Overseas data transfer restrictions have been extended

7 THINGS YOU NEED TO KNOW

Regulation of personal and business data and restrictions on your ability to transfer it out of China is set to become a reality on 1 June 2017 when the PRC Cybersecurity Law comes into force. Last week the Cyberspace Administration of China (CAC) issued draft regulations that drastically increase the number of businesses caught by the offshore data transfer rules in the PRC Cybersecurity Law.

As noted in our previous updates, the PRC Cybersecurity Law and the subsequent draft measures will introduce significant changes to data protection and data security practices in China. For several years, China has been laying the foundation for data regulation through a series of court decisions, regulations and sector-specific laws. However, a distinct lack of enforcement has led many to take the view that the time, cost and business disruption associated with data compliance exceed the current threat level. As a result, many are unprepared for the imminent changes.

The establishment of a dedicated regulator and the creation of a whistleblower mechanism suggest this is a tipping point after which China will get serious about data regulation. In our view, the time for deferring compliance is over.

Proposed extension of overseas data transfer restrictions

Whereas the PRC Cybersecurity Law had previously imposed overseas data transfer restrictions only on "key information infrastructure operators", the draft regulations now suggest that most, if not all, businesses will be caught by the offshore transfer requirements. The key legal requirements and recommended actions are:-

Each of the seven items below sets out the key requirement first, followed by the required action.

1.

Key requirement: The new draft regulations apply to both "personal data" (as defined in the PRC Cybersecurity Law) and "important data", which is widely defined to include information that relates to national security, economic development, or the social or public interest.

Required action: Assess your data flows to determine what is being sent offshore and whether it falls within either of these definitions.

2.

Key requirement: Consent must be obtained from all individuals before their personal data is sent out of China.

Required action: Consents need to be obtained at all data collection points, including for employees, customers and individuals within your supply chain or distribution networks.

Existing datasets should be identified and consents obtained where none are currently in place.

3.

Key requirement: A security assessment needs to be carried out before the offshore transfer occurs.

The security assessment needs to be redone annually.

Required action: Your security assessment needs to establish:-

  • the legitimate business necessity of transferring the data offshore;
  • the amount, scope, type and sensitivity of the "personal data", and whether consent has been obtained;
  • the amount, scope, type and sensitivity of the "important data";
  • the security measures established by the offshore data recipients (including group companies);
  • the risk of the transferred data being retransferred, leaked or misused; and
  • whether the transfer may create national security concerns or risks to the public or to individuals.

4.

Key requirement: The offshore transfer needs to be notified to the relevant regulators if any of the following transfer thresholds are met:-

  • data sets of 500,000 or more individuals;
  • data files in excess of 1,000 GB;
  • data related to nuclear facilities, chemical biology, national defence or the military, large engineering activities, ocean environmental protection or sensitive geographical information;
  • network information of "key information infrastructure", including system vulnerabilities or security measures; or
  • you are a "key information infrastructure operator".

Required action: Your security assessment should specifically identify whether any of these thresholds are met and, if so, the relevant regulators must be identified and notified.

Notification will trigger an independent assessment by the relevant regulator(s) and/or the CAC, so the notification should be carefully constructed to minimise the risk of the transfer being blocked.

Regulators are required to complete their assessment within 60 days of receiving the notification.

5.

Key requirement: There is an absolute prohibition on offshore transfer if:-

  • consent has not been obtained from the data subject for the transfer of their personal data;
  • the transfer may result in risks to state politics, the economy, technology, national defence, national security, or the social or public interest; or
  • any relevant regulator issues a specific prohibition.

Required action: Data must not be transferred offshore in any of these circumstances.

For businesses caught by these prohibitions and unable to avoid them, China-based infrastructure and onshore processing is likely to be the practical solution.

6.

Key requirement: Any individual or organisation has the right to report an offshore transfer that violates the law to the relevant regulators.

Required action: Complaints by individuals are one of the most common ways in which privacy and data security issues are brought to the attention of regulators in other countries. Disgruntled employees and competitors represent obvious threats, and this practical risk needs to be considered as part of your data handling policies and practices.

The "nobody will find out" argument has suddenly become less compelling.

7.

Key requirement: Sanctions will be imposed for a violation of the provisions of the regulations in accordance with the relevant laws and regulations.

Required action: While specific sanctions are not called out in the draft regulations, the sanctions in existing privacy laws are wide-ranging and include the possibility of cancellation of your China business licence.