Despite being brought into force over two years ago, uncertainty remains regarding the application of China’s Cybersecurity Law (CSL). This largely stems from the fact that many of the supplemental measures and guidelines issued by the Chinese authorities still remain in draft format.
On 28 May 2019 and 13 June 2019, respectively, the new draft Measures for Data Security Management (New Draft Security Management Measures) and the new draft Measures on Security Assessment of the Cross-Border Transfer of Personal Information (New Draft Cross-Border PI Measures) were issued for public consultation. These recent drafts appear to depart significantly from the draft Security Assessment Measures for the Cross-Border Transfer of Personal Information and Important Data, which were issued in 2017. More stringent and detailed requirements now appear to be the norm, particularly regarding the cross-border transfer of personal information and important data.
The CSL applies to critical information infrastructure (CII) operators and network operators in China. CIIs include key sectors such as finance, transportation, utilities (e.g. energy and water), government and communications, and any other industries that the Chinese authorities identify as having the potential to cause serious damage to national security, national economy and people’s livelihood and public interests in the event they suffer a security breach leading to any destruction, loss of function or data. In the past year or so, additional sectors that have been identified by the Chinese authorities as falling into the CII category include media, e-commerce, e-payment, search engines, emails, blogs, cloud computing, enterprise systems and big data.
As far as network operators are concerned, the definition is broad enough to essentially include any business that uses some form of IT infrastructure in China (i.e. owns or operates a computer network, server or website in China), regardless of its industry sector.
Transfers of Personal Information and Important Data
Under the New Draft Cross-Border PI Measures and the New Draft Security Management Measures, a CII operator or network operator cannot transfer or disclose personal information or important data collected or generated during their operations in China to anyone outside of China, unless:
- they have completed an official security assessment;
- a contract is signed with the intended recipient (which must incorporate specific provisions stipulated by the New Draft Cross-Border PI Measures); and
- for personal information, the express and informed consent of the relevant individual is obtained.
In addition, the prior authorisation of the relevant regulatory authority is also required for the cross-border transfer, disclosure, sale or publishing of important data by CII operators or network operators. The definition of "important data" under the New Draft Security Management Measures only covers data which, if leaked, may directly affect national security, economic security, social stability, public health and security, such as non-public government information, large-scale population, genetic health, geographic and mineral resources. The definition expressly excludes any information relating to the production, operation or internal management of an entity and personal information.
The above restrictions appear to have extra-territorial effect and may apply to companies that do not have a physical presence in China, but which have operations that involve the collection of personal information of Chinese residents. In particular, the New Draft Cross-Border PI Measures provide that if the business activities of any organisation located outside China results in the collection of personal information of persons located in China, then such organisation will be subject to the New Draft Cross-Border PI Measures as a network operator.
Under the previous draft measures, CII operators and network operators were required to carry out a self-assessment for the cross border transfer of personal information, and an official security assessment by the relevant local authorities would only be necessary if certain thresholds were met or the transfer was being made by a CII operator. In contrast, the New Draft Cross-Border PI Measures now require all cross-border transfers of personal information by either a CII operator or network operator to undergo an official security assessment by the relevant Cyberspace Administration of China (CAC) branch office. There is currently no minimum threshold in relation to the application of this requirement. In addition, no express exceptions are made in relation to intra-group transfers.
The official security assessment must be conducted prior to the cross-border data transfer, and must be completed for each different recipient. However, multiple or ongoing transfers to the same recipient will not require additional assessments. The assessment must be repeated every two years or whenever there is a change in the purpose, type or retention period regarding the data.
The documents that must be submitted by the CII or network operator when applying for an official security assessment will include a detailed report on the security risks and measures related to the transfer, the agreement with the intended recipient and a declaration form. If the results of the assessment reveal that the cross-border transfer could present a risk to national security, damage public interest or provide inadequate protection for the personal information, then the transfer will be prohibited. Whilst the CII or network operator can file an objection to the decision, there is currently no detailed appeal procedure set out in the New Draft Cross-Border PI Measures.
A record must be retained by CII operators and network operators for at least five years, which details all of their cross-border transfers of personal information. The local CAC office is obligated to carry out regular inspections of such records, and an annual report must also be submitted to the local CAC office regarding the CII or network operator's cross-border transfers and any related contract.
Lastly, prior to the sharing of personal information with a third party, under the New Draft Security Management Measures CII operators and network operators need to conduct an assessment of the potential security risks and to obtain the express consent of the data subjects. This requirement is not expressly limited to cross-border transfers and does not exclude intra-group sharing of personal information – therefore it appears that it may also apply to domestic transfers and transfers within the same group. There are certain exceptions to this requirement, including situations where the data was collected from a public source and the sharing is not in violation of the data subjects' wishes, the data subject voluntarily published his personal information, it is necessary for law enforcement purposes or to protect national security, and so on.
Outside the context of cross-border transfers, the New Draft Security Management Measures impose further obligations on CII operators and network operators in relation to personal information. Unlike the "Information Technology – Personal Information Security Specification" (National Standard GB/T 35273-2017) (GB/T 35273-2017 信息安全技术个人信息安全规范) (PI Specification), and its draft amendments released on 1 February 20191, the New Draft Security Management Measures (once finalised and brought into operation) will be legally binding and a breach could lead to various penalties (including the shutting down of business operations). The New Draft Security Management Measures introduce requirements such as the need to obtain explicit and informed consent of the data subjects (and specifically sets out the information that needs to be provided to the data subject), an obligation not to force or mislead data subjects to provide their consent (e.g. bundled consent, default consent, etc.), not to take any discriminatory actions based on the scope of consent provided by the data subject (e.g. reduce service quality), comply with data access requests, implement data encryption and backup measures, and so on.
In addition, CII operators and network operators that collect important data or sensitive personal information for business purposes must also file with their local CAC office their rules for collection and use, and the purpose, scope volume, method, type and retention period of such data. The CII operators and network operators must also designate a person to be in charge of the data security for the important data and sensitive personal information.
Where to Now?
The draft measures are likely to be finalised by the end of 2019. For now, companies that have a link to China (e.g. business operations in China, networks in China, collecting information from Chinese residents, Chinese-hosted website, vendors in China, etc.), are advised to conduct privacy and security audits to ensure compliance with the CSL. In particular, companies should carefully scrutinise where their data is held, and engage in conversations with their supply chain.