Following the publication of the Measures for Data Security Management (draft for public comments)[1] on 28 May 2019, the Cyberspace Administration of China further released the Measures for Security Assessment of Cross-border Transfer of Personal Information (draft for public comments) (Cross-border Transfer of PI Draft or Draft) on 13 June 2019, which targets an important element of data management – that is, “cross-border transfer of personal information (PI)”[2]. In comparison with the previously published Measures for the Security Assessment of Cross-border Transfer of Personal Information and Important Data (draft for public comments)[3] and the Information Security Technology – Guidelines for Data Cross-border Transfer Security Assessment (draft for public comments)[4], the Draft has put forward a different regulatory framework for cross-border transfer of PI.

Highlights of the Cross-border Transfer of PI Draft include:

I. Adjusting security assessment system

The Draft no longer distinguishes among PI by extent of sensitivity, quantity, and so forth[5]. Rather, it provides that prior to cross-border transfer of PI, network operators must apply to the relevant local branch of the Cyberspace Administration of China (Cyberspace Authorities) for security assessment. To avoid placing excessive burdens on network operators, the Draft also stipulates that it is not necessary to apply for multiple assessments if PI is frequently or continuously provided to the same recipient. However, as a qualifying condition, the Draft also stipulates that every two years, or when there are changes to the purpose, type or retention period of PI, such cross-border transfer of PI must be reassessed.

II. Establishing mandatory contract terms system

According to the Draft, one of the documents that must be submitted for security assessment is the cross-border transfer of PI contract between the network operator and the overseas recipient. The Draft also provides that such contract must include mandatory terms and conditions such as the purposes and types of transfer, network operator’s necessary obligations, recipient’s necessary obligations, etc. After careful perusal, we suggest paying particular attention to the following essential terms[6]:

(1) When the lawful rights and interests of a PI subject (Individual) are violated, the Individual can claim damages against the network operator and/or the recipient (unless the network operator and/or recipient can prove that they are not liable). Moreover, if the Individual cannot obtain damages from the recipient, the network operator shall pay damages first;
(2) The network operator shall at the request of the Individual provide the Individual with a copy of the cross-border transfer of PI contract;
(3) The recipient shall provide the relevant Individual with access to his/her PI. The recipient shall also respond, correct or delete the relevant information pursuant to the Individual’s request at a reasonable cost, and within a reasonable time; and
(4) The recipient must not transfer the PI received to any third parties, unless the conditions prescribed under the Draft are satisfied (including the four conditions, such as the relevant consent from the Individual having been obtained when sensitive PI is involved, etc.).

We understand that an important purpose of setting up the contract terms system is to monitor overseas recipients indirectly by means of contract management.

III. Establishment of record retention and annual reporting systems

The Draft prescribes that a network operator shall establish a record of cross-border transfer of PI (the contents of which shall meet the requirements under the Draft) and keep the record for at least 5 years. At the same time, a network operator must report to the Cyberspace Authorities on the status of overseas transfer of PI, contract performance, and so forth by 31 December every year. In addition, in the case of a relatively large-scale data security event, the network operator shall make a timely report to the Cyberspace Authorities.

IV. Establishment of other regulatory systems

The Draft has introduced several other regulatory systems, including: (1) in some specific circumstances (e.g., network operators’ or recipients’ large-scale data leakage or abuse), the Cyberspace Authorities have the power to require network operators to suspend or terminate the overseas transfer of PI; (2) if overseas organisations collect PI in the course of their business operations from users who are in China through the Internet, they shall fulfil the obligations of network operators through their legal representatives or organisations in China; and so on.

From a practical point of view, some of the issues provided under the Draft may still require further clarification[7]. That being said, in comparison with previous drafts[8], the regulatory framework reflected in the Cross-border Transfer of PI Draft seems more reasonable, and could be more conducive to facilitating the safer circulation of PI.