On 11 April 2017 the Cyberspace Administration of China (CAC) released the "Measures on the security assessment of cross-border transfer of personal information and important data (Draft for comments)" (the Measures) for public comment. The Measures are at first to be understood as the complement to the data localization provision of the Cybersecurity Law (CSL) laid down in Article 37 for Critical Information Infrastructure (CII), which states that "a security assessment shall be conducted in accordance with the measures formulated by the CAC in concert with relevant departments under the State Council". However, the Measures do not solely focus on the data localization obligations and the requirement for CII to undergo a security assessment before proceeding with a cross-border transfer of personal information and important data. The Measures expand the scope of obligations to the whole spectrum of Network Operators and create new obligations supplementing the data localization requirement. The result is a widespread implementation of data localization for personal information and important data, along with a modernization of the legal framework for the cross-border transfer of personal information and important data.
Pushing data localization forward
The first element to be noted is that the Measures further detail and greatly expand the scope of data localization which was meant by the CSL to solely cover personal information and important information collected and processed in Mainland China by CII.
While the concept of personal information was directly defined in Article 76.5 of the CSL, the concept of "important data" was not, leading to different interpretations of the scope of the data considered important data and required to be localized. Article 17 of the Measures goes further, defining important data as "data in relation with national security, economic development, as well as data closely related to the interest of the society as defined by relevant national standards and the guidelines on the identification of important data". While concise, this definition is meant to be further supplemented by national standards and the mentioned guidelines that are yet to be made public, most likely once the Measures are finalized.
The major shift in the scope of data localization concerns who is subject to the data localization obligation. While the CSL targeted only CII in Article 37, the scope of the Measures goes far beyond CII, as stated in Article 2: "The personal information and important data should be stored domestically if they are collected or created by Network Operators during their operation within the People's Republic of China". The effect of the Measures is that Network Operators, regardless of whether they are CII, will have to abide by the data localization obligations and the different processes set by the Measures to ensure the legality of their cross-border transfer of personal information and important data. By including all Network Operators, the Measures provide for a modernization of Mainland China's legal framework for the cross-border transfer of personal information and important data.
Setting new obligations
As such, the Measures create a new data localization obligation on Network Operators not categorized as CII to store domestically personal information and important data collected or created within Mainland China. They also create various corollary obligations on Network Operators transferring personal information or important data overseas, which refine and supplement the data localization obligation.
One of the key corollary obligations in the Measures is a further emphasis on collecting the consent of the owner of the personal information, with more detail on what that consent requires. Under Article 41 of the CSL, the purposes, means and scope of the collection and use of the personal information must be disclosed to the owner of the personal information, prior to collecting and using their personal information, to form a valid consent. Article 4 of the Measures reinforces the requirements of the CSL by requiring that more information be disclosed to the owner of the personal information, as follows:
- the purpose of the cross-border transfer
- its scope
- its content
- the country or address of the Network Operator transferring the personal information
- the country or address of the party receiving the personal information
Furthermore, the second sentence of Article 4 specifically covers cases where the owner of the personal information is a minor, requiring the Network Operators to ensure that the consent of the minor's guardian has been obtained.
In addition to the obligation to further inform the owner of the personal information in order to obtain their informed consent, the Measures also create a new filing obligation that falls on Network Operators where they meet one of the criteria set by Article 9 of the Measures concerning the transfer or storage of personal information abroad:
- the personal information stored or accumulated covers more than 500,000 persons
- the data are in relation with nuclear facilities, biochemistry, the defense industry, population health-data, large-scale engineering activities, oceanic environment, sensitive geographic information, etc.
- the data are in relation with CII vulnerabilities, security and other cybersecurity information
- the Network Operator providing the cross-border transfer of personal information or important information is a CII
- the transfer could impact national security and public social interests, or other factors that industry supervisors and regulators should consider
If Network Operators fall within one of those categories, they shall report to the relevant industry supervisor or regulator, or the CAC if it is not possible to assess which governmental body to contact, to proceed with the security assessment.
The structure of the security assessment
The core feature of the Measures is without any doubt the obligation to undergo a security assessment for Network Operators sending personal information and important data overseas.
The Measures further address the security assessment in its form, timeline and requirements. First of all, the Measures clearly state in Article 7 that the security assessment must be made prior to the cross-border transfer of personal information or important data. As such, the security assessment must be placed early in the transfer timeline. Article 7 also elaborates on how the security assessment is delivered, clarifying that the actor providing the security assessment is the Network Operator itself, except when the Network Operator meets one of the criteria set by Article 9. If it does, the security assessment will have to be organized by the relevant industry supervisor or regulator, or ultimately the CAC if it is not possible to determine the correct governmental body to contact. Where the security assessment is self-undertaken by the Network Operators, it will have to follow the criteria set by Article 8 of the Measures, along with potential further requirements for their industry set by the industry supervisors or the regulators in accordance with Article 6 and Article 8.7. It is to be noted that while the CSL led to the expectation that the security assessment would be made by a third party, transferring the assessment to the Network Operators themselves in most cases will provide them with more flexibility through a self-assessment, the liability for which will be borne by the Network Operators according to Article 7. The Measures do not further detail whether the security assessment can be provided by a third party on behalf of the Network Operators, but this point may be covered by further amendments to the Measures.
Furthermore, it must be acknowledged that the security assessment necessary for the cross-border transfer is not a definitive assessment. Article 12 of the Measures provides that the process must be repeated on an annual basis and should be repeated each time a substantial modification of the data transfer is made, in accordance with the criteria given in the second paragraph of Article 12.
While the Measures are a much-anticipated addition to the CSL that further interprets its provisions on data localization, the current draft goes far beyond the expected scope. By extending the range of covered Network Operators and clarifying the rules concerning the collection, storage and transfer of personal information and important information overseas, the Measures act as a modernization of Chinese provisions on cross-border transfer of personal information and important data. Such modernization is also supported by Article 15, which states that if China and the country/region of the receiving party have a treaty on the exchange of personal information and important data, such treaty would overrule the Measures, allowing us to hypothesize on future bilateral data transfer agreements between China and other countries/regions around the world.