Information Technology & Communications
China
Client Alert
June 2017
www.bakermckenzie.com

Beijing: Suite 3401, China World Office 2, China World Trade Centre, 1 Jianguomenwai Dajie, Beijing 100004, PRC. Tel: +86 10 6535 3800. Fax: +86 10 6505 2309
Hong Kong: 14th Floor, Hutchison House, 10 Harcourt Road, Central, Hong Kong. Tel: +852 2846 1888. Fax: +852 2845 0476
Shanghai: Unit 1601, Jin Mao Tower, 88 Century Avenue, Pudong, Shanghai 200121, PRC. Tel: +86 21 6105 8558. Fax: +86 21 5047 0020

Further Developments in Draft Rules on Security Assessment of Outbound Data Transmission

On 19 May 2017, the Cybersecurity Administration of China ("CAC") released an amended draft ("Amended Draft") of the Measures for Security Assessment of Outbound Transmission of Personal Information and Important Data ("Draft Measures") at a seminar in Beijing attended by representatives of the international business community. About a week later, the National Information Security Standardization Technical Committee announced a draft of the Guidelines for Security Assessment of Outbound Data Transmission ("Draft Guidelines"), which contain the relevant standards and guidelines referenced in the Draft Measures. This alert discusses these developments as an update to our previous alert on the original version of the Draft Measures issued in April 2017.

Key Revisions in the Amended Draft

Key revisions contained in the Amended Draft are:

Local data residency requirement. China's Cybersecurity Law ("CSL") requires operators of "Critical Information Infrastructure" ("CII") to store "personal information and other important data collected and generated during operations in China" ("Local Data") within China. The original Draft Measures extended the local data residency requirement from CII operators to all "Network Operators" (broadly defined in the CSL to include owners and administrators of computer networks as well as network service providers).
However, the Amended Draft removes reference to the local data residency requirement, focusing entirely on security assessment of outbound data transmission. This amendment suggests that not all Network Operators (but only CII operators) will be required to store Local Data in China, which is in line with the CSL itself.

Consent requirement. The Amended Draft removes some of the more onerous requirements for obtaining consent regarding the outbound data transmission. For example, the Amended Draft no longer requires obtaining guardian consent for the outbound transmission of a minor's personal information. Also, while Network Operators are still required to inform data subjects of the purpose and scope of the outbound data transmission as well as the location of the data recipient(s), the Amended Draft does not require disclosure of the data recipients to data subjects. In addition, the Amended Draft provides an exemption to the consent requirement (i.e., where the outbound data transmission is necessitated by an emergency that endangers the life or property of citizens) and circumstances where consent may be inferred from the conduct of data subjects (e.g., making international phone calls, sending international emails or instant messages, conducting cross-border online transactions).

Security self-assessment. The original Draft Measures require all Network Operators to conduct a security self-assessment of outbound transmission of Local Data on an ongoing basis and also at least once a year. Under the Amended Draft, however, while there is still a general requirement for security self-assessment, Network Operators are no longer required to conduct an annual security assessment or report the self-assessment results to the relevant industry regulator.

Government-administered security assessment.
Under the Amended Draft, any of the following situations from the original Draft Measures would still trigger a government-administered assessment for outbound transmission of Local Data: (1) the data to be transmitted abroad involves personal information of 500,000 individuals; (2) the data concerns areas such as nuclear facilities, chemical biology, national defense, population health, large-scale engineering activities, marine environment and sensitive geographic information data; (3) network security data relating to CII, including system vulnerabilities and security protection measures; or (4) other circumstances that may affect national security or public interests. Other triggering situations where the Local Data to be transmitted overseas (a) contains more than 1,000 GB by volume or (b) relates to the Local Data of CII operators as stipulated under the original Draft Measures have been dropped from the Amended Draft. These revisions have narrowed the scope of outbound transmission of the Local Data to be regulated under the original Draft Measures, and also suggest that CII operators would no longer be automatically subject to a government-administered security assessment (unless one of the triggering situations occurs).

Security assessment procedures. The Amended Draft still does not provide much detail on how a government-administered security assessment would be conducted procedurally. In addition, the Amended Draft removes the 60-day timeframe for completing a government-administered security review, adding uncertainty as to timing.

Definition of personal information. The definition of personal information has been expanded under the Amended Draft, specifically including location and behavioural information in the scope of personal information subject to the security assessment regime.
This definition is more in line with the definition of personal information contained in the Interpretations on Several Issues Concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information issued by the Supreme People’s Court and the Supreme People’s Procuratorate of China on 9 May 2017.

Draft Guidelines

The Draft Guidelines contain detailed criteria and standards for conducting security assessments of outbound data transmission, including the identification guidelines for "important data" specifically referenced in the Draft Measures and in the CSL itself. The identification guidelines for important data define the scope of important data for a wide range of industries. Although the scope of coverage is still quite broad, at least initially it seems that important data would not include internal corporate data generated from day-to-day operations. The detailed listing of key industries (oil/gas, coal, petrochemicals, power, telecommunications, steel, defence, geolocation data, etc.) also perhaps sheds some light on what types of industries may be initially classified as CII.

Also, it may be worth noting that the Draft Guidelines have clarified that data generated outside China and transferred through China does fall within the scope of Local Data and would not be subject to the outbound transmission requirements, if such data has not been modified or processed in China. Further, the Draft Guidelines define the term "provision" to mean active provision of data by Network Operators to overseas entities or individuals, which raises the question of whether outbound data transmission within the meaning of the Draft Measures would include remote access.

Next Step

The CAC has scaled back the Draft Measures significantly and issued an implementation regulation that is consistent with the CSL itself, after significant noise and resistance from industry players (both foreign and domestic) with respect to the original version of the Draft Measures. Furthermore, perhaps to provide more breathing space, the Amended Draft provides an effective date of 1 June 2017, but an implementation date of 31 December 2018. As such, Network Operators will have a grace period of up to 18 months to comply with the requirements under the Draft Measures.

According to the press release issued by CAC on 30 June 2017 right ahead of the CSL taking effect, within the 12-month period following 1 June 2017, the Draft Measures will be further amended, and implementation measures concerning CII operators will also be issued. Businesses operating in China are advised to continue to closely monitor developments in this area and start adopting corresponding measures as soon as further implementation measures of the CSL, including the Draft Measures and the Draft Guidelines, are finalized and announced.

This client alert has been prepared for clients and professional associates of Baker & McKenzie. Whilst every effort has been made to ensure accuracy, this client alert is not an exhaustive treatment of the area of law discussed and no responsibility for any loss occasioned to any person acting or refraining from action as a result of material in this client alert is accepted by Baker & McKenzie. If advice concerning individual problems or other expert assistance is required, the services of a competent professional adviser should be sought.

©2017 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world.
In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Should you wish to obtain further information or want to discuss any issues raised in this alert with us, please contact:

Shanghai
Howard Wu, +86 21 6105 8538
Zhenyu Ruan, +86 21 6105 8577

Beijing
Vivian Wu, +86 10 6535 3860

Hong Kong
Nancy Leigh, +852 2846 1787
Paolo Sbuttoni, +852 2846 1521

Singapore
Eugene Lim, +65 6434 2633
