The Cyberspace Administration of China (CAC) has issued new draft Measures for Security Assessment of Cross-border Transfer of Personal Data (个人信息出境安全评估办法) - the crucial implementing regulation for the incoming data localisation requirements under China’s Cyber Security Law.

All personal data transfers will require the CAC’s approval

The one solace for international companies in the previous draft of the Measures, amid all the uncertainties and potential concerns about the impact of the Cyber Security Law on their business and systems in China, was that it appeared that most businesses would not require prior regulator approval to transfer personal data out of China. In the previous drafts of the Measure, this approval requirement would have only applied to operators of critical information infrastructure (albeit the exact parameters of critical information infrastructure remain largely unclear at this time[1]) except for certain high volume transfers. The previous drafts instead provided for a self-assessment process. Under the new draft, all owners and managers of networks, as well as network service providers (network operators), will need to:

  • Submit an application with supporting materials to the provincial branch of the CAC[2] for security assessment before transferring any personal data out of China, to obtain approval for the transfer.

  • Obtain separate approval for each transfer of personal data to a different recipient.

  • Re-submit the application at least every two years (Articles 3 and 4).

Network operators that continuously or repeatedly transfer personal data to the same recipient will not be required to obtain multiple separate approvals. The new draft Measure provides that the security assessment by the provincial branch of CAC should be completed within 15 working days, but states that this period may be extended “under complicated circumstances”.

The application to the provincial CAC should include a report explaining:

  • The business of both the network operator and the transferee, and their network security capabilities.

  • The nature of the cross-border data transfer, including the “duration, the number of data subjects involved, the amount of personal data” and whether there will be any onward transfer by the recipient to any third party.

  • The risks involved in the transfer and the measures to be taken to secure the personal data and the legitimate rights and interests of the data subject. (Article 17.)

The focus of the CAC’s security assessment will be national security, damage to public interests and the legitimate rights and interests of the data subject, especially in the security of their personal data (Article 6). Nevertheless, the authority will retain significant discretion over whether to approve or deny the transfer.

Other significant changes

The draft also includes a number of other significant changes:

  • Previous drafts applied the same process of security assessments and filings to transfers of so-called ‘important data’, i.e. data related to national security, economic development and societal and public interests. The new draft does not deal with transfers of important data at all, and is limited solely to transfers of personal data. A general obligation to obtain approval from a sectoral regulator for cross-border transfers of important data has, however, been included in CAC’s draft Measures for Data Security Management issued on 28 May 2019.

  • Under the Cyber Security Law, it is necessary to obtain the informed consent of data subjects to transfer or disclose any of their personal data to a third party (whether within or outside of China). Previous drafts of the Security Assessment Measures similarly laid down an explicit requirement to obtain prior informed consent to any cross-border data transfer. However, in the new draft, the explicit requirement for consent is limited to transfers of sensitive personal data[3] only (Article 16). Other data subjects are to have a right to object to continued transfers of their personal data out of China. Network operators must also inform all data subjects in advance “by e-mail, instant messaging, letter, fax or other means” of the purpose of the transfer, what data is being transferred, the name of the recipient and the destination country, among other things.

  • In the previous draft, the security self-assessment was to be carried out by a working group comprising legal, security, technology and management personnel. Self-assessment reports and transmission logs were to be kept for a minimum of two years. The new draft does not mandate who should be involved in preparing the application to the provincial CAC, but requires a record of the data transfer to be kept available for inspection for five years (Article 8).

  • The draft provides for annual reporting of cross border data transfers to the provincial CAC by 31 December each year (Article 9). No further details are given, and this will presumably be clarified in a supplementary notice.

  • The CAC can require network operators to cease cross-border data transfers following (i) a large-scale data leakage and data abuse, or (ii) if it believes the legitimate rights and interests of the data subject cannot be effectively safeguarded. (Article 11.)

Model clauses?

Articles 13 to 16 of the new draft regulate the terms of a contract to be put in place between the transferring network operator and the recipient. It also appears that the contract will need to grant enforceable rights to the individual data subject to claim compensation for a violation of his or her rights. These provisions in the new draft are entirely new.

The contract should:

  • Be legally binding.

  • Provide that the individual data subject is the beneficiary of the terms of the contract which relate to personal data.

  • Grant the data subject rights to claim compensation from the network operator or the recipient (or both) for a breach of his or her legitimate rights and interests.

  • Be terminated if a change in law in the destination country renders the proper performance of the contract “difficult”.

  • Specify that the network operator is obligated to:

    • provide the required information about the data transfer to the data subject;

    • provide a copy of the contract to the data subject on request; and

    • forward claims (including claims for compensation) to the recipient, and to compensate the data subject in lieu of the recipient if the data subject is unable to claim compensation from the recipient.

  • Specify that the recipient is obligated to:

    • comply with the data subject’s exercise of his or her individual rights (e.g. rights of access, correction and deletion);

    • comply with the purpose limitations and maximum data retention periods stipulated in the contract;

    • warrant the compliance of the contract with local law in the destination country; and

    • destroy personal data on request by the network operator.

Part of the CAC’s security assessment will include whether the terms of the contract are adequate to protect the rights of the data subject (Article 6(2)).

Comparison of main provisions

The table below sets out a comparison of the main provisions of the previous and new draft.

Provision: Security assessment

  Previous draft:
    · Network operators have to conduct an internal security assessment.
    · Network operators have to obtain approval from their sectoral regulator if the cross-border data transfer involves: (a) personal data of over 500,000 data subjects; (b) exceeds 1,000 GB; (c) relates to information in certain restricted fields such as nuclear facilities, chemical biology, national defence and population health; (d) relates to network security information such as system vulnerabilities and the security of key information infrastructure; (e) they are an operator of critical information infrastructure; or (f) national security and public interests are affected in another way.
    · Security assessment to be carried out by a working group comprising legal, security, technology and management personnel.
    · The security assessment should evaluate, among other things: (a) the necessity of the transfer; (b) the type, quantity and sensitivity of the data transferred; (c) whether important data is involved; (d) the recipient’s security measures and capabilities; (e) the legal environment of the destination country; and (f) the risks in relation to national security and public interests.

  Current draft:
    · All network operators need to obtain approval from their provincial CAC for any cross-border transfer of personal data.
    · Separate security assessments need to be conducted for each transfer to a different recipient.
    · Only one security assessment needed if multiple transfers are made to the same recipient.
    · No requirement for security assessment to be carried out by specific personnel in the network operator.
    · The report submitted to the provincial CAC should explain: (a) the business of the network operator and the recipient, including their network security capabilities; (b) the nature of the cross-border transfer, including the duration, the number of data subjects involved, the amount of personal data transferred, and if there will be any onward transfers to third parties; and (c) the risks involved in the cross-border transfer and measures to be taken to protect the personal data and data subjects’ rights.

Provision: Reassessment

  Previous draft:
    · Security assessment needs to be repeated annually or when (a) there is a change in data recipient; (b) there are significant changes in the nature of the transfer (e.g. purpose, scope and quantity); or (c) there is a significant security incident.

  Current draft:
    · New application for approval every two years or when the purpose, type, or retention duration of personal data has changed.

Provision: Review process

  Previous draft:
    · The sectoral regulator is to complete its review of the security assessment within 60 working days.

  Current draft:
    · The application is made to the provincial CAC as opposed to the network operator’s own sectoral regulator.
    · The relevant provincial CAC is to complete its review of the security assessment within 15 working days, but extension is possible “under complicated circumstances”.
    · If the network operator objects to the review results it can lodge a complaint with the national CAC.

Provision: Record-keeping

  Previous draft:
    · No express requirements.

  Current draft:
    · Network operators need to keep a record of any cross-border transfer for five years.
    · The record must include: (a) date and time of transfer; (b) identity of recipient; and (c) type, quantity and sensitivity of the personal data transferred.

Provision: Reporting

  Previous draft:
    · No express requirement.

  Current draft:
    · Network operators need to report on cross-border transfers to their provincial CAC annually (by 31 December).
    · Significant data security incidents also need to be promptly reported to the provincial CAC.

Provision: Inspections

  Previous draft:
    · The sectoral regulator will “regularly” organise security checks.

  Current draft:
    · No change.
    · Network operators can be required to promptly rectify any breach of the rights of data subjects or a security incident.

Provision: Prohibition on cross-border data transfers

  Previous draft:
    · Cross-border data transfer is prohibited: (a) if the data subjects have not consented or if the transfer may infringe their rights; (b) if the transfer affects national security or public interests; or (c) under any other circumstances identified by the relevant authorities.

  Current draft:
    · The provincial CAC can require network operators to suspend or terminate cross-border transfers if: (a) there is a large-scale data breach; (b) data subjects are not able to safeguard their rights; or (c) network operators or the recipient of the transfer are not able to protect the personal data.

Provision: Important data

  Previous draft:
    · Transfers of important data regulated in essentially the same way, and regulatory approval may need to be obtained (see “Security assessment” row above).

  Current draft:
    · The Measures apply only to transfers of personal data.

Provision: Consent

  Previous draft:
    · Consent of data subjects needed for any cross-border transfer of personal data.

  Current draft:
    · Data subjects need to provide consent in relation to any cross-border data transfer of their sensitive personal data.

Provision: Direct rights of compensation

  Previous draft:
    · N/A

  Current draft:
    · Data subjects have a contractual right to claim compensation from the network operator and/or the recipient for a breach of their individual rights.

Is the data localisation requirement about to be brought into effect?

The previous draft of the Security Assessment Measures was pencilled in to come into effect on 31 December 2018. It did not. The general expectation was that the delay was due to the ongoing US-China trade talks, which appear to have run their course for the time being.

The new draft is open for comment until 13 July.

The CAC also recently released draft Cyberspace Security Review Measures to introduce a national review mechanism to require data operators to assess potential security risks when purchasing any network products or services (21 May 2019). (This will replace trial Measures released in 2017.)

The Ministry of Industry and Information Technology separately announced on 30 May that it is to begin investigations into regulated basic telecommunications providers and a non-exhaustive basket of the internet service providers[4] it regulates to ensure compliance with network security rules. Companies will be required to self-report compliance by 15 July. The same announcement also requires network operators to file a self-classification and system grading report by 10 July through a dedicated website link. This appears to be connected with the multi-level security certification system being formulated by the Ministry of Public Security under regulations that are yet to come into force.

All of this indicates that it is reasonable to expect that the Government now intends to bring the data localisation requirements under the Security Assessment Measures into force soon.

A translation of the draft Security Assessment Measures is available on request.

[1] The Cyber Security Law refers to critical information infrastructure as “public communication and information services, power, traffic, water resources, finance, public service, e-government, and other critical information infrastructure which, if destroyed, suffering a loss of function or subject to leakage of data, may seriously endanger national security, national welfare, the people’s livelihood, or the public interest”. A draft Critical Information Infrastructure Regulation issued in June 2018, however, deems “information networks such as telecom networks, broadcasting and TV networks and the Internet, and those providing cloud computing, big data and other large public information network services” to be critical information infrastructure if a data breach (among other things) affecting those systems could seriously impair national security, the national economy, people’s livelihood and public welfare. The determination of critical information infrastructure therefore involves a matrixing of the position of the relevant industry and the amount and importance of the system concerned, and the data stored within it.

[2] The CAC website lists 32 provincial (including the four directly-administered municipalities of Beijing, Shanghai, Tianjin and Chongqing) CAC offices (http://www.cac.gov.cn/df1.htm). A few of these CAC offices have recently adopted “network safety implementation plans” (网络安全工作责任制实施细则) setting out the responsibilities of local departments and network operators.

[3] In the draft, sensitive personal data refers to personal data that may do harm to, among other things, the personal and property safety, the reputation, and the physical and mental health of the data subject once it is leaked, stolen, falsified or illegally used.

[4] Namely: IP bearer networks, support networks, Internet data centres, public cloud service platforms, Internet Content distribution networks, domain name service systems, industrial internet platforms, enterprise portals, instant messaging systems, network transaction systems, email systems [i.e. providers of, as opposed to users of], software application stores, mobile application and background systems, public wireless local area networks and public video monitoring platforms.