Article by Daniel Albrecht
Summary: The Cybersecurity Law of the People’s Republic of China was issued on November 7, 2016, and officially took effect on June 1, 2017. The Cyberspace Administration of China (CAC) has released supporting measures to implement provisions of the Cybersecurity Law. These draft Measures provide guidelines for the cross-border transfer of data, data security assessments, and the protection of data in relation to national and public interests. In 2017, the CAC published the Measures on Security Assessment of Cross-Border Transfer of Personal Information and Important Data. The draft received extensive feedback, leading to a second draft released in June 2019, the Measures on Security Assessment of Cross-Border Transfer of Personal Information. The new draft will affect a wide range of domestic and foreign entities in China that have cross-border transfer needs.
Separating “Personal Information” and “Important Data”
On June 13, 2019, the Cyberspace Administration of China (CAC) released Measures on Security Assessment of Cross-Border Transfer of Personal Information. Regulations and guidelines provided in the draft pertain to network operators that export personal information data to recipients outside of China. It should be noted that the 2017 draft Measures applied to both “important data” and “personal information” data. However, the 2019 draft legislation omits the term “important data” and solely focuses on the export of “personal information.” The removal of the term implies that the CAC is now treating important data and personal information as separate categories that are subject to different requirements. Therefore, the content in the new draft regulation only concerns the cross-border transfer of “personal information” collected within the territory of China.
Data Localization Requirement
China’s Cybersecurity Law requires data localization for “critical information infrastructure operators” (CIIOs) that collect and generate data within China. In other words, the provision requires that personal information and important data collected by CIIOs within the territory of China be stored on servers located in China. The 2017 draft Measures attempted to clarify this data localization rule. However, the draft expanded the data localization requirement to all “network operators,” causing controversy and confusion in the international community. Since “network operator” is more vaguely defined than CIIO, the 2017 Measures broadened the scope of the data localization requirement.
To complicate matters further, the CAC published the 2019 draft Measures without any mention of data localization requirements. Although there is no data localization provision in the new draft, this does not mean that network operators are exempt from data localization. Legal experts point out that China’s Cybersecurity Law overlaps with the new draft Measures, and CIIOs are still obligated to follow data localization rules. However, with the Cybersecurity Law referring to “CIIOs” and the Measures referring only to “network operators,” there is room for interpretation regarding which entities will be affected by data localization requirements.
Data Security Assessment Guidelines
A. General Overview of Security Assessments
Network operators are required to conduct data security assessments before the outbound transfer of personal information. While the previous draft listed the CAC as the primary coordinator for security assessments, the new draft assigns provincial-level cyberspace departments to perform data inspections. In addition, each individual recipient of data requires a separate security assessment. However, repeated exports of personal information to the same recipient do not require multiple assessments. Furthermore, network operators must perform a new security assessment every 2 years or whenever “there are changes to the purpose, type, or overseas retention period related to the outbound transfer of personal information.”
B. Filing for Security Assessment
Network operators must file with a provincial-level cyberspace administration to arrange a security assessment of the personal information to be exported. Network operators are required to submit specific documentation when requesting the assessment. Documents include a declaration form, the contract between the network operator and the recipient(s), and an analysis report on the security risk of the data. The provincial-level cybersecurity department will then conduct a security assessment within 15 working days. The time limit to complete the security assessment was reduced from the previous draft’s timeframe of 60 working days. However, some experts doubt that the provincial CAC administrations will have the capacity to perform large numbers of security assessments within this deadline.
C. Results and Follow Up
Once the provincial-level cybersecurity department conducts a security assessment of the personal information data, the department must notify the network operator of the results. Article 7 states that network operators can file an appeal with the CAC if the network operator objects to the results that the provincial-level cybersecurity department provides. At the end of each year, network operators are obligated to report all personal information transfers of that year to their provincial-level cybersecurity department, along with any other requested information. Furthermore, the provincial-level cybersecurity departments will conduct regular inspections of the outbound transfer of personal data by network providers to check on contract fulfillment, violations of rules or regulations, and protection of rights of the personal information subjects.
D. Security Assessment Details
The 2019 draft Measures include the following information in greater detail:
- Article 6: When conducting a security assessment, cyberspace departments are concerned with specific matters. This article lists the types of information that are critical to the assessment.
- Article 8: Network operators are required to maintain records of personal information data for five years. This article lists specifics on what these records should include.
- Article 9: Cyberspace departments have the right to prohibit or suspend the export of personal information. This article lists the cases in which prohibition or suspension is justified.
- Article 17: Network operators must provide an analysis report that describes the security risks of the outbound transfer of personal information. This article lists what types of information the reports should include.
Contracts Between Network Operators and Data Recipients
The 2019 draft Measures provide contract requirements between the network operator and the data receiver. The following articles enumerate what the legal agreements should explicitly state:
- Article 13 lists the general content that should be included in the contract between the network operator and the data recipient.
- Articles 14 and 15 define the obligations of network operators and data recipients, which must be stated in the legal contracts.
- Article 16 describes the rules for when data recipients transfer personal information data to third parties. These requirements must also be specified in the contract.
2019 Draft Measures and Overseas Organizations
The new draft Measures mandate that overseas organizations that collect personal information of Chinese users on the internet are subject to the same rules and regulations as network operators in China. To fulfill these obligations, foreign entities are required to act through a domestic legal representative or organization. Since “network operators” is a broad term, it will have a sweeping effect on a variety of companies and industry sectors that collect personal data of domestic users in China. Once the draft Measures are implemented, foreign businesses that collect personal data in China may need to review their contracts with data recipients to ensure compliance. Overall, non-domestic companies that perform cross-border transfers of data should become familiar with the new draft Measures in order to navigate China’s cybersecurity landscape.
The Impact of the 2019 Draft Measures on Foreign Businesses
In comparison to China’s Cybersecurity Law, the 2019 draft Measures widen the scope of who will be subject to data review and regulation. The draft Measures concern all “network operators,” which is broadly defined as “network owners, managers, and network service providers.” Consequently, the draft will impact multinational companies in a wide variety of industries and sectors that operate and use information networks in China. Foreign businesses that collect personal information data in the territory of China should prepare for compliance with the 2019 Measures. In addition to assessing the new obligations, foreign firms should also be aware of the challenges that may arise, such as administrative burdens, less efficient business operations, and new costs.
In general, the new draft Measures will make foreign business operations in China less efficient. This is largely due to the mandatory security assessments of personal information data. For instance, under the previous draft Measures, companies were expected to perform self-assessments of personal data. This meant companies would be subject to government assessments only when reaching a threshold, such as exporting a high quantity of personal data or highly sensitive data. However, the 2019 draft requires the government administrations to conduct security assessments of all outbound transfers of personal data, regardless of the quantity or the sensitivity of the information. The consequence of this provision is that even basic customer information or human resources information that a company collects in China would require a security assessment before the outbound transfer of the data. Therefore, the Measures create more obstacles for foreign businesses that frequently share data overseas.
Another way the new draft Measures may slow down foreign business operations is the ambiguous legal language that leaves companies subject to the local cybersecurity administrations’ discretion. For example, Article 5 states that security assessments should take place within 15 days, but that this period can be extended for “complex situations.” Since it is unclear what the CAC considers a complex situation, data security assessments could take longer than necessary before the local cybersecurity administrations permit the export. The CAC uses similarly vague language in Article 3 of the draft Measures, where new security assessments will be carried out every two years unless there is “a change in the purpose of personal information export or a change in the overseas storage period.” Because it is also not specified what constitutes a change in purpose, foreign firms could undergo more security assessments in a given period than stated in the draft. Therefore, the 2019 draft regulations give local cybersecurity administrations the authority and discretion to make security assessments more complicated for foreign firms.
Once the new draft Measures are implemented, foreign businesses will most likely have additional administrative burdens. For instance, network operators will need to provide various materials to the local cybersecurity administrations to declare a security assessment of the export of personal information. Such documents include an analysis report that will be tedious to produce and must consist of detailed information regarding the network operator and each data recipient. In addition, record keeping and reporting of personal information data will be extra administrative obligations. Records must contain specific information that is laid out in Article 8. Annual reports on the conditions of the personal information export must be submitted to the local cybersecurity administration at the end of each year. Moreover, legal contracts will need to be updated between network operators and data recipients to comply with the Measures. Multinational corporations will have to adjust to these time-consuming administrative tasks that are mandatory for data transfer overseas.
Lastly, foreign companies should be aware that the new draft Measures may significantly add to the cost of doing business in China. Many foreign firms have no presence in China but collect personal data from Chinese users online. Under Article 20 of the draft Measures, such corporations would be required to fulfill the obligations of the Measures through “domestic legal representatives or organizations.” Therefore, obtaining a legal representative in China will be an extra cost to consider for some companies. Other expenses may go towards additional administrative assistance and management to ensure that the company is preparing and submitting documents in accordance with the regulations. In conclusion, foreign businesses that collect personal data of domestic users in China should prepare for the time and resources needed to comply with the 2019 draft Measures.
It is important to note that the 2019 draft Measures do not solely apply to foreign businesses operating in China. Foreign firms in China do not face stricter regulations than domestic firms. The Measures apply to all domestic network operators that collect the personal information data of Chinese users. Overseas organizations are simply held to the same standards as domestic entities. Therefore, domestic and foreign firms are both responsible for fulfilling the same obligations when transferring personal information data overseas.
“Personal information” is defined in the draft Measures as “various information recorded by electronic or other means that, alone or in combination with other information, can identify a natural person’s personal identity, including but not limited to the name of the natural person, date of birth, ID number, personal biometric information, address, phone number, etc.”
Publication date: 27 February 2020
Executive Agency for Small and Medium-sized Enterprises