On May 27, 2017, the National Information Security Standardization Technical Committee of China published draft guidelines on cross-border transfers pursuant to the new Cybersecurity Law, entitled Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (the “Draft Guidelines”). The earlier draft, Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (the “Draft Measures”), requires network operators to conduct “security assessments” when they propose to transfer personal information and “important information” to places outside of China. These “security assessments” are essentially audits of the cybersecurity circumstances surrounding the proposed transfer that are intended to produce an assessment of the risk involved. If the assessment indicates that the risk is too high, the transfer must be terminated.

The Draft Guidelines, once finalized, are intended to establish norms for working requirements, methodology, content and the determination of conclusions for these “security assessments.” They recommend particular content for consideration during “security assessments,” such as the volume of information to be transferred, the political and legal environment in the place where the data recipient is located, and the security safeguard capabilities of both the transferor and the data recipient. At this time, the following observations can be made:

  • Very generally speaking, the Draft Measures appear to take a risk-based approach, meaning that an assessment of the overall risks associated with a cross-border transfer, and the likely outcomes thereof, rather than a formalistic “check the box” compliance approach, should be used to determine whether the transfer should proceed.
  • The Draft Guidelines appear intended, once finalized, to be a voluntary rather than compulsory document.
  • The “security assessments” would focus on two overall inquiries: (1) the legality and appropriateness of the proposed cross-border transfer, and (2) the controllability of the risks involved.
  • In addition to personal information, the Draft Measures would also impose restrictions on the cross-border transfer of “important information.” The Draft Measures define this term broadly as “information which is very closely related to national security, economic development and the societal and public interests.” The Draft Guidelines provide some specific possible examples of what might constitute “important information.”
  • The Draft Guidelines would introduce into the Cybersecurity Law’s implementation framework the concept of “sensitive personal information,” as well as the possibility of desensitizing this information using processing that removes or reduces the sensitive elements in the data.

The Draft Guidelines’ content and approach may change by the time they are finalized. The Draft Guidelines are open to comment from the general public until June 26, 2017.