Following EU's release of General Data Protection Regulation ("GDPR") and numerous nations or regions' issuance of data protection laws including Russia, Singapore, Australia, Canada, India and South Korea, China's first comprehensive law of data protection, i.e. the Cybersecurity Law of the People's Republic of China ("CSL"), took effect on 1 June 2017.
Compared with EU's so-called strictest privacy law GDPR, the CSL appears to be even stricter in terms of cross-border data transfer for the purposes of which include safeguarding cyberspace sovereignty, national security and public interests, far beyond the ordinary legislative purpose of protecting citizen's personal information. In this regard, the CSL not only targets personal information but also important data. And its supporting legal documents require operators of critical information infrastructure ("CII") to localize data within the territory of China in principle and all network operators to conduct security assessments prior to the data export.
This article's objective is to shed light on the latest progress of cross-border data transfer requirements in China and to provide compliance recommendations for multinational companies operating business in China.
2. CSL IS STILL IN GRACE PERIOD
Before talking about specific requirements of cross-border data transfer in China, it shall be noted that the CSL is still in a grace period since many terms and obligations remain unclear. For instance, the terms of "CII" and "important data" are first brought up by the CSL but the scope of which can only be determined following the issuance of the CSL's supporting regulations and guidelines. As shown in the table below, the CSL's implementation requires regulations, rules and guidelines and most of which are still in the pipeline with their drafts being released in order to solicit public opinions.
|Regulations and Rules||Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data ("Draft Security Assessment Measures")1||In the pipeline|
|Regulation on Security Protection of Critical Information Infrastructure ("Draft CII Regulation")2||In the pipeline|
|Information Security Techniques – Personal Information Security Specification ("Personal Information Security Specification")3||Effective|
|Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment ("Draft Security Assessment Guidelines")4||In the pipeline|
As the CSL's supporting legal documents may come into effect in the next two years, multinational companies conducting businesses in China shall catch up closely with the legislative progress and wrap up compliance preparations.
3. BASICS OF CROSS-BORDER DATA TRANSFER REGULATION
This chapter introduces basic terms and concepts under the CSL, including "cross-border data transfer", "personal information", "important data", "CII operators" and "network operators", which helps to understand the subjects and obligors of cross-border data transfer requirements.
3.1 Circumstances of Cross-border Data Transfer
Similar to most data protections laws in the world including the GDPR, the CSL only regulates outbound data flow from China, which is defined as network operators' provision of personal or important data collected and generated during its operation within China to entities, organizations or individuals located outside of China. Besides, cross-border data transfer also covers the following circumstances:
- providing personal information and important data to entities located in China but that are not subject to Chinese jurisdiction or are not registered in China;
- data which are not transferred and stored outside of China but are accessed by entities, organizations, or individuals outside of China (except for accessing public information or webpages); and
- data cross-border transfer within a network operator's group companies, involving personal information or important data collected and generated during operation within China.
3.2 CSL Targets Both Personal Information and Important Data
Most data protection laws like GDPR only concern personal information, while the CSL also capture non-personal information, namely important data, as the subject of cross-border data transfer.
(1) Personal Information
Personal information refers to information which can be used alone or in combination with other information to recognize the identity of a natural person. For instance, online search records in combination of IP addresses directing to a specific natural person constitute personal information. However, once personal information undergoes anonymization, which prevent a specific natural person from being identified and being restored, it can no longer be defined as personal information.
(2) Important Data
To safeguard national security and public interest, the CSL also limit the cross-border transfer of "important data", which is defined as data closely related to national security, economic development and societal and public interests. The scope of important data shall be determined in specific sectors, and reference can be made to the non-exhaustive list of exemplar information in 27 sectors provided by Appendix A of the Draft Security Assessment Guidelines, such as telecommunication, electronic information, finance, e-commerce, credit investigation, food and drug, population health and post express. For example, where testing results of Chinese citizens' genes have been anonymized for cross-border transfer, even if the results will not be regarded as personal information, it may constitute important data and shall be localized within China.
3.3 CII Operators Face Stricter Obligations Compared with Network Operators
Both network operators and CII operators need to fulfill cross-border data transfer obligations under the CSL and its supporting rules, while the CII operators face stricter restrictions concerning data localization and security assessment, which will be deliberated in the chapter four.
Similar with the concepts of "controller or processors of personal data" under the GDPR, network operators shall be interpreted broadly to encompass owners, managers and service providers of a network. CII operators are a subset of network operators, operating critical information infrastructure in important industries and sectors that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people's livelihood and public interests.
The Draft CII Regulation listed more than 20 industries or sectors as exemplary "important industries and sectors", including government administration, energy, finance, transportation, water conservation, health care, education and information networks. And a guideline for identifying CII will be formulated by the Cyberspace Administration of China ("CAC"), China's chief internet watchdog, in conjunction with other relevant authorities in the future, according to which the identification of CII in certain industry or sector will be conducted by industry supervising authorities.
4. MAIN OBLIGATION: CONDUCTING SECURITY ASSESSMENTS
Article 37 of the CSL initially requires CII operators to store within China personal information and important data generated during its operation in China or to conduct security assessment where cross-border data transfer is needed for business purposes. Notably, the Draft Security Assessment Measures expanded the security assessment requirement from CII operators to all network operators.
4.1 Data Localization
At present, only CII operators need to fulfill the obligation of storing personal information and important data within China, such as data localized in the servers, clouds, or other systems within China. Some multinational companies have already taken compliance measures. On 28 February 2018, Apple announced that it has transferred it iCloud Services in China to its data center in Guizhou Province, which aims to store data including photos, videos, files and backups within the territory of China, and it has also informed iCloud users of the data transfer via email.
4.2 Two Sets of Security Assessments
Security assessment under the CSL is a two-tiered framework, consisting of self-assessment and official assessment. In principle, network operators shall conduct a security self-assessment where cross-border data transfer occurs. In special circumstances, an official security assessment is conducted by industry supervising authorities or CAC where involving personal information of more than 500,000 individuals, containing information in critical industries, or other circumstances that possibly affect national security and societal and public interests.
In addition, before transferring personal information overseas, network operators shall notify data subjects the purpose, scope, type and the country or region in which the recipient is located and obtain his/her consent, except for the occurrence of urgent circumstances under which the security of the person's lives and properties are endangered. The notification is advised to be stated in explicit statements in privacy policies, pop-ups and non-ticked boxes in internet websites, and phone voices, etc. Besides, data subjects' behaviors of making international phone calls, sending international emails, conducting international instant messaging and conducting cross-border trading through internet can be regarded as giving implicit consent to cross-border data transfer.
4.3 Legal Liabilities
The fines imposed by the CSL for breaching cross-border data transfer requirements is relatively small: ranging from 50,000 yuan to 500,000 yuan. But the enforcement of the CSL focuses on severe penalties such as suspension of related business or shutdown of the website and revocation of business licenses. Besides, violators may also face penalties in forms of warning, rectification and confiscation of illegal gains.
5. RECOMMENDATIONS FOR COMPLIANCE
Against this backdrop, though the CSL still left a fair number of issues unresolved with respect to cross-border data transfer, companies doing business in China, whether or not it has a physical presence in China, are advised to make preparation to achieve compliance. To this end, efforts can be made in terms of policy update, technical preparation, manning and training and keeping up with the implementation of the CSL and seeking professional advice.
First, companies doing business in China are advised to update their privacy policies or establish a policy on cross-border data transfer, in which the scope, purpose and type of personal information and the country or region of the recipient shall be articulated in an explicit way. To obtain data subjects' consent, it is suggested to adopt a check box which is not checked by default.
Second, to fulfill data localization requirement or reduce security assessment cost, companies can reduce the amount of personal information and important data to a minimum necessary for business purposes or take measures of anonymization where data export is needed. For companies which are likely to be regarded as CII operators, they can set up their own servers or clouds within China or outsource the data storage service to operators within China.
Third, companies can add positions for data protection where necessary or at least provide training on cross-border data transfer requirements for employees on a regular basis.
Finally, as multiple issues regarding cross-border data transfer requirement remain unclear, it is advised to keep up with the next implemented rules of the CSL and to seek professional advice for interpretation and compliance in a timely manner.
1. CAC published a draft of Security Assessment Measures on 11 April 2017, see http://www.cac.gov.cn/2017-04/11/c_1120785691.htm, which was updated later in May 2017.
2. CAC published a draft of CII Regulation on 10 July 2017, see http://www.cac.gov.cn/2017-07/11/c_1121294220.htm.
3. Chinese version of the Personal Information Security Specification, http://c.gb688.cn/bzgk/gb/showGb?type=online&hcno=4FFAA51D63BA21B9EE40C51DD3CC40BE.
4. The National Information Security Standardization Technical Committee ("TC260", in which some officials of CAC serve as its members) published a draft of Security Assessment Guidelines on 30 August 2017, see http://www.tc260.org.cn/front/bzzqyjDetail.html?id=20170830211755&norm_id=20170221113131&recode_id=23883.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.