The draft legislation provides further guidance on the regulations provided in the recent cybersecurity law, including definitions and details on the security assessments required for cross-border data transfers.
China’s recently enacted Cybersecurity Law (CL), effective June 1, 2017, requires that personal information and important data collected and produced by critical information infrastructure (CII) operators in China be stored in China. The CL also requires that security assessments be performed before personal information and important data are provided to any entity or individual outside of China (Cross-border Data Transfer). Along with the CL, China has published other draft legislation addressing the requirements for local storage and Cross-border Data Transfer and soliciting public comments. The new draft implementing rules include
- Measures for the Security Assessment of Cross-border Transfer of Personal Information and Important Data (Consultation Draft)(the Assessment Measures);
- Assessment Guidelines for Security Assessment of Cross-border Data Transfer (Consultation Draft) (the Assessment Guidelines); and
- Regulation for the Security Protection of the Critical Information Infrastructure (Consultation Draft) (the CII Regulation).
These drafts provide definitions and the scope of key concepts under the CL as well as more details regarding the security assessment required for Cross-border Data Transfer. Multinational corporations collecting and transferring data from China should consult this draft legislation and understand the legislative trends in order to prepare for the specific steps that must be taken regarding the storage and transfer of data once the legislation comes into effect. In this LawFlash we set out the highlights of this draft legislation and compare them to the CL.
Who Is Subject to Local Storage and Security Assessment Requirements
While the CL only applies the local storage and security assessment requirements for the Cross-border Data Transfer of “personal information” and “important data” to CII operators, the current draft of the Assessment Measures states that all “network operators” are generally obliged to conduct a security review of Cross-border Data Transfers if the data contains “personal information” or “important data”; it also says that such data must be stored inside China. The draft Assessment Guidelines follow the Assessment Measures and provide the security assessment process to be used for all “network operators.”
However, in May 2017, during an official press briefing on the implementation of the CL, the chief of the Network Security Coordination Office of the CAC clearly stated that the local storage and security assessment requirements for Cross-border Data Transfer apply only to CII operators, so this will remain uncertain until the Assessment Measures have been finalized and published.
Definition of CII
The CL defines CII as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest.” The CL also provides examples of CII, including network operators in the areas of public communications, information services, energy, transportation, water utilities, finance, public services, and e-government, but leaves the specific definition of CII to the regulations to be made by the State Council.
The CII Regulation defines the scope of CII by listing operators in certain industries, including
- government agencies and entities in the energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection, and public utilities sector;
- information networks, such as telecommunication networks, broadcast television networks, and the internet, and entities providing cloud computing, big data, and other large-scale public information network services;
- research and manufacturing entities in sectors such as science and technology for national defense, large equipment manufacturing, chemical industry, and food and drug sectors; and
- press units such as broadcasting stations, television stations, and news agencies.
We note that multinational companies in the manufacturing, IT, food, healthcare, and medical sectors can be included in such a broad definition if regulators decide that any data leakage or malfunction of its information system may affect national security, national welfare, or the people’s livelihood and public interest.
Definition of “network operator”
The CL’s definition of “network operator” is much broader compared to its definition for CII operators. Network operators include “owners and administrators of networks as well as network service providers.” Multinational corporations that use certain networks in China to transmit data offshore, including through the internet and email, could potentially be deemed “network operators.”
Personal Information and Important Data
The local storage and security assessment requirements for Cross-border Data Transfer under the CL protect “personal information” and “important data.” The ongoing legislative efforts further define “personal information” and “important data” and provide detailed protective measures.
Definition of “personal information”
The CL’s definition of “personal information” includes the name, date of birth, ID number, personal biological identification information, address, and telephone number of a natural person, but is not limited to the foregoing. The Assessment Guidelines specifically add accounts and passwords, financial status, location, and behavioral information to the CL’s definition. Considering that the CL’s definition is not limited to the listed types of personal information, the Assessment Guidelines’ definition remains consistent with the CL, so it is possible that regulators may treat location and behavioral information as “personal information” in the future.
Consent required for the cross-border transfer of personal information and exceptions
The Assessment Measures require that a network operator inform the owners of personal information about the purpose, scope, content, recipient, and recipient’s country related to the cross-border transfer of the information, and the network operators must obtain the owners’ consent for the cross-border information transfer to take place.
The Assessment Guidelines do provide an exception to the principle of obtaining consent: where there is an emergency threatening a citizen’s life or the security of their property, consent need not be obtained.
Notably, the CL provides an exception for personal information that has been irreversibly processed so as to prevent a specific person from being identified. The CL allows such processed information to be disclosed to others without receiving the owner’s consent. Comments suggest that this exception was designed for the convenience of developing big-data and cloud businesses in China.
Businesses have also requested that inferred consent be recognized under certain circumstances in the Assessment Measures, including where international phone calls are made, emails and instant messages are sent to individuals or organizations overseas, and cross-border e-commerce transactions and other activities are initiated by data subjects. It is uncertain whether such an exception may be included in the Assessment Measures.
Definition of “important data”
The CL does not define “important data.” The Assessment Measures define “important data” as data closely related to national security, economic development, and public interest. The Assessment Guidelines provide a more specific definition of “important data”:
[D]ata (including original and derived data) collected by the Chinese government, enterprises, and individuals within the territory of China, which does not involve state secrets, but which is closely related to national security, economic development, or the public interest, and when disclosed without authorization, lost, used abusively, tampered with or destroyed, or after aggregation, or integration and analysis, may cause serious consequences related to national security, national economic and financial security, social public interests and the legitimate rights and interests of individuals.
The Assessment Guidelines provide comprehensive examples of important data in 27 industries and sectors, as well as a catchall category for any other data in any other area that may affect the peace, prosperity, or social welfare of China. The Assessment Guidelines also specify the industry regulators for these 27 industries and provide that the definitions, scope, and identifying criteria of important data in these key industries may be further specified by the competent industry regulators.
For example, under the “Demographic Health” category, the Assessment Guidelines list eight types of important data, including
- personal information of patients and their families obtained in the administration of certain public health services (such as monitoring side effects of drug and birth control devices, public health emergencies, epidemic situations etc.);
- electronic medical history;
- health records and other diagnostic and heath data retained by medical institutions and health management service institutions;
- personal information of human organ donors and recipients and applicants of human organ transplants obtained through human organ transplant medical services;
- personal information of sperm and egg donors and users of and applicants for human assisted reproductive technology services;
- personal information obtained through family planning services;
- personal and family genetic information; and
- life registration information.
According to the Assessment Measures and Assessment Guidelines, industry regulators, instead of the CAC, will be responsible for the security assessment of the Cross-border Data Transfer. The CAC will lead and coordinate the efforts of the security assessment.
Per the Assessment Measures and Assessment Guidelines, the security assessment can be conducted by network operators themselves, subject to industry regulators’ periodic examinations. However, security assessments should be conducted by industry regulators for the following transfers:
- Data containing personal information of more than 500,000 Chinese citizens
- Data volume of more than 1,000 gigabytes to be transmitted abroad
- Data regarding “nuclear facilities, chemical biology, national defense or military, population and health care, etc.”
- Data related to “large-scale engineering activities, marine environment, and sensitive geographic information”
- Data related to the cybersecurity information of China’s CII operators, such as their system vulnerabilities or security measures
- When a CII operator provides personal information and important data abroad
- Other transfers that may potentially affect China’s national security and public interests
The Assessment Measures also provide the following circumstances where data cannot be transferred abroad:
- The cross-border transfer fails to be approved by the owner of personal information or such transfer may jeopardize personal interests.
- The cross-border transfer causes security risks to the nation’s politics, economy, technology, and/or defense that may affect national security and jeopardize social and public interests.
- The state cyberspace administration, public security authority, or another relevant authority determines that the data is forbidden to be transmitted abroad.
The Assessment Guidelines provide more details about the procedures used for both self-assessment and assessment by industry regulators, including the assessment process, key assessment factors, and an assessment methodology. Factors that network operators must take into account include the type and degree of sensitivity of the information; the volume and scope of the information; whether or not the information has been desensitized; the possible effects of its transfer; its effect on state security and the public interest; safety precautions taken by the sender; safety capabilities of the recipient; and the local legal climate of the recipient.
Although the Assessment Measures, Assessment Guidelines, and CII Regulation have not yet been formally promulgated, they provide detailed practical guidance regarding what businesses are categorized as CII operators, the types of data subject to local storage and security assessment requirements for Cross-border Data Transfer, and the manner in which the security self-assessments and security assessments by regulators will be conducted. However, there will still be uncertainty regarding the issues discussed above until these draft regulations are finalized. Companies in China should remain alert and aware of legislative developments and be prepared to take the necessary steps for compliance with the new rules.