On April 11, 2017, the Cyberspace Administration of China (“CAC”) issued the draft Measures for the Security Assessment of Export of Personal Information and Critical Data (“Draft”) soliciting public comments. This move by the CAC is a positive development which paves the way for easier implementation of the new PRC Cyber Security Law taking effect on June 1, 2017 (“CS Law”). Article 37 of the CS Law generally stipulates that critical information infrastructure operators (CIIO) must store onshore the personal information and important data collected and generated in the course of their operations in China. If transmission of such data out of China is necessary due to business needs, clearance procedures shall be followed according to separate rules to be formulated by the CAC, such as the Draft. However, besides clarifying the implementation details, this Draft also brings more complexities and concerns. Below is a quick analysis by Taylor Wessing’s TMC team of this Draft.
Who is concerned?
A purely literal reading of the CS Law gives the impression that CIIO means, for example, telecom infrastructure service operators. However, there is no clear definition of this term under the CS Law. The CS Law lists examples of industries whose information infrastructure operators will qualify as CIIO, such as public communication networks and information services, energy, transport, water conservancy, finance, public services and e-government affairs. It further extends CIIO to other areas where a data breach or security compromise could result in serious harm to national security, the national economy, people’s livelihood and the public interest. Since “information service” is a very broad and vague term which could potentially be interpreted extensively to cover every business with an online feature, the business community has been awaiting more clarity in this regard.
Surprisingly, the Draft does not address CIIO. Instead, it rephrases Article 37 of the CS Law by imposing local data storage requirements upon “network operators”. This term is further defined as those who own networks, manage networks and provide network services. Although the Draft regulates data export clearance procedures, the use of a different term for the obligated party creates the impression that local storage of data becomes a general principle (instead of applying only to CIIO). This is the particular impression conveyed when the Draft further states that other individuals or organizations shall also refer to the data export clearance procedures under this Draft.
What data are concerned?
Article 37 of the CS Law refers to two types of data, namely personal data (i.e. more individual-based data) and critical data (i.e. more group-based data) collected and generated within the territory of China. The definition of the former is repeated under the Draft, i.e. information recorded by electronic or other means that, alone or jointly with other information, can serve to identify a natural person, including but not limited to a natural person’s name, date of birth, identification number, personal biometric data, address, or phone number. The CS Law does not define critical data. The Draft clarifies that critical data shall be data closely related to national security, economic development and the public interest, the exact scope of which shall follow relevant national standards and classification guidance.
According to the Draft, the following data may not be exported:
- personal data for which no prior consent to export was obtained, or whose export might jeopardize personal interests
- (any) data whose export brings risk to national security (e.g. politics, economy, technology, national defense) or may possibly affect national security and damage the public interest
- other data whose export is barred by administrative authorities such as the CAC, the police authority and the national security authority.
Security assessment procedures
For the export of personal data and critical data, a self-assessment obligation applies to all network operators, who shall be responsible for the results of their own assessment. Such assessment shall focus on aspects such as – among others – the business need for the export; the quantity, scope, category and sensitivity of the concerned data, including consent for export where applicable; the security level and competence of the data recipient, including the cyber security situation in the country/region where the data recipient resides; and the data breach risk and impact after export, including re-export.
Where any of the following circumstances applies, a network operator intending to export the respective data shall seek clearance from the competent administrative watchdogs:
- personal information involving over 500,000 individuals (including on accrued basis)
- data size exceeding 1,000 GB
- data concerning nuclear facilities, biochemistry, national defense and military, demographics and health, large-scale project activities, marine environment or sensitive geographic information, etc.
- cyber security information about system vulnerabilities and security protection of critical information infrastructures
- other circumstances potentially impacting national security and the public interest, for which an assessment is deemed necessary by the regulatory watchdogs.
The Draft answers some pending questions under the CS Law, but also seems to create more questions than expected. This reflects the fact that the CAC – a rising power among the Chinese ministries – plays an increasingly critical role as the Chinese government treats cyber security as a matter of strategic importance.
A particular concern, as we see it, is the Draft’s extended interpretation of the CS Law by making local storage of data a general principle for all network operators, which could further be extended to cover all online activities. This could potentially mean that in future all data export would require clearance from the Chinese government in order to stay on the safe side. Though this might sound similar to the situation in Europe, where all data export is regulated, the clearance mechanism under the Draft is too cumbersome compared with the approach adopted by the EU (e.g. a data protection agreement suffices for export to a country/region not recognized by the EU as providing an adequate level of data protection). It may jeopardize business operations and contradict the goal of “promoting the orderly and free flow of data” mentioned in the Draft. Although the Draft is not yet officially in force, companies operating in China are advised to closely follow developments on this topic and prepare to tackle the new challenges that might come soon.