Cross-border data transfers: China issues new measures to strengthen data localisation

On 11 April 2017 the Cyberspace Administration of China (CAC) issued draft “Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data Overseas” (Measures) for public comment. In this briefing, we outline the key aspects of the Measures and examine the implications for businesses in China.

The draft Measures are one step further towards the implementation of the National Security Law of China and the Cybersecurity Law of China (Cybersecurity Law), which will come into effect on 1 June 2017. Once adopted, the Measures will have a significant impact on businesses (in particular, multi-national businesses) in China which have operational needs for cross-border data transfers. Multi-national businesses should therefore review their internal cross-border data transfer policies and be prepared to make necessary adjustments once the Measures are adopted.

Under Article 37 of the Cybersecurity Law the data localisation requirements are applicable solely to operators of critical information infrastructure (CII). However, the Measures have significantly expanded the scope of the data localisation requirements so as to cover all network operators. Under Article 2 of the Measures network operators are required to store within the territory of China personal information and important data collected and generated in the course of their operations in China. For purposes of the Measures, Hong Kong, Macau and Taiwan are likely to be excluded from the territory of China. 

The effect of Article 2 of the Measures is that the data localisation requirements would apply if:

1. a business qualifies as a network operator under the Cybersecurity Law (i.e. an owner, administrator of network or a network service provider);
2. the business operates a business within the territory of China; and
3. personal information and important data is collected and generated in the course of the business’s operations in China.

If any of the above conditions is not satisfied, the data localisation requirements would not apply.

Furthermore, under Article 16 of the Measures, individuals and organisations in China not qualifying as network operators are nonetheless recommended to carry out security assessments of cross-border data transfers by reference to the Measures. This provision could potentially render all entities in China subject to regulation by the Measures and to the data localisation requirements under the Measures.

A cross-border data transfer is defined as “the provision of personal information and important data collected and generated within the territory of China to overseas institutions, organisations or individuals by network operators”. If broadly interpreted by the authority, a cross-border data transfer would be deemed to have occurred if a network operator:

1. transfers personal information and important data to entities outside of China via a network;
2. allows entities outside China to remotely access the personal information and important data stored in China via a network; or  
3. provides personal information and important data to entities outside China through physical means (e.g. by using portable storage devices).

Like the Cybersecurity Law, the Measures have yet to provide a clear definition (or specific examples) for “important data”. However, the Measures suggest that national standards and identification guidelines relating to “important data” will be issued.  

Under the Measures, the competent industry regulators (e.g., the Ministry of Industry and Information Technology, the China Banking Regulatory Commission, the China Securities Regulatory Commission, and the China Insurance Regulatory Commission, etc.) will act as regulatory authorities in relation to security assessments for their respective sectors.

If a competent industry regulator cannot be identified, CAC will assume the role of the regulatory authority. In addition, CAC will be responsible for the overall coordination of the security assessments of cross-border data transfers, and may issue instructions to industry regulators in this respect. It is expected that industry regulators may formulate implementing regulations for security assessments of cross-border data transfers in their respective industries.

In addition, national cyberspace authorities (e.g., CAC), public security departments (i.e., China’s police departments) and national security departments have the right to determine whether data shall be prohibited from being transferred out of China.

Scope

A security assessment of a cross-border data transfer should focus on the following aspects:

1. the necessity of the cross-border data transfer;
2. the personal information involved, including the amount, scope, type, and degree of sensitivity; and whether the data subject has consented to the cross-border transfer of his/her personal information, etc.;
3. the important data involved, including the amount, scope, type, degree of sensitivity of the important data, etc.;
4. the security measures, capability and level of security protection of the data receiver, and the cybersecurity environment of the country or region in which the data receiver is located;
5. risks of leakage, damage, tampering and abuse of data after the cross-border data transfer or subsequent re-transfer;
6. risk of harm to national security, social public interest and individual legitimate interests arising from the cross-border transfer and convergence of data; and
7. other important aspects that need to be assessed.

Based on the above, network operators must first prove the necessity of a cross-border data transfer before the data can be transferred out of China. However, the Measures have yet to provide any standard of proof in this respect. We understand that network operators may prove the necessity of a cross-border data transfer by explaining in detail the actual business needs.

Self-assessment

Under the Measures, a network operator should organise a security assessment on its own initiative prior to a cross-border data transfer taking effect. Network operators are to be responsible for the results of security assessments - meaning that network operators will be held liable if there is any violation in relation to the security assessments. They will also be held liable if they do not proactively conduct self-assessments prior to cross-border data transfers. However, the Measures fail to provide specific punitive measures for network operators violating such obligations.

Regulator assessment

Network operators should report to their respective industry regulators for the relevant regulator to organise a security assessment under any of the following circumstances:

1. the data contains (or accumulatively contains) personal information of more than 500,000 individuals;
2. the amount of data exceeds 1,000GB;
3. the data contains information regarding nuclear facilities, chemical biology, national defense or military, population health, data related to large-scale engineering activities, the marine environment, or sensitive geographic information;
4. the data contains cybersecurity information, such as system vulnerabilities or security measures relating to critical information infrastructure;
5. provision of personal information or important data to overseas receivers by operators of CII; or
6. other circumstances that may affect the national security and social public interests and are considered to be subject to assessment by the industry regulators or regulatory authorities.

Security assessment organised by industry regulators must be completed within 60 working days, and the results will be reported to CAC. Data will be prohibited from being transferred out of China under any of the following circumstances:

1. the data subject does not consent to the cross-border transfer of his/her personal information, or if such transfer may bring harm to personal rights and interests;
2. the cross-border data transfer poses risks to the security of State politics, the economy, technology, or national defense, and may affect national security or harm social and public interests; or
3. other circumstances in which CAC, public security departments, or national security departments determine that the data is prohibited from being transferred out of China.

It is clear from item (1) above that network operators must first obtain the consent from data subjects prior to cross-border data transfers. The Measures do not provide how the circumstances (1) to (3) above are determined. It is expected that subsequent national standards or guidelines may be issued to shed light on this.

Annual assessment and re-assessment

After the initial self-assessment or regulator assessment prior to the cross-border data transfer, network operators are not required to carry out a security assessment every time they transfer the data out of China. Instead, network operators must conduct a security assessment at least once a year, and report the results to their respective industry regulators.

If the data recipient is changed, or there is any substantial change to the purpose, scope, amount, or type of the cross-border data transfer, or there is any material security incident relating to the data recipient or the data transferred out of China, a security assessment must be re-conducted in a timely manner.

The issuance of the draft Measures is a strong indication of the Chinese Government’s intention to impose data localisation requirements on all network operators and to tighten requirements in relation to cross-border data transfers. This is consistent with the concept of “Cyberspace Sovereignty” as reflected in the Chinese Government’s policies that underscore the Cybersecurity Law.

Once finalised and adopted, the Measures could present compliance challenges and increase compliance costs for businesses (in particular, multinational businesses) in China which have operational needs for cross-border data transfers. For example:

1. a cross-border data transfer would be allowed only if a business can prove (in a security assessment) that such transfer is necessary for operational reasons;
2. the security assessments would be conducted by Government authorities under certain circumstances, which may render network operators subject to the approvals of Government authorities on cross-border data transfers; and
3. security assessments in relation to cross-border data transfers could be costly and time-consuming.

We therefore recommend that businesses:

1. review the data collected and generated in their operations in China and their existing (and future) cross-border data flows;
2. formulate internal cross-border data transfer policies and security assessment procedures;
3. carefully study the requirements proposed by the Measures and assess whether there is a need to change their existing cross-border data transfer policies and security assessment procedures (if any) to ensure compliance with the Measures; and
4. once the Measures are adopted, proactively communicate with the competent industry regulators (or, if such regulators cannot be identified, CAC) prior to cross-border data transfers taking effect in order to confirm whether self-assessments or regulator assessments would be required, and in any event maintain good communications with the relevant authorities during the entire security assessment process.

As the Measures are subject to further revision and adoption, we will continue to monitor the situation and provide updates on any significant developments.