The Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (Draft for Comments) (Data Transfer Measures) and the Draft Guidelines on Security Assessment for Data Transfers (Draft Guidelines) were published for consultation in April and May, respectively. A revised version of the Draft Guidelines was further published for consultation at the end of August. The drafts apply the data localization requirement to “network operators”. The CSL widely defines “network operators” as owners or administrators of a network, and network service providers. The proposed application could cover all businesses with internal computer systems, or online platforms operating over the internet in China. The broad definition of “network operator” under the new law also widens the potential application scope of the data localization requirement.

In an attempt to clear away any confusion, CAC officials at the Q&A emphasized and confirmed that data localization applies only to CII operators rather than all network operators. Be that as it may, inconsistency with the Draft Data Transfer Measures and the Draft Guidelines remains.

Targeted data

Operators of CII (under Article 37 of the CSL) and network operators (as per the Draft Data Transfer Measures and Draft Guidelines) are required to store “personal information” and “important data” in China. While the CSL provides a definition of “personal information”, it leaves “important data” open to interpretation. Once again, this creates uncertainty as to the scope of data that could potentially be subject to the data localization requirement. Companies are particularly concerned as to whether “important data” would cover business and commercial data.

To alleviate corporate concerns, the Q&A clarified that “important data” is data concerning the state, and not data relating to businesses or individuals. Further, the Draft Data Transfer Measures and the Draft Guidelines also define “important data” as data closely related to national security, economic development and public interests. On this basis, it appears that “important data” will unlikely cover business or commercial information.

However, at the end of the Draft Guidelines is a comprehensive appendix on what “important data” is in relation to certain key industries and sectors. Somewhat confusingly, its contents appear to be incompatible with the definition provided in the same Draft Guidelines. In particular, some of the detailed items of data listed in the appendix appear to relate to business and commercial information (e.g. industry operational data, business strategy, and investment and development data), as well as personal information (e.g. private individuals' e-commerce account information, financial data, bank account information, and credit information). Industry regulators are expected to clarify the exact scope of “important data” relevant to their sectors and jurisdictions in due course, and only then would businesses be able to clearly identify the scope of “important data” subject to local storage.

Security self-assessments

The prohibition on transferring personal information and important data outside of China is not absolute. According to Article 37 of the CSL, even if the data localization requirement applies, data may be exported if necessary for “business needs” provided that a security assessment is conducted in accordance with measures formulated by the CAC and other relevant authorities. Through the Q&A, the CAC official clarified that the purpose of the security assessment is to determine that overseas transfer of relevant data does not endanger or harm national security or social and public interests.

The Draft Data Transfer Measures provide that the assessment may be conducted by the businesses themselves, unless the data falls within one of the exceptions, which include, but not limited to:

• the data involves the personal information of over 500,000 individuals;
• the data volume exceeds 1,000GB;
• the data contains information in the fields of nuclear facilities, chemical biology, national defence and military, population health and the like, and information about major engineering activities, the marine environment and sensitive geography;
• the data contains network security information of CII;
• CII operators provide personal information and important data for overseas parties; and
• other factors that may affect national security and public interests.

In these situations, network operators must notify the relevant industry authority or regulator and the security assessment will be arranged by the relevant industry authority or regulator. In other circumstances where businesses conduct a self-assessment, the next concern is the scope and requirements of the review.

Security assessment procedure

The Draft Guidelines provide a first glimpse of the intended scope of the security assessment, which, in essence, involves two steps. First, network operators would be required to set out data export plans, the content of which must include:

• in relation to personal information: the scope, type, scale and sensitivity of the data;
• in relation to “important data”: the scope, type and scale of the data;
• the information systems involved;
• the security protection measures of the data exporter; and
• the security protection measures and the basic situation of the receiving party and their country or region.

Network operators must then assess: (i) the lawfulness, appropriateness and necessity of the data export; and (ii) the level of risk involved in the transfer. Factors to be taken into account in the assessment include the following:

Following the assessment, if the data export is deemed either unlawful or inappropriate, or if the level of risk is categorized as “high” or “extremely high”, it will not be permitted.

Although the Draft Guidelines provide some useful guidance as to how businesses can conduct self-assessments when cross-border data transfers are necessary, the possible lack of technical ability and resources to be able to do so in the manner described remains a key concern.

Loading…

Notwithstanding the clarifications provided in the Q&A, some of the answers appear to be inconsistent with the Draft Data Transfer Measures and the Draft Guidelines, in particular, the application of the data localization requirement to network operators rather than operators of CII, and the scope of “important data” that would be required to be stored in China.

In relation to data export, compared with the existing Data Protection Directive (95/46/EC) and the new General Data Protection Regulation in the EU, the PRC Cybersecurity Law contains much more ambiguity. For example, there is no officially recognized “white list” of countries that offer an “adequate level of protection for data transfers”, and neither is there a mechanism for standard contractual clauses or binding corporate rules available to allow for data export. Further, while it would appear possible for businesses to conduct self-assessments, the details of the review itself and the processes involved require further clarity and confirmation. In light of the confusing state of the law and its supporting implementing rules, many businesses are at a loss as to how to prepare for compliance with the new law.

In the meantime, however, businesses can audit or review existing security policies and measures and keep a close watch on further developments. As mentioned, relevant authorities and ministries are expected to promulgate implementing rules and measures within 12 months from the CSL's effect date to provide proper guidance to businesses. The Draft Data Transfer Measures and the Draft Guidelines will also be finalized soon, and altogether these may untangle current inconsistencies and provide clearer steps for businesses to follow.

Clarice Yue, Counsel
Bird & Bird
Hong Kong