Transferring data overseas under the Cybersecurity Law

November 02, 2017 | By Katherine Jo &

Businesses await clarity on scope and procedure following a set of draft rules that mandate security assessments for exporting personal and important data in critical fields

The first draft of the PRC Cybersecurity Law (CSL) was published at the beginning of 2015, aimed at bringing China in line with global best practices for cybersecurity. Two years and three versions later, the law officially came into force on June 1, 2017. This highly condensed legislative process indicates China's eagerness to have the CSL in place as soon as possible. However, having the new law promulgated so swiftly with a lack of key supporting implementing rules and guidelines left many fundamental principles unclear.

As at the date of writing, a number of key concepts under the CSL require further guidance and clarification. According to a Q&A released by the Cybersecurity Coordination Bureau of the Cyberspace Administration of China (CAC) on May 31, relevant authorities and ministries are expected to promulgate regulations and implementing measures within 12 months from the date the CSL entered into effect.

With a phase-in period of less than a year, businesses operating in China are eager to understand what they need to prepare for compliance with the new law. Of particular concern is the data localization requirement—which mandates data to be stored within the PRC—and the related restrictions on exporting or transferring data outside of the country. The Q&A, together with some draft implementing measures and guidelines on data export, have raised more concerns among businesses than expected.

The key questions being asked by businesses in China regarding the law include:

  • What is the data localization requirement?
  • Who does the data localization requirement apply to?
  • What are the types of data subject to data localization?
  • Is the security assessment for data export a self-assessment exercise?
  • What does the security assessment involve?

The “data localization” requirement

Article 37 of the CSL provides that operators of critical information infrastructure (CII) are required to store personal information and important data in China. If there is a business need to transfer this information and data outside of China, a security review must be conducted in accordance with measures to be formulated by the CAC in concert with relevant supervisory authorities under the State Council.

Applicable to CII operators only?

The data localization requirement under Article 37 of the CSL applies to operators of CII. CII is defined as information infrastructure whose destruction, loss of function or data leakage would cause serious damage to national security, the economy, people's livelihood and the public interest. Sectors that are specifically mentioned under Article 31 include public communications and information services, energy, transportation, water conservancy, finance, public services and e-government affairs. Reading the law in isolation would indicate that only such operators of CII are captured by the data localization requirement.

The Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (Draft for Comments) (Draft Data Transfer Measures) and the Draft Guidelines on Security Assessment for Data Transfers (Draft Guidelines) were published for consultation in April and May, respectively. A revised version of the Draft Guidelines was further published for consultation at the end of August. The drafts apply the data localization requirement to “network operators”. The CSL widely defines “network operators” as owners or administrators of a network, and network service providers. On that definition, the requirement could cover any business with internal computer systems, as well as any online platform operating over the internet in China. The broad definition of “network operator” under the new law therefore widens the potential application scope of the data localization requirement considerably.

In an attempt to clear away any confusion, CAC officials at the Q&A emphasized and confirmed that data localization applies only to CII operators rather than all network operators. Be that as it may, inconsistency with the Draft Data Transfer Measures and the Draft Guidelines remains.

Targeted data

Operators of CII (under Article 37 of the CSL) and network operators (as per the Draft Data Transfer Measures and Draft Guidelines) are required to store “personal information” and “important data” in China. While the CSL provides a definition of “personal information”, it leaves “important data” open to interpretation. Once again, this creates uncertainty as to the scope of data that could potentially be subject to the data localization requirement. Companies are particularly concerned as to whether “important data” would cover business and commercial data.

To alleviate corporate concerns, the Q&A clarified that “important data” is data concerning the state, and not data relating to businesses or individuals. Further, the Draft Data Transfer Measures and the Draft Guidelines also define “important data” as data closely related to national security, economic development and public interests. On this basis, it appears that “important data” will unlikely cover business or commercial information.

However, at the end of the Draft Guidelines is a comprehensive appendix on what “important data” is in relation to certain key industries and sectors. Somewhat confusingly, its contents appear to be incompatible with the definition provided in the same Draft Guidelines. In particular, some of the detailed items of data listed in the appendix appear to relate to business and commercial information (e.g. industry operational data, business strategy, and investment and development data), as well as personal information (e.g. private individuals' e-commerce account information, financial data, bank account information, and credit information). Industry regulators are expected to clarify the exact scope of “important data” relevant to their sectors and jurisdictions in due course, and only then would businesses be able to clearly identify the scope of “important data” subject to local storage.

Security self-assessments

The prohibition on transferring personal information and important data outside of China is not absolute. According to Article 37 of the CSL, even if the data localization requirement applies, data may be exported if necessary for “business needs” provided that a security assessment is conducted in accordance with measures formulated by the CAC and other relevant authorities. Through the Q&A, the CAC official clarified that the purpose of the security assessment is to determine that overseas transfer of relevant data does not endanger or harm national security or social and public interests.

The Draft Data Transfer Measures provide that the assessment may be conducted by the businesses themselves, unless the data falls within one of the exceptions, which include, but are not limited to, the following:

  • the data involves the personal information of over 500,000 individuals;
  • the data volume exceeds 1,000GB;
  • the data contains information in the fields of nuclear facilities, chemical biology, national defence and military, population health and the like, and information about major engineering activities, the marine environment and sensitive geography;
  • the data contains network security information of CII;
  • CII operators provide personal information and important data for overseas parties; and
  • other factors that may affect national security and public interests.

In these situations, network operators must notify the relevant industry authority or regulator and the security assessment will be arranged by the relevant industry authority or regulator. In other circumstances where businesses conduct a self-assessment, the next concern is the scope and requirements of the review.

Security assessment procedure

The Draft Guidelines provide a first glimpse of the intended scope of the security assessment, which, in essence, involves two steps. First, network operators would be required to set out data export plans, the content of which must include:

  • in relation to personal information: the scope, type, scale and sensitivity of the data;
  • in relation to “important data”: the scope, type and scale of the data;
  • the information systems involved;
  • the security protection measures of the data exporter; and
  • the security protection measures and the basic situation of the receiving party and their country or region.

Network operators must then assess: (i) the lawfulness, appropriateness and necessity of the data export; and (ii) the level of risk involved in the transfer. Factors to be taken into account in the assessment include the following:

The lawfulness, appropriateness and necessity of the data export:

  (i) whether consent has been obtained from the individuals whose personal information is to be exported;
  (ii) whether the data export complies with provisions under relevant treaties executed between the Chinese government and other countries or regions;
  (iii) whether the data export is necessary for the network operators to perform their ordinary business activities or contractual obligations; and
  (iv) whether the data export is required for carrying out contractual obligations, for internal corporate business development, for judicial assistance, for the performance of obligations by supervisory authorities, or for other purposes of protecting national security, economic development or the social and public interests of citizens.

The level of risk involved in the transfer:

  (i) the type, scope, sensitivity (in relation to personal information) and volume of the data;
  (ii) the likelihood and impact of information security breach incidents, including assessing:
      · the technical measures undertaken by the data exporter and its management abilities;
      · the technical measures and management abilities of the data recipient; and
      · the political and legal environment of the recipient country.

Following the assessment, if the data export is deemed either unlawful or inappropriate, or if the level of risk is categorized as “high” or “extremely high”, it will not be permitted.

Although the Draft Guidelines provide some useful guidance as to how businesses can conduct self-assessments when cross-border data transfers are necessary, whether businesses have the technical ability and resources to carry out an assessment in the manner described remains a key concern.


Notwithstanding the clarifications provided in the Q&A, some of the answers appear to be inconsistent with the Draft Data Transfer Measures and the Draft Guidelines, in particular, the application of the data localization requirement to network operators rather than operators of CII, and the scope of “important data” that would be required to be stored in China.

In relation to data export, compared with the existing Data Protection Directive (95/46/EC) and the new General Data Protection Regulation in the EU, the PRC Cybersecurity Law contains much more ambiguity. For example, there is no officially recognized “white list” of countries that offer an “adequate level of protection for data transfers”, and neither is there a mechanism for standard contractual clauses or binding corporate rules available to allow for data export. Further, while it would appear possible for businesses to conduct self-assessments, the details of the review itself and the processes involved require further clarity and confirmation. In light of the confusing state of the law and its supporting implementing rules, many businesses are at a loss as to how to prepare for compliance with the new law.

In the meantime, however, businesses can audit or review existing security policies and measures and keep a close watch on further developments. As mentioned, relevant authorities and ministries are expected to promulgate implementing rules and measures within 12 months from the CSL's effect date to provide proper guidance to businesses. The Draft Data Transfer Measures and the Draft Guidelines will also be finalized soon, and altogether these may untangle current inconsistencies and provide clearer steps for businesses to follow.

Clarice Yue, Counsel
Bird & Bird
Hong Kong
