or regulator assessment prior to the cross-border data transfer, network operators must subsequently, at least once a year or if circumstances change, re-assess the transfer and report the results to their respective authorities.
  3. Consent to transfer required – The Measures set out 3 circumstances where data cannot be transferred out of China, which are: (i) if the data subject has not consented to the transfer, or if such transfer may bring harm to personal rights; (ii) when the cross-border data transfer poses risks to the security of State politics or national defence and may harm public interests; or (iii) other circumstances in which CAC, public security departments or national security departments determine that the data is prohibited from being transferred outside China.
  4. “Cross-border data transfer” defined – A cross-border data transfer is defined under the Measures as “the provision of personal information and important data collected and generated within the territory of China to overseas institutions, organisations or individuals by network operators”. If interpreted broadly, this may include not just transfer, but also remote access to personal data in China from abroad. The Measures have also very generally defined “important data” as “data closely related to national security, economic development, and social and public interests”, but have left the interpretation of the scope open to national standards and guidelines which are yet to be issued.
  5. Who are the regulatory authorities? – CAC will be the main regulatory authority on security assessments and will be responsible for the overall coordination of the security assessments of cross-border data transfers. CAC may also issue instructions to industry regulators in this respect. Industry regulators such as the Ministry of Industry and Information Technology, the China Banking Regulatory Commission, the China Securities Regulatory Commission, and the China Insurance Regulatory Commission will be responsible for the security assessments for their respective sectors.

Our Take

The Measures, if adopted in their current form, would impose additional compliance efforts and costs on network operators in China which have operational needs for cross-border data transfers. As such, a business (in particular, a multinational business) in China should carefully assess whether it falls within the definition of “network operator” under the Cybersecurity Law.

If a company is likely to be regarded as “network operator”, then it should:

  1. review the data collected and generated in its operations in China and its existing (and future) cross-border data flows;
  2. formulate internal cross-border data transfer policies and security assessment procedures;
  3. carefully study the requirements proposed by the Measures and assess whether there is a need to change its existing cross-border data transfer policies and security assessment procedures (if any) to ensure compliance with the Measures; and
  4. if the Measures are adopted, proactively communicate with the competent industry regulators (or, if such regulators cannot be identified, CAC) prior to cross-border data transfers taking effect in order to confirm whether self-assessments or regulator assessments would be required, and in any event maintain good communications with the relevant authorities during the entire security assessment process.

Further information about the Measures can be found in our client alert.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.