On June 13, 2019 Measures for Personal Data Cross-Border Transfer Security Assessments (Draft for Comment) (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions to be made as part of a public consultation. The Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security.

The Measures set out a number of general requirements and implementing provisions for aspects of a network operator’s assessment obligation, assessment standards and reporting procedures. They also introduce specific requirements for contracts between personal data transferors and overseas recipients, and protective measures to be adopted by PRC authorities.

Network operator’s assessment obligations

The Measures require that network operators should perform a security assessment and report it to the competent PRC authority if they intend to transfer personal data to overseas parties. In addition, the Measures specify that, where personal data is collected by foreign network operators during business operations, their domestic representative or domestic entities are to perform such assessment obligations.

The PRC Cybersecurity Law introduced the concept of “critical information infrastructure” (CII) in key industrial sectors of China. It requires that CII operators go through a security assessment procedure and report to the relevant competent PRC authorities if they intend to transfer personal data on important data abroad. The Measures seem to extend these requirements to certain non-CII operators. As such, this Measures, if implemented as they stand today, will potentially conflict with the data localisation requirements set out in the Cybersecurity Law.

The assessment standards and reporting procedure

The Measures stipulate that, prior to any cross-border transfer of personal data, network operators should disclose their security assessments to their respective provincial-level cyberspace authorities. Network operators should also disclose to the authorities any contracts with overseas recipients of personal data, as well as analytical reports concerning security risks and safeguards in relation to personal data.

The Measures provide that standards in relation to a security assessment should focus on the following items

  • Whether the terms of the contract can fully protect the legitimate rights and interests of the personal data subject
  • Whether the contract can be effectively implemented
  • Whether the network operator or overseas recipients have any history of internet security incidents.

The contract between personal data transferors and overseas recipients: the specific requirements

Under the Measures the following items should be clearly provided for in the contract between the network operator (as the data transferor) and the overseas recipient

  • The network operator’s obligations
    • perform the notification obligation in relation to data subjects in respect of both the network operator’s and the overseas recipient’s basic information, with such information to include the purpose and type of personal data to be transferred abroad, and the saving period to be applied
    • provide a copy of the contract to the data subjects if required
    • convey data requests made by data subjects (including any compensation claim) to the data recipient. If data subjects cannot receive compensation from the data recipient directly, the network operator should make compensation available to the data subject as the first responsible person.
  • The overseas recipient’s obligations
    • provide channel(s) for data subjects to view their personal information, and to rectify or delete it if required by data subjects
    • use the personal data only for the purpose stipulated in the contract
    • Ensure that signing and performing the contract will not violate the laws of the recipient’s country.

Protective measures adopted by the PRC authorities

The Measures give PRC cyberspace authorities the power to take steps to suspend or cease transfers of personal data to overseas parties if

  • there is a massive leak or abuse of the personal data by network operators or data recipients
  • such network operators or data recipients are not capable of protecting the personal data.

Our observations

Once implemented, the Measures will no doubt have a major impact on the data compliance activities of network operators, which are defined widely to include companies in all industry sectors who use the internet or networks to do business in China. Accordingly network operators who collect personal data should prepare themselves for the assessment and reporting procedures. In addition, network operators may need to revisit their current contracts with data recipients in order to address all the requirements under the Measures.

Although the Measures represent important legislative progress in relation to the data privacy regime in China, they still leave some significant areas to be clarified. For example, key issues such as how to resolve the potential conflict between the Measures and the Cybersecurity Law in relation to the requirements for personal data localisation still needs to be clarified.

Given that the Measures are still in draft form, they may be subject to further modification before they are finalised. As a legal team specialising on PRC data compliance, we will keep monitoring changes in relation to the draft Measures and issue updates if necessary.