China's New Measures (Draft) on Cross-border Data Transmission
By Jihong CHEN
On April 11, 2017, the State Internet Information Office issued a notice seeking public comment on the Measures on Security Assessment Relating to Export of Personal Information and Important Data (Draft for Comment) (the “Assessment Measures”).
The scope of application extends beyond the Cyber Security Law.
The Assessment Measures are promulgated on the basis of the National Security Law and the Cyber Security Law. Accordingly, the scope of the security assessment extends beyond the scope of Article 37 of the Cyber Security Law. Under Article 2, all personal information and important data collected and generated by network operators within the territory of the People’s Republic of China (for this purpose, Hong Kong, Taiwan and Macau are unlikely to be regarded as part of the territory of the PRC) shall be stored within the territory of China; this is a general requirement. As an exception, where personal information and important data need to be exported to a place outside China for business reasons, a security assessment shall be conducted beforehand. This provision significantly expands the scope of the data localization requirements.
What is the export of data?
Under the Assessment Measures, the export of data means that a network operator provides personal information and important data collected and generated during its operations within the territory of the People’s Republic of China to institutions, organizations or individuals located outside China.
The Assessment Measures therefore define a physical boundary: providing the data to an overseas subject constitutes an export of data, regardless of the identity of the receiver. We understand that data transmission in each of the following cases constitutes an export of data as defined by the Assessment Measures:
(1) a network operator within the territory of China transmits the data directly to an overseas subject through the network;
(2) a network operator allows an overseas subject to access and read data located within the territory of China through the network;
(3) a network operator within the territory of China provides the data to an overseas subject by means other than the network (for example, by physically carrying it).
Self-assessment and regulatory assessment
The Assessment Measures set out two assessment procedures, self-assessment and regulatory assessment (assessment by the regulatory authorities), depending on the importance of the data. The basic principle of supervision over the export of data is that, for general data, the enterprise conducts the assessment itself and is responsible for it; for specific data, the regulatory authority organizes the assessment and decides whether the data may be exported.
We understand that industry competent authorities such as the China Banking Regulatory Commission (CBRC), the China Securities Regulatory Commission (CSRC), the China Insurance Regulatory Commission (CIRC) and the Ministry of Industry and Information Technology of the People’s Republic of China (MIIT), or other regulatory authorities, will gradually formulate implementing rules for the security assessment of data export in their respective industries.
Annual assessment and re-assessment
The Assessment Measures establish an annual assessment system and a re-assessment system.
Under Article 12, network operators shall conduct a security assessment on the export of data at least once a year and promptly report the result to the industry competent authority or the regulatory authority. If the circumstances underlying the assessment change, for example if the data receiver changes, the purpose, scope, quantity or type of the exported data changes substantially, or a major security incident affects the data receiver or the data to be exported, the security assessment shall be conducted again.
The content of the security assessment
The security assessment must first establish the necessity of the export of data. We understand that the management requirements of multinational enterprises, the disclosure and reporting requirements of listed companies, the requirements of carrying out legitimate business, and other similar requirements may be regarded as legitimate or necessary. The assessment covers the nature and content of the data, the amount of data, the receiver’s security measures, the legal environment of the country in which the receiver is located, and the risk of data abuse.
Circumstances in which data may not be exported
Under Article 10, data may not be exported in the following circumstances:
(1) The export of personal information is without the consent of the subject of the personal information, or may be against the interests of the subject;
(2) The export of data may bring risks to the political, economic, scientific and technological, national defense or other security fields of the state, and may affect national security or harm the social and public interest;
(3) Other circumstances, as determined by the national network information administration, police, security and other relevant departments, in which the data cannot be exported.
Accordingly, where personal information is to be exported, the consent of the subject of the personal information must be obtained and, to satisfy the procedural requirements of the assessment, the authorization should be in writing and provable. Data transfers that may endanger national security or the social and public interest will be prohibited, but the Assessment Measures do not set out the specific circumstances that would endanger national security or the social and public interest. We understand that subsequent national standards or industry guidelines may define these specifically as the standard for the assessment.
This article is for communication purposes only; it does not constitute a formal legal opinion and may not be relied on for any business decision or legal action.