China Solicits Opinions Concerning Exportation of Personal Information and Important Data
As China's new Cyber Law kicks off, multinationals are turning their attention to compliance issues, including data transfer issues. This article looks at the current state of the law in this area.
Since the PRC Cyber Security Law came into effective on June 1, 2017, China has issued or has been drafting a series of regulations/standards, in order to coordinate with the Cyber Security Law. One of the drafted regulations is the Measures of Safety Assessment of Personal Information and Important Data Exported Abroad (Soliciting for Opinions) (“the Draft Measures”) issued by the Cyberspace Administration of China (“the CAC”) on April 11, 2017.
The Draft Measures is composed of eighteen articles, with the key points being as follows:
⋅ Storing data in China: personal information and important data generated and collected within China by the network operator shall be stored in China. In case of transferring them abroad, it shall conduct a security evaluation (Article 2).
⋅ Obtaining consent: in case of transferring personal information abroad, it shall obtain consent from the subject of such information (Article 4).
⋅ Self-evaluation: prior to transferring, the network operator shall conduct security evaluation to the data and be liable to the evaluation result (Article 7).
⋅ Evaluation content: including but not limited to necessity of the transferring; situation of the involved personal information; situation of the involved important data; situation of the data recipient and its network security environment; risk of being disclosed, destroyed, amended, abused and the like upon transferring; risk to national security, social interest and personal interest after transferring etc (Article 8).
⋅ Evaluation by industry administrative or supervision departments in case of one of the following six circumstances: containing or cumulatively containing more than 500,000 person’s personal information; amount of data more than 1000GB; data in the fields of nuclear facility, chemical biology, national defense, demographic health etc., data, such as mega engineering activities, oceanic environment and sensitive geographic information; network security information, such as system leak, security protection of key information infrastructure; personal information and important data provided abroad by the operator of the key information infrastructure etc (Article 9).
⋅ Circumstance that data should not be transferred: personal information that is obtained without obtaining consent from the subject thereof, or may damage such person’s interest; data that causing security risk to national politics, economy, technology, defense and so on, and may affect national security and damage social public interest; others that are recognized as forbidden to be transferred abroad by CAC, Public Safety, Security and other departments (Article 11).
In accordance with the Cyber Safety Law, operator of key information infrastructure shall store personal information and important data collected and generated during its operation within the territory of the People's Republic of China in China. The key information infrastructure mentioned above includes public telecommunication and message service, energy, transportation, water conservancy, financing, public service, e-government, as well as those may severely threaten national security, people’s livelihood and public interest once such key information infrastructure are damaged, malfunctioned or suffered data loss.
In other words, based on the content mentioned above, not all of the personal information and important data are required to be stored within China, unless those information and data fall into the category of key information infrastructure. In addition, certain kinds of information/data, such as personal credit information, personal financial information, health information, map data, government information, enterprises’ accounting information and human inheritance resource information and the like, are also prohibited or restricted to be transferred abroad.
However, according to the Draft Measures, the subject of information and data to be stored within China is defined as the network operator, who is the owner, administrator and network service provider. Such definition means that, in case no further amendment is made to the said Draft Measures, the scope of mandatory data storage in China will be expanded to all web operators. In addition, the network operators will also be included to conduct security evaluation by themselves, or report to the relevant departments under certain circumstances for evaluation, to the information/data generated or collected during their operation, prior to transferring them abroad.
Although the Draft Measures does not forbid transferring personal information and important data, unless such information/data falls into one of the three circumstances provided in Article 11 thereof, those three circumstances are very vague and lack of enforceability. Taking one of the forbidden circumstances, “data that causing security risk to national politics, economy, technology, defense and so on, and may affect national security and damage social public interest”, as an example, it needs to specify a more detailed standard/guide for an enforceable evaluation, such as definition of the risks, degrees of risks and so on.
Nevertheless, according to the latest news, the National Information Security Standardization Technical Committee issued a draft of Information Safety Technology Data Transferring Abroad Safety Evaluation Guide (“the Draft Guide”) for opinion solicitation from May 27, 2017 to June 27, 2017, apart from making definition of some important terms, such as network operator, personal information, important data, self-assessment and so on, it proposes to further specify issues, such as assessment process, assessment key points (e.g. method of security evaluation and the like), and define the scope of the important data in 28 fields (e.g. petrol and natural gas, coal, petrochemical etc.). It is worth of mentioning that, the definition of the “network operator” in the Draft Guide is the same as that of the Draft Measures. Also, as a Guide, it is not mandatory as laws and regulations are; however, the Draft Guide will be probably adopted by network operators from various industries due to the lack of laws/regulations specifying the security evaluation.
The solicitation for the Draft Measures was terminated on May 11, 2017, and it is estimated that the finalized Measures will be issued within the second half of the year, assuming that there is no fundamental changes to be made. Thus, it is suggested that pay close attention to the follow-up of the Draft Measures, as well as other relevant documents (e.g. the Draft Guide), and make relevant preparation to comply with the new regulations concerning data cross-border transfer.
ABOUT THE AUTHOR: Fei Dang
Fei Dang is an Associate in the MMLC Group.
Copyright MMLC Group
More information from MMLC Group
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.