On May 19, 2017, the Cyberspace Administration of China (“CAC”) issued a revised draft (the “Revised Draft”) of its Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. The original draft was issued in April 2017, and similar to the original draft, the Revised Draft does not have the impact of law; it does, however, provide an indication of how the CAC’s views on the Cybersecurity Law have evolved since the publication of the original draft. The Revised Draft was issued after the CAC received comments on the original draft from numerous parties.
The principal issues and challenges presented in the original draft remain largely the same in the Revised Draft, although certain issues have been clarified. Below are some key issues addressed in the Revised Draft:
- The Revised Draft maintains the original draft’s restrictions on cross-border transfers of personal data, and applies the restrictions to “network operators.” Prior to conducting cross-border transfers, “network operators” are required to notify data subjects and obtain their consent.
- Data subject consent to a cross-border transfer will not be required during emergencies (i.e., when the life or property of a data subject is in danger).
- The data subject’s consent can be established in implied form by way of an affirmative act by the data subject.
- The Revised Draft maintains the original draft’s requirement to conduct a “security assessment” on all cross-border transfers of personal data. Large-scale transfers, or transfers involving relatively sensitive information, must be conducted before a regulatory authority. The original draft defined large-scale transfers as those involving personal data of more than 500,000 individuals or involving files larger than 1,000 GB; the Revised Draft’s definition no longer includes files larger than 1,000 GB.
- The definition of “network operator” remains very broad under the Revised Draft, and may apply to practically any material enterprise.
- The Revised Draft is stated to go into effect together with the Cybersecurity Law itself on June 1, 2017. However, the Revised Draft also contains a grace period for the cross-border transfer restriction. Under that grace period, “network operators” will only have to comply with the requirements on cross-border transfers beginning on December 31, 2018.