On 13 June 2019, the Cyberspace Administration of China (CAC) released a new draft of proposed measures on the security assessment for the export of personal information, two years after the previous draft was released. The 2019 version of the draft Measures on Security Assessment of Personal Information Export (2019 Draft Measures) fundamentally changes the proposed regulatory regime on personal information export from that proposed in the 2017 draft. If enacted, the 2019 Draft Measures will have a significant impact on the way that personal information export is regulated and will increase the compliance burden for both domestic and overseas companies that collect personal information from China.
The CAC first published draft measures on the security assessment of personal information and important data in April 2017. That draft caused a backlash amongst foreign companies, organizations and governments and was criticised for its requirement that personal information and important data should be stored within China and not be exported without the network operator or authorities being satisfied following a security assessment. The CAC removed the compulsory localisation requirement in an amended draft issued in May 2017 (2017 Draft Measures) and proposed a regime requiring all network operators to conduct and be satisfied with a self-assessment on the proposed transfer before the export of personal information and important data. The authorities will only conduct assessments in a few specified scenarios.
It was intended that the 2017 Draft Measures would take effect on the same date as the Cyber Security Law of China (i.e. 1 June 2017) with a seven-month grace period. In August 2017, the Chinese National Information Security Standardization Technical Committee (TC260) issued guidelines on how to conduct a security assessment. However, since then, the legislative process seems to have stalled and there have not been any new draft regulations on data export until the 2019 Draft Measures were released in June this year.
HIGHLIGHTS OF KEY PROVISIONS IN THE 2019 DRAFT MEASURES
I. Personal information and important data separately regulated
A noticeable change in approach is that the export of important data is not regulated in the 2019 Draft Measures. The CAC seems to be of the view that personal information concerns personal rights whilst important data concerns national and public interests, and the two should be regulated in different ways. This is in line with the current legislative approach being taken by the National People’s Congress in the Personal Information Protection Law and Data Security Law which regulate personal information and data security separately.
This approach is also reflected in the draft Administrative Measures of Data Security (Draft Data Security Measures) which, whilst regulating security of both personal information and important data, lays down different rules for their export. In accordance with the Draft Data Security Measures, the export of important data is subject to security assessment and approval by the competent industrial regulators, whereas the export of personal information is to be regulated under separate regulations, i.e. the 2019 Draft Measures.
As such, it is likely that a standalone regulation will be enacted in the future to regulate the export of important data to include details of the security assessment which, unlike personal information, will be mainly assessed by industrial regulators rather than the CAC.
II. Mandatory governmental assessment on all exports
The self-assessment regime proposed by the 2017 Draft Measures is absent from the 2019 Draft Measures, which instead require all proposed exports to be assessed by a provincial-level office of the CAC. A separate evaluation is required for each receiver, although repeat assessments are not necessary for continuous or multiple exports to the same receiver. The security assessment must be conducted bi-annually or whenever the purpose, type or retention period overseas of the export changes.
Assessments will be carried out by experts organized by the CAC and should be completed within 15 business days of acceptance of the application. Materials to be submitted for assessment include:
an application form;
the contract signed between the network operator and the receiver in respect of the export (Export Contract);
an analysis report on the risks and security measures relating to the proposed export of personal information; and
any other materials as required by the CAC.
The assessment will focus on a variety of aspects of the export including compliance with relevant laws and regulations, the protection of the legal interests of data subjects under the Export Contract and its enforceability. The assessment will also consider the network operators’ and the receivers’ track record in cybersecurity and data protection. The legality and legitimacy of the personal information collection by the network operator will also be assessed.
The 2019 Draft Measures propose further strengthening administrative scrutiny by:
requiring the network operators to file annual reports with the CAC in respect of personal information export and the performance of the Export Contract and to report any major data breach incidents;
requiring records to be maintained by network operators (for at least five years) and available for inspection by the CAC on data export, performance of the Export Contracts and any violation of the regulations or legal interests of the data subjects;
giving power to the CAC to suspend or prohibit personal information export if (i) major data misuse or a leakage incident has occurred to the network operator or receiver; (ii) data subjects cannot protect their legal interests; or (iii) the network operator or receiver is incapable of protecting personal information; and
authorising the CAC to accept and deal with any complaints or reports of misconduct.
III. Export Contract
The 2019 Draft Measures propose lengthy stipulations as to the terms of the Export Contract. It appears that the CAC intends to use the Export Contract as a key component in strengthening the accountability of network operators and receivers in respect of personal information protection.
The 2019 Draft Measures require the Export Contract to expressly state:
the purpose and type of the proposed data export and the retention period;
that data subjects are the beneficiaries of the contract;
that data subjects can bring infringement claims against the network operators or the receivers or both, who should compensate the data subjects unless they can prove that they are not liable;
that the Export Contract must be terminated or a security assessment must be re-conducted if the performance of the Export Contract is rendered difficult; and
that the termination of the Export Contract should not exempt the network operator or the receiver from their obligations to protect the legal interests of data subjects, unless the relevant personal information has been anonymised.
The Export Contract must impose a number of obligations on the network operators as to data subjects. These must include obligations to (i) notify data subjects of basic information on the network operator and the receiver, the purpose of the proposed export and the type and retention period of the personal information; (ii) provide a copy of the Export Contract to the data subjects upon their request; and (iii) relay requests and claims from data subjects to the receiver, and, where compensation is not available from the receiver, compensate the data subjects.
In respect of the receiver, the Export Contract must also set out its obligations. These must include obligations to: (i) respond to data subjects’ requests to access, rectify or delete their personal information within a reasonable time frame and at reasonable cost; (ii) use personal information pursuant to the terms of the Export Contract and retain the personal information for a period no longer than is specified in the Export Contract; and (iii) confirm that the execution and performance of the Export Contract will not violate any laws of the jurisdiction where the receiver is located and to notify the network operator and the CAC (via the network operator) of any changes to the local laws that could affect the performance of the Export Contract.
The Export Contract must also prohibit the receiver from transferring the personal information to a third party, unless (i) the network operator has informed the data subjects of the purpose of the transfer, the identity and nationality of the third party, and the type and retention period of the personal information; (ii) the receiver undertakes to cease transmission and request the third party to destroy the personal information upon request of the data subjects; (iii) the data subjects have given their consent to the transfer in relation to sensitive personal information; and (iv) the network operator agrees to be liable for and compensate any losses arising out of any infringement of the data subjects’ legal rights.
I. Implementation challenges
The 2019 Draft Measures propose greatly strengthened administrative scrutiny over the export of personal information by imposing a governmental evaluation and pre-approval regime on the export to each overseas receiver together with a range of administrative powers over the export. Considering the large number of data exports from China, the new draft regulations, if enacted, will inevitably create an enormous administrative workload for the CAC. In order to achieve any efficiency, the CAC will need to employ a sizeable work force to process the applications and evaluate the exports. The increase in administrative costs and workload management will be a challenge for the CAC.
The 2019 Draft Measures do not provide any exemption for random or limited transfers of personal information. This will further increase the number of applications and also the compliance burden for companies that only export personal information on an occasional basis.
In addition, the 2019 Draft Measures do not expressly provide a grace period within which network operators can complete the evaluation and approval process. If implemented strictly, network operators may have to cease current transfers and wait for the export applications to be evaluated and approved. This would give rise to serious operational difficulties for a number of companies.
Compared to the data export regime under GDPR which provides data controllers with flexibility in choosing the appropriate route for compliance, the CAC’s approach requires all exports to undergo an administrative evaluation and approval process. The proposed new regulations do not put much emphasis on the efficiency of personal information flow between countries. It is unclear how the CAC plans to deal with the implementation challenges.
II. Enforceability of Export Contract
In addition to administrative scrutiny, the 2019 Draft Measures propose imposing certain contractual obligations on the network operators and the receivers through the Export Contract. This is the first time that the CAC has attempted to use contractual arrangements as a major regulatory tool to control personal information export. Some commentators have drawn analogies between the Export Contract and the standard contract clauses provided for under the GDPR for international data transfers. Whilst the standard contract clauses are considered one of the measures that could provide adequate safeguard for international data transfers under the GDPR, the Export Contract forms a mandatory and integral part of the administrative evaluation process.
As set out above, the 2019 Draft Measures specify certain provisions that must be included in an Export Contract, but some of the provisions appear to be inconsistent with the general contract law or tort law and could give rise to enforcement issues. For instance, the draft regulations require that the Export Contract must contain provisions requiring the network operators or receivers to compensate data subjects for their damages claims unless the network operators or receivers can prove that they are not liable. This provision reverses the burden of proof and shifts it from the claimant to the defendant. It is not clear from the draft regulation whether this requirement relates to tort or contract liabilities. The reason for this approach appears to be that it is usually difficult for data subjects to access evidence to prove that the network operators or receivers are at fault in protecting their personal information.
Whilst the CAC may intend this to be a step forward to hold the network operators and receivers accountable, the CAC does not have the legal power to determine which party bears the burden of proof in a judicial case involving infringement of personal information rights. Only the Supreme People’s Court has the power to dictate this in judicial practice. The courts are not obligated to follow the CAC’s position in adjudicating a tort or contract case. Such a provision in the Export Contract regulating the burden of proof may not have the legal effect intended by the CAC, especially when the data subject is not even a party to the Export Contract.
The 2019 Draft Measures also intend to grant to data subjects certain contractual rights by requiring the Export Contract to make data subjects third-party beneficiaries of provisions relating to personal information rights. However, under the contract law of China, there is no well-established rule relating to the rights of a third-party beneficiary and it is unclear how data subjects will be able to enforce such rights. Whether data subjects will be able to bring a claim against either party to the Export Contract as a third-party beneficiary is unclear. The Supreme People’s Court’s position on enforcing this provision in judicial practice will be critical.
Additionally, the new regulations propose that network operators would be obliged to compensate data subjects for infringement claims against the receivers, including any third-party receivers, in an Export Contract. The rationale appears to be that it will be easier for data subjects to claim compensation from a Chinese entity in an infringement case than from a foreign one. The legal effect would be that the network operator will be held jointly and severally liable with the receivers and any third-party receivers for any personal information infringement. However, it is unclear how this can be enforced in a tort case where the network operator is not at fault. It is also unclear as a matter of general contract law whether a data subject can bring a claim as a third-party beneficiary.
Therefore, if the suggested provisions on the Export Contract are to be adopted, the CAC should consult with the Supreme People’s Court and request it to issue a judicial paper to clarify its position on how the courts will adjudicate such cases.
III. Extra-territorial effect
As discussed above, where there is a data transfer from a network operator in China to an overseas receiver, the 2019 Draft Measures propose applying the Cyber Security Law and other data protection regulations via the Export Contract. Where an overseas entity directly collects personal information from China via the internet, article 20 of the 2019 Draft Measures proposes that the overseas entity should “perform the obligations of the network operator via its legal representative or office within China”.
It appears that the CAC intends the 2019 Draft Measures to apply directly to overseas entities that collect personal information directly from data subjects in China as if the overseas entities were network operators in China. However, the draft regulations do not expressly specify whether the overseas entities must also apply to the CAC for assessment and pre-approval for the collection of personal information. If that is to be the case, the CAC should clarify this in the assessment procedure and application materials given that there will not be any receivers involved in the process nor an Export Contract.
Moreover, the 2019 Draft Measures seek to apply the regime to overseas entities through their “legal representatives and offices in China”. This is similar to the approach adopted by the GDPR, but the role of the local legal representative and office needs to be further refined. For instance, it is not clear whether an overseas entity is required to designate a local representative in China if it does not have one, how such a representative should be appointed and what its liability will be for performing the obligations of the overseas entity.
Additionally, the meaning of “legal representative” should be clearly defined. A legal representative in the context of Chinese law normally means the person that is registered with the company registration authority to represent a company in entering into legal documents. However, overseas entities are normally not required to appoint a legal representative in their home countries and it is unclear why they should appoint one in China, especially if they do not have any subsidiaries in China. If the CAC intends the term “legal representative” to mean an individual who is appointed by the overseas entity as an “authorized representative” for certain data protection functions, it should be spelt out in the regulations.
The 2019 Draft Measures seem to apply to all overseas entities that collect personal information from China, irrespective of the amount of personal information collected or whether Chinese data subjects are targeted. In addition to a rocketing administrative workload, the proposed regulations would also give rise to a disproportionate compliance burden for overseas entities that collect only a small amount of personal information on an irregular or random basis.
IV. Consent still required?
The requirement in the 2017 Draft Measures that network operators must have obtained consent of the data subjects before exporting personal information is absent from the 2019 Draft Measures. The new regime only requires network operators to notify data subjects when receivers transmit personal information to a third-party receiver and to obtain consent in relation to sensitive personal information. Does this mean that network operators do not have to continue to obtain the consent of data subjects before data export?
The Cyber Security Law requires network operators to obtain consent from data subjects before providing their personal information to third parties. The Draft Data Security Measures also impose a similar requirement. Simply because the 2019 Draft Measures are silent, network operators should not assume that consent is not required and should still obtain such consent from data subjects for any transfer of personal information to overseas receivers.
The 2019 Draft Measures mark a major change in the approach taken by the CAC to regulating the export of personal information. They regulate only the export of personal information, with the export of important data to be regulated by a separate regime. Although the 2019 Draft Measures do not expressly require all personal information to be stored in China (as was proposed in the very first draft in 2017), they achieve a similar effect given that personal information will not be permitted to be exported without completing the mandatory government evaluation. The CAC is seeking to replace the regime primarily based on self-assessment in the 2017 Draft Measures with one based on mandatory governmental assessment and pre-approval, and to insert certain mandatory terms in the Export Contract as a tool to impose data protection obligations on overseas receivers.
The changes, if enacted, will dramatically increase the administrative burden for the government as well as the compliance workload and cost for domestic and overseas companies that collect personal information from China. In addition, there will be judicial and practical challenges to enforcing the Export Contract without a clear opinion being given by the judiciary. The applicability of the 2019 Draft Measures to overseas personal information collectors and the role of representatives remain to be clarified by the CAC. We hope the next draft of the regulations will address these issues, which will be vital for their successful implementation.